Editor's note

Recommendations

Info

QRbot This article is related to both social engineering and cyber-crime. Why social engineering? Since QR usage is based on interactive actions of mobile users, which might lead to threats on their devices, as will be explained in detail later. Why cyber-crime? The actions taken by criminals not only harm the mobile phone/device users, but also may steal sensitive information or aid in launching massive actions using controlled, Zombie-based networks (Botnets), e.g. DDoS – Distributed Denial of Service attacks. In order to explain the whole process, this article begins from the basics of QR and iPhone Usage. After understanding the basics, we will dive into the actions needed to build a QRbot. Finally, avoidance recommendations will be explained. What is QR? A QR (Quick Response) code is a type of matrix barcode that was developed in order to automate the industry. The code consists of black modules arranged in a square pattern on a white background, e.g. the QR code in Figure 1 is decoded to the phrase Do you think that information security is expansive? Try to ignore it! There are similarities to the QR, such as EZcode, QM, but the QR is the most common. The QR is used in various places and media types: newspapers, TV, business cards, books, Google starterkit 02/2011(2) MOBILE PENTESTING – iPhone QR botnet Every time that new technology is revealed, lots of security researchers seek for vulnerabilities in it. In my case, I am looking for security holes in the integration between QR readers and smart phones, especially on iPhone. favorite places i.e. to see review on a restaurant before entering, Google chrome add-on, museums, house selling advertisements, on CDs to watch a clip of the band, troubleshooting on electronic devices, restaurant menus etc. In order to read the QR code, the mobile device (not only smart phones) should include a specialized code reading and decoding software. The mobile device can translate it differently to actions, e.g. open URL, send SMS, make calls, add contacts, show text etc. However, there are QR codes that cannot be read by mobile devices because they are encrypted. A matching decryption key is required to view the content. QR abuse The main problem of the QR is that the human eye cannot decode the message. This makes the following social attacks possible: Figure 1. Demo text Page 6 http://pentestmag.com
QRjacking A malicious sticker can be pasted over the original sticker, e.g. on public advertisement in the street or other public spaces, simply replaced where possible – websites, brochures etc. Scanjacking The scanned barcode would redirect to malicious web site or run any malicious code. Hence, various attacks can be executed, e.g. phishing, man-in-the-browser (form of man-in-the-middle attack), SMS abuse (social engineering is required) etc. IPhone users and application permissions IPhone devices can be divided into two main categories – legal (factory default configuration) and jailbroken (running a hacked, modified operating system version). On one hand, legal iPhone devices can execute only Apple-approved applications, which may lower the total risk of getting malicious software on the device. On the other hand, the jailbroken devices are more vulnerable to malicious applications since these devices allow installation of applications which had not been checked and verified by Apple. There are several options to install applications on iPhones: App Store, iTunes, iPhone configuration utility and over-the-air (from a web server). Of course, Cidya and Installous are also available on jailbroken devices. One thing is certain about both the legal and most of the jailborken devices – they have a default password for the root user; by default it’s alpine (without the quotes, of course). Why is this interesting? By default, applications don’t have root access to the iPhones but instead are provided with a limited access by the user mobile (for which the default password is dottie). In order to get root privilege access, we need to do some coding as will be explained later in this article. starterkit 02/2011(2) QR botnet After understanding QR threats and iPhone limitations, I can explain the idea behind the title of this article. In order to build a botnet we need to combine the threats of the QR code readers with the iPhone limitations. The main idea of this attack is to install a malicious application from a web server directly on the iPhone. It almost does not matter whether the iPhone is legal or jailbroken with default root password. Step 1: Locate vulnerable QR reader Since we would like to install an application from a web site, the QR reader should have automatic redirection to URL. I have been testing the following 10 applications on my iPhone with iOS 5: QRReader, RedLaser, QR+, ShopSavvy, Scan, ConnectMe, HP CodeScan, ATTScanner, ScanLife and i-Nigma. To make it close to the reality, I searched the word QR in App Store and downloaded the first 10. I generated a QR code for a website and scanned the code in each application. The following applications have automatic redirection: QRReader, ShopSavvy, Scan, HP CodeScan, ScanLife and i-Nigma. Summary: 6 of 10 were vulnerable to automatic redirection, e.g. i- Nigma opens Safari automatically and redirects to the requested page, see screenshot in Figure 2. What should appear when automatic redirection is disabled? See screenshot of RedLaser’s question in Figure 3. Figure 2. Automatic redirection in Safari Figure 3. Popup on non-redirecting QR reader Page 7 http://pentestmag.com
Page 3 and 4: EDITOR’S NOTE Starter Kit 02/2011
Page 5: SOCIAL FRAUD 24 Social Engineering
Page 9 and 10: Figure 4. Botnet operator screen on
Page 11 and 12: Figure 6. Citadel consulting web si
Page 13 and 14: understanding why testing mobile ap
Page 15 and 16: AndroidManifest.xml file. This cent
Page 17 and 18: you need to get stuck in at the tec
Page 19 and 20: password and then end up having to
Page 21 and 22: user has an increased opportunity o
Page 23 and 24: WHAT IS A GOOD FUZZING TOOL? Fuzz t
Page 25 and 26: people into breaking normal securit
Page 27 and 28: that not only are easier, but yield
Page 29 and 30: Preventing deer -in-headlights Get
Page 31 and 32: who are responsible for IT service
Page 33 and 34: analysis that should not be made by
Page 35 and 36: If we have made an in-depth risk an
Page 37 and 38: several security standards in wides
Page 39 and 40: Resource • http://www.iso.org/iso
Page 41 and 42: etc., and create mayhem. And all of
Page 43 and 44: your business managers do not appro

Editor's note

Create successful ePaper yourself

Delete template?

Save as template?