starterkit 02/2011(2)
MOBILE PENTESTING – iPhone QR botnet
Every time a new technology is revealed, many security researchers look for vulnerabilities in it. In my case, I am looking for security holes in the integration between QR readers and smart phones, especially on the iPhone.
QRbot
This article is related to both social engineering and cyber-crime. Why social engineering? Because QR usage is based on interactive actions by mobile users, which might lead to threats on their devices, as will be explained in detail later. Why cyber-crime? The actions taken by criminals not only harm the mobile phone/device users, but may also steal sensitive information or aid in launching massive actions using controlled, zombie-based networks (botnets), e.g. DDoS – Distributed Denial of Service attacks.
In order to explain the whole process, this article begins with the basics of QR and iPhone usage. After understanding the basics, we will dive into the actions needed to build a QRbot. Finally, avoidance recommendations will be explained.
What is QR?
A QR (Quick Response) code is a type of matrix barcode that was developed in order to automate the industry. The code consists of black modules arranged in a square pattern on a white background, e.g. the QR code in Figure 1 is decoded to the phrase "Do you think that information security is expansive? Try to ignore it!" There are similar codes, such as EZcode and QM, but the QR is the most common.
The QR is used in various places and media types: newspapers, TV, business cards, books, Google favorite places (i.e. to see a review of a restaurant before entering), a Google Chrome add-on, museums, house-selling advertisements, on CDs to watch a clip of the band, troubleshooting on electronic devices, restaurant menus, etc.
In order to read the QR code, the mobile device (not only smart phones) must include specialized code-reading and decoding software. The mobile device can translate the decoded content into different actions, e.g. open a URL, send an SMS, make a call, add a contact, show text, etc.
However, there are QR codes that cannot be read by<br />
mobile devices because they are encrypted. A matching<br />
decryption key is required to view the content.<br />
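The mapping from decoded content to device actions described above can be made visible to the user before anything runs. The following is an added example, not code from the article: `classify_qr_payload` and the sample payloads are hypothetical, and the `smsto:` and `MECARD:` prefixes are assumed to follow common QR reader conventions.

```python
import re
from urllib.parse import urlsplit

# Scheme-like prefix ("name:" followed by a non-space character).
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:\S", re.IGNORECASE)

def _result(action, target, confirm=True, notes=()):
    return {"action": action, "target": target,
            "confirm": confirm, "notes": list(notes)}

def classify_qr_payload(payload):
    """Map a decoded QR string to the action a reader would take, the
    target to display, and whether to ask the user before acting."""
    text = payload.strip()
    lower = text.lower()
    if lower.startswith(("http://", "https://")):
        parts = urlsplit(text)
        notes = []
        if parts.username is not None:
            notes.append("userinfo before '@' hides the real host")
        if parts.scheme == "http":
            notes.append("unencrypted http")
        # Display the host actually contacted, not the raw string.
        return _result("open_url", parts.hostname or "", notes=notes)
    if lower.startswith("tel:"):
        return _result("call", text[4:])
    if lower.startswith(("sms:", "smsto:")):
        rest = text.split(":", 1)[1]
        # Number ends at ':' (smsto form) or '?' (sms:...?body= form).
        return _result("send_sms", re.split(r"[:?]", rest, maxsplit=1)[0])
    if lower.startswith(("mecard:", "begin:vcard")):
        return _result("add_contact", "")
    if SCHEME_RE.match(text):
        scheme = text.split(":", 1)[0].lower()
        return _result("unknown_scheme", scheme,
                       notes=["unrecognised URI scheme"])
    return _result("show_text", text, confirm=False)

# Constructed sample payloads (documentation addresses and numbers only).
SAMPLES = [
    "http://bank.example@203.0.113.5/login",
    "SMSTO:+15550100:hello",
    "tel:+15550100",
    "MECARD:N:Doe,John;TEL:+15550100;;",
    "Do you think that information security is expansive? Try to ignore it!",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_qr_payload(sample))
```

Only plain text is shown without confirmation; every payload that would trigger an action is returned with `confirm` set so the reader can display the real target first.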
QR abuse<br />
The main problem of the QR is that the human eye<br />
cannot decode the message. This makes the following<br />
social attacks possible:<br />
Figure 1. Demo text<br />
Page 6 http://pentestmag.com