Malicious quick response (QR) codes are not a new idea. Some readers might remember last year when it was found that a popular Android smartphone could be wiped by a malicious USSD code embedded within a QR code. QR codes have been in use for many years now, but when scanning them with a mobile phone the user can never tell where they will end up.
To protect against automated redirection to malicious sites with QR codes, Symantec created the Norton Snap application which scans any URL before the user is redirected to the destination address. Currently, we get a few thousand URL lookup requests each day from our users. During the last month, only 0.03 percent of those URLs were malicious. That is not a huge risk, but we have already seen cases where QR codes for snack vending machines were replaced, so that the paid for snacks get released at a different location.
Figure. Google Glass and QR codes
Don’t look now
Google Glass is one of the hottest pieces of technologies out at the moment and we’ve got our hands on a number of them for research purposes in our labs. As far as the relationship between Glass and QR code goes, it provides an easy way to configure the device; after all it would be quite difficult to input text using your eyes. Our colleagues at Lookout analyzed how Google Glass can be manipulated using malicious QR codes. Wearable devices by their nature can open up new attack vectors because the user interacts with them differently. Lookout have stated when taking a photo of a QR code, Glass will silently connect to a potentially malicious WiFi access point. This gives the word photobombing a whole new meaning. Glass doesn't support all general QR codes, but does use them for reconfiguring the device's preferred WiFi access point.
Once the Google Glass device connects to the access point of an attacker, the attacker can sniff all the traffic or even redirects users of the device to a malicious website. Fortunately, Google is aware of this issue and have already fixed it—so you don’t have to keep looking away from QR codes while taking pictures.
QR code is not the only way to PWN a device…
So, while Glass’ ability to get QR photobombed was interesting, there are far easier ways to get a mobile device connected to a rogue WiFi access point. Many people have WiFi enabled all the time on their smartphones. This means the device constantly probes the surroundings to see if there is a known access point to connect to. Similar behavior is expected in new wearable devices to make it easier for them to interact with. There is software available that will impersonate any network that a device searches for, and this software is quite easy to use. You can even buy a small device called WiFi Pineapple that will do all the work for you. For example, when your smartphone remembers your home network with the SSID name “myPrivateWiFi”, the attacker will simply answer the probe request and pretend to be that specific network. From that point on classic man-in-the-middle (MITM) attacks, like session hijacking or sniffing, can be performed. It is actually easier to get a wearable device like Google Glass or a smartphone to connect to a rogue access point in this way since accidental recognition of a QR code is not required. So even with Google's patch against QR photobombing, Glass remains vulnerable to WiFi hijacking.
Unfortunately the WiFi hijacking issue is not trivial to solve. Users want a smooth user experience that works without the hassle of pairing the devices each time they use a WiFi hotspot. Remembering the MAC addresses of the access points together with the SSID could help in some instances, but that is not feasible in the context of roaming and MAC addresses that can be easily spoofed as well.
The more practicable solution to WiFi hijacking is to treat every network as hostile and ensure that all the applications use encrypted communications like SSL or to tunnel through a VPN. That way you don’t have to worry about where you are or what you are looking at, but instead can relax and enjoy the sunshine.