QR codes are just as insecure as anything else
A browser locked down tighter than a duck’s derriere won’t save you from phishing attacks – but getting to grips with the latest advice and best practice might
Think back to February and the weekend of the Super Bowl. I didn’t watch it as I have better things to do in the early hours of the morning, like playing Cyberpunk 2077 because I can’t sleep. Also, I prefer proper rugby without crash helmets and 1980s shoulder pads. I didn’t escape the fallout of the thing, though, and I’m not talking about Eminem taking the knee: I’m talking about the adverts.
Don’t worry, this isn’t another of my rants about trackers, cookie options or advert delivery and blocking options. Instead, it’s about a certain level of cyber security-related hysteria. That hysteria – spread by way of tweets and blogs and emails – centred around Coinbase. Not for the usual “cryptocurrency is all an illusion” reasons, either, but rather down to a 60-second advert featuring a QR code bouncing around the telly-box, or more likely your computer screen, by way of a half-time advertising slot that’s reported to have cost in the region of $13 million.
Coinbase, no doubt, considers that money well spent; it reckons it recorded some 20 million hits on the landing page from scanning that QR code during the single minute of broadcast, crashing the relevant Coinbase servers in the process. Engagement also went through the roof, with Coinbase claiming a six-fold improvement over previous benchmarks.
The hysteria I’m talking about is the divided opinion on the not so small matter of QR code security, or insecurity, depending on which side of the debate you sit. Me, I’m firmly straddling this controversial fence. QR codes are neither an invitation to compromise your device and data nor a perfectly safe method of reaching the information you seek. Can QR codes be used for malicious purposes? Sure, but so can web links (so best not click on any ever again) or email (never open a message folks) and apps (dammit, time to flush your finest smartphone down the bog).
There’s no 100% secure method of jumping to linked information. Sorry if that just burst your InfoSec bubble, but it’s the truth. Unless you know the destination URL already, know that it’s trustworthy (and even that trust can be misplaced) and type it into your locked down as tight as a duck’s derriere browser by hand, consider every link to be potentially dangerous.
That doesn’t mean you should click on nothing, scan nothing, trust nothing. It does mean you should be aware of the risk, should be able to threat-model accordingly and understand the mitigations that can be applied.
You can’t apply a zero-trust policy to real life
Consider a scenario in which you substitute me for a QR code. I could turn up on your doorstep, unannounced, wearing a hi-vis with an ID badge and claim to need access to investigate a gas leak. You determine whether to let me in, or scan the QR code, based on your trust in me being who I appear to be. This isn’t the same as saying that all QR codes are perfectly safe to use, or that all people knocking at your door mean no harm, but rather illustrating that it’s simply not feasible to apply a zero-trust policy to real life. Saying “never scan a QR code” is about as sensible as declaring international travel is to be avoided as there’s a chance you could fall off the edge of our flat Earth.
Cyber security and privacy should never come wrapped in absolutes. If they do, then you’re probably doing the whole threat modelling thing wrong. Some honest advice is coming up, so look away now if you dislike your world view being challenged: a watering hole attack (aiming at users of a particular site or service) employing a zero-day exploit is very unlikely to target you. Zero-days are expensive and are used sparingly. It’s not that such things do not happen, of course, but rather that they belong in the uncommon folder rather than being an everyday occurrence.
Your chances, your company’s chances, of being targeted using a zero-day attack will also depend highly on the industry you’re in and the profitability (be that financial or political) of a successful compromise. As Michael Coates, a former Twitter chief information security officer (CISO) and security head at Mozilla, once tweeted: “If an org has a choice of where to spend time, spend it on the timely application of patches across the entire fleet. It’s not the 0days that get orgs, it’s the 100days.” In other words, you’re far more likely to be hit by a known exploit for a known vulnerability, used during the gap between a patch being released and it actually being applied across your networks.
Again, this absolutely does not mean that I’m saying QR codes are perfectly safe. I’m saying, apply the same defensive logic to them as you would to clicking on a link in your email, a direct message or an SMS. Certainly, be aware that they can be abused. Scanning, for example, a QR code on a parking meter could be problematic if that code has been tampered with or, indeed, shouldn’t be there at all.
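The “same defensive logic as a link” advice above can be made concrete. The following is an added example, not code from the article: it takes the text a scanner has already decoded from a QR code and applies the checks a link scanner or a careful user would apply before opening it. The allowlisted hosts and brand tokens are constructed placeholders; the verdict for any unknown link is “review”, never “allow”, which is the point the column is making.

```python
"""Triage the text decoded from a QR code before acting on it.

Added example, not from the article: the checks a link scanner or a careful
user would apply to a scanned payload, treating it with the same suspicion as a
link in an email or SMS. Host names and brand tokens below are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed: hosts this organisation's own QR codes are expected to point at,
# and brand words whose appearance in any other URL suggests a lookalike.
EXPECTED_HOSTS = {"pay.example-council.gov.uk", "login.examplebank.com"}
BRAND_TOKENS = ("example-council", "examplebank")


def host_is_ip(host):
    """True if the host part is a bare IP literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_qr_payload(payload, expected_hosts=EXPECTED_HOSTS, brand_tokens=BRAND_TOKENS):
    """Return (verdict, reasons) for a decoded QR payload.

    verdict is "expected" (allowlisted https host, nothing odd), "review"
    (unknown destination or a non-web payload) or "block" (a known deception
    pattern). Every unknown link starts at "review", never at "allow".
    """
    text = payload.strip()
    scheme, sep, _ = text.partition(":")
    scheme = scheme.lower()
    if not sep or not scheme.replace("+", "").replace("-", "").isalnum():
        return "review", ["payload is not a URI; treat it as plain text"]
    if scheme not in ("http", "https"):
        # wifi:, tel:, sms:, mailto: etc. hand the data to another app on the
        # phone, so they deserve a look rather than an automatic tap.
        return "review", [f"non-web scheme '{scheme}'"]

    parts = urlsplit(text)
    host = (parts.hostname or "").lower()
    findings = []  # (severity, reason)
    if scheme == "http":
        findings.append(("review", "plain http: the page can be altered in transit"))
    if parts.username is not None or parts.password is not None:
        findings.append(("block", "'@' in the authority: the real host is what follows it"))
    if host_is_ip(host):
        findings.append(("block", "host is a bare IP address"))
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(("block", "punycode label in host (possible homoglyph domain)"))
    if host not in expected_hosts and any(tok in text.lower() for tok in brand_tokens):
        findings.append(("block", "known brand name in a URL whose host is not on the allowlist"))

    if not findings:
        verdict = "expected" if host in expected_hosts else "review"
    elif any(sev == "block" for sev, _ in findings):
        verdict = "block"
    else:
        verdict = "review"
    return verdict, [reason for _, reason in findings]


if __name__ == "__main__":
    for sample in ("https://pay.example-council.gov.uk/bay/42",
                   "http://pay.example-council.gov.uk.parking-pay.net/bay/42",
                   "https://login.examplebank.com@203.0.113.9/verify",
                   "WIFI:T:WPA;S:Cafe;P:secret;;"):
        print(sample, "->", triage_qr_payload(sample))
```

The lookalike test deliberately scans the whole URL rather than just the host: the brand name turning up before an `@`, in a subdomain of someone else’s registrable domain, or in the path is exactly how a tampered parking-meter sticker would try to look legitimate.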
How to eliminate the phishing risk
Cyber crime has come a long way since the ‘AOHell’ cracking exploit kit of 1996. Phishing is not only still with us but still plays a central role in cyber crime, from the ransomware threat through targeted spear phishing to the even more highly targeted whale phishing used in business email compromise (BEC) and nation state spying campaigns, all of which are persistent threats.
The National Cyber Security Centre (NCSC) has a very good guide for organisations when it comes to defending against deceptive phishing campaigns. It’s an excellent starting point on your journey towards the best possible phishing mitigation you can expect.
Helping users to identify and report suspected phishing emails is one area that’s often either over-emphasised, to the detriment of technical tools, or under-emphasised, which is actually just as bad all round. There needs to be a balance between tool implementation and awareness training if such a multi-level strategy is going to be effective in practice. Using Domain-based Message Authentication, Reporting and Conformance (DMARC) is a solid way to verify that an email is actually from the purported sender, by way of example, but not every organisation will use it, so an awareness of the dangers of spoofing (and of the other mitigations) is still a requirement.
The NCSC also has a somewhat dated, but still relevant, information resource when it comes to anti-spoofing while Microsoft 365 users can do worse than head over to that company’s official support and documentation for using DMARC to validate email. One last general resource comes by way of an Electronic Frontier Foundation (EFF) project called Surveillance Self-Defense, which provides a good overview of the tools and techniques to combat phishing attacks.
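To make the DMARC point in the two paragraphs above concrete, here is an added example that is not from the article or from the NCSC or Microsoft guidance it links to: a minimal evaluator of the kind a receiving mail server runs. It shows what “verify that an email is actually from the purported sender” means in practice (a pass needs SPF or DKIM to pass and to be aligned with the visible From: domain), and it also shows the caveat that a domain with no record, or with `p=none`, gives receivers nothing to act on. The records and domains are constructed, and the organisational-domain logic is a deliberate simplification.

```python
"""Parse a DMARC record and evaluate the verdict a receiver would reach.

Added example, not from the article or the guidance it links: a minimal
DMARC evaluator showing why a published policy lets receivers reject spoofed
mail, and why a missing record or p=none gives no protection.
Domains and records below are constructed.
"""


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; raise ValueError if unusable."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= policy")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organisational domain, approximated here as the last two labels.
    Real receivers consult the Public Suffix List (needed for e.g. *.co.uk)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).

    spf_domain is the envelope MAIL FROM domain, dkim_domain the DKIM d= tag.
    DMARC passes if either mechanism passed AND its domain aligns with the
    visible From: domain; otherwise the record's p= policy is the disposition.
    A receiver that finds no record at all has no policy to apply.
    """
    if record is None:
        return "none", "none"
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]


if __name__ == "__main__":
    # Constructed: a spoof of example.com sent from the spoofer's own domain,
    # which passes SPF for that domain but is not aligned with the From: header.
    record = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
    print(dmarc_evaluate(record, "example.com", "pass", "mail.attacker.example", "none", ""))
```

The spoofing case is the one to note: SPF can “pass” for the spoofer’s own envelope domain, so it is the alignment check against the From: domain, not SPF on its own, that catches it. Swap the record for `v=DMARC1; p=none` and the evaluator still says “fail”, but the disposition is “none”, which is why an awareness of spoofing remains necessary even where DMARC is deployed.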
I heartily concur with the software and operating system patching advice, and using two-factor authentication (2FA) keys is equally good advice, less for preventing phishing itself than for mitigating the outcome of a successful initial phish.
A security researcher who goes by the Twitter handle mr.d0x created a phishing workaround for multi-factor authentication while undertaking a penetration test for a client. I mention this purely to emphasise that while 2FA is a great additional layer, it isn’t a foolproof one. The mr.d0x technique is essentially a man-in-the-middle (MitM) compromise, where the attacker controls the site where the authentication code is being entered. It uses a hack built around noVNC, a VNC client that runs in the browser, to launch the victim’s web browser and connect it to the threat actor’s VNC server, where another browser is running in full-screen kiosk mode, so the victim just sees the login web page as expected. The point being that the login takes place on the threat actor’s server, as does entry of the one-time passcode.
Roger Grimes, author of a book called Hacking Multifactor Authentication, and a data-driven defence evangelist with KnowBe4, warns “MFA using voice calls, SMS messages, one-time codes the user types in, and push-based approvals is highly phishable. Hundreds to thousands to millions of people protected by these types of MFA have been successfully phished and hacked. It’s like giving them a self-driving car and not mentioning that they still have to pay attention and drive when the autonomous system fails.”
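The two paragraphs above describe why a typed one-time code is “highly phishable” while a 2FA key is a stronger layer. The following is an added example, not from the article, mr.d0x or KnowBe4, and it simulates only the relying party’s checks: a standard TOTP verification (RFC 6238) has no way of knowing which web page the code was typed into, so a code captured on an attacker-controlled login page and relayed within its time window verifies just fine; an origin-bound credential fails the same test because the signature covers the origin the browser actually reports. The “origin-bound” scheme here is a toy HMAC stand-in loosely modelled on how FIDO/WebAuthn keys bind to an origin, not the real protocol, and the origins and keys are constructed.

```python
"""Why typed one-time codes are phishable and origin-bound keys are not.

Added example, not from the article. It models the relying party's checks only:
a TOTP check (RFC 6238) cannot tell where the code was typed, while an
origin-bound challenge (a toy stand-in loosely modelled on FIDO/WebAuthn, which
signs the origin the browser reports) fails on an attacker's login page.
Origins and keys below are constructed.
"""
import hashlib
import hmac
import secrets
import struct

GENUINE_ORIGIN = "https://login.examplebank.com"          # constructed
PHISH_ORIGIN = "https://login.examplebank-secure.net"     # constructed lookalike


def totp(secret, counter, digits=6):
    """RFC 6238 TOTP for a given time-step counter (time // 30), HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret, submitted_code, counter):
    """Relying-party check: valid in this window no matter where it was typed."""
    return hmac.compare_digest(totp(secret, counter), submitted_code)


def authenticator_sign(key, challenge, origin):
    """Toy origin-bound authenticator: the signature covers the challenge AND
    the origin the browser reports. The user never types anything, so there is
    nothing for an attacker-controlled page to capture and relay."""
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).digest()


def verify_origin_bound(key, challenge, reported_origin, signature, expected_origin=GENUINE_ORIGIN):
    """Relying-party check: the reported origin must be ours AND the signature
    must have been made over that same origin."""
    if reported_origin != expected_origin:
        return False
    return hmac.compare_digest(authenticator_sign(key, challenge, reported_origin), signature)


def scenario():
    """User signs in on an attacker-controlled page that relays to the real site."""
    totp_secret = secrets.token_bytes(20)
    counter = 12345  # fixed window so the outcome is deterministic
    code_typed_on_phish_page = totp(totp_secret, counter)  # read from the user's app
    totp_relayed = verify_totp(totp_secret, code_typed_on_phish_page, counter)

    key = secrets.token_bytes(32)
    challenge = secrets.token_bytes(32)  # issued by the genuine site, relayed by the attacker
    # The browser reports the origin it is really on: the lookalike.
    sig_on_phish = authenticator_sign(key, challenge, PHISH_ORIGIN)
    origin_bound_relayed = verify_origin_bound(key, challenge, PHISH_ORIGIN, sig_on_phish)
    # Relaying the signature but claiming the genuine origin fails too.
    origin_bound_forged_claim = verify_origin_bound(key, challenge, GENUINE_ORIGIN, sig_on_phish)
    # The genuine flow, for comparison.
    sig_genuine = authenticator_sign(key, challenge, GENUINE_ORIGIN)
    origin_bound_genuine = verify_origin_bound(key, challenge, GENUINE_ORIGIN, sig_genuine)

    return {
        "totp_relayed": totp_relayed,                      # True: the code is accepted
        "origin_bound_relayed": origin_bound_relayed,      # False: wrong origin
        "origin_bound_forged_claim": origin_bound_forged_claim,  # False: signature mismatch
        "origin_bound_genuine": origin_bound_genuine,      # True
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

This is the MitM-proxy variant of what the article describes. In the noVNC variant the genuine site is being driven from a browser on the threat actor’s machine, so the typed code is again entered somewhere the attacker controls; a physical key cannot be reached from that remote browser, which is the same property from the other direction.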
There’s one more resource I have to mention, and for good reason as a communicator myself. Namely, this Medium posting by Bob Lord. A former CISO at Yahoo and the Democratic National Committee in the US, Lord has published an excellent round-up of how business security advice should be given. It’s well worth a read in full.
Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.
Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.
You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.