Abstract
QR (Quick Response) codes are two-dimensional barcodes that can encode different types of information. Because of their high information density and robustness, QR codes have gained popularity in many fields of application. Although they offer a broad range of advantages, QR codes pose significant security risks. Attackers can encode malicious links that lead, e.g., to phishing sites. Such malicious QR codes can be printed on small stickers and used to replace benign ones on billboard advertisements. Although many real-world examples of QR code based attacks have been reported in the media, little research has been conducted in this field and almost no attention has been paid to the interplay of security and human-computer interaction. In this work, we describe the manifold use cases of QR codes. Furthermore, we analyze the most significant attack scenarios with respect to the specific use cases. Additionally, we systematize the research that has already been conducted and identify usable security and security awareness as the main research challenges. Finally, we propose design requirements with respect to the QR code itself, the reader application and usability aspects in order to support further research into making QR code processing both secure and usable.
Keywords
- qr codes
- security
- hci
- usability
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Krombholz, K., Frühwirt, P., Kieseberg, P., Kapsalis, I., Huber, M., Weippl, E. (2014). QR Code Security: A Survey of Attacks and Challenges for Usable Security. In: Tryfonas, T., Askoxylakis, I. (eds) Human Aspects of Information Security, Privacy, and Trust. HAS 2014. Lecture Notes in Computer Science, vol 8533. Springer, Cham. https://doi.org/10.1007/978-3-319-07620-1_8
DOI: https://doi.org/10.1007/978-3-319-07620-1_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-07619-5
Online ISBN: 978-3-319-07620-1
eBook Packages: Computer Science, Computer Science (R0)