Mobile Computing | Feature

QR Codes: A Back Door for Malware

Prevalent on many campuses, QR codes are an open invitation to mobile malware. Protecting campus constituents comes down to a combination of education and technical safeguards.

• By Toni Fuhrman
• 10/11/12

Quick Response codes--those glorified barcodes that can be read by mobile devices--can be a boon to campus communications. They're also an open invitation to mobile malware. As the use of QR codes grows, both on campus and in everyday life, universities and their constituents need to take precautions to protect themselves from one of the most glaring security weaknesses in the mobile environment.

QR codes are undoubtedly fun. Campus communications, recruiters, marketers, and library services--to name a few--are finding imaginative ways to use them to reach their customers. QR codes appear on everything from ads and flyers to campus signage, clothing--even buildings. When users scan the code with the cameras on their mobile devices, they are directly connected to a website or video that provides additional information or entertainment.

"QR codes are appealing because of their simplicity," said Bob Rafferty, co-founder of Knowble Media and former director of new media at Wittenberg University (OH). "They take someone from the real world into a virtual world without having to input a URL. A user can open up a QR reader and have an instant display or response."

While he was at Wittenberg, for example, Rafferty deployed QR codes on buildings campuswide. The codes launch websites that display video, photos, and text descriptions about the location, giving incoming and prospective students a virtual tour.

Instant Vulnerability
But what if the QR source is not trustworthy? Unfortunately, a browser-based attack can be initiated within seconds of scanning.

"A single poisoned link is all it takes to expose an entire organization to a full-scale attack," said David Maman, CTO and founder of GreenSQL, a database security company located in Tel Aviv. To prove his point, Maman decided to launch a fake attack at a three-day security conference in London. He created a small poster featuring a big security company's logo and the words, "Just Scan to Win an iPad." Over the next three days, 455 people scanned the accompanying QR code and browsed the link. No one even questioned the sign.

In Maman's view, if it can happen at a security conference, it can happen anywhere. "Most of us don't have the same A/V or URL-filtering technology on our phones or tablets that we have on our PCs," he explained. Can we fully trust QR codes? "Regretfully," he added, "the answer is no."

One of the security weaknesses inherent in mobile phones is the fact that users can't turn off the browser. "The mobile device is exposed even when you're not using it," noted Maman. "It's running codes without your interaction."

According to Maman, the risk of exposure to malware is 10 times greater on a mobile device than on a desktop computer. "Viruses and Trojan horses happen daily on mobile phones," he continued. "Most massive attacks involve SQL injections, a technique used to attack a database through a website. And 99 percent of the time, QR codes are used to deliver a website."

A combination of both network security and mobile security is the best defense. Even then, certain malware, such as a rootkit that hides, can circumvent the built-in defenses of the mobile operating system.

Defending against QR-launched malware must start with individual users. "[Responding to a QR code] is akin to responding to electronic solicitations and would have the same risks as responding to an unknown advertising source," advised Scott Gordon, vice president, worldwide marketing, for ForeScout Technologies, a provider of automated security-control solutions. "There is the potential to go to a site or invoke a request for an application that appears to be reputable but is not.

To minimize mobile security threats--from QR codes as well as other sources--Gordon recommends that schools use the following combination of non-technical and technical controls, as well as utilizing an acceptable-use policy:

Non-technical controls might include:

educating users about the risks of phishing and the use of rootkits in connection with personal mobile devices

utilizing existing communication mechanisms--from student orientation to simple video tutorials--to educate campus users about the risks associated with mobile devices

promoting preventative behavior and encouraging campus constituents to report possible threats

Technical controls might include:

a requirement that all campus constituents employ antivirus software; the use of web and e-mail filtering security systems to filter disreputable sites and potential phishing, and to monitor for unusual port scanning or traffic activity

network access control systems to identify, limit, and monitor all network access; respond to and block threats; and enforce resource-use policy.

installing management software that provides device and data-level protection for faculty mobile devices

An acceptable use policy--either as a legal form or as guidance--might include a list of dos and don'ts for how students (and even faculty) can use their personal mobile devices on campus.