Security Threats and Solutions for Two-Dimensional Barcodes: A Comparative Study
A barcode is a graphical image that stores data in patterns of spaced vertical lines (linear or 1D barcode) or in patterns of vertically and horizontally arranged squares (2D barcode). The encoded data can be retrieved with imaging devices such as dedicated barcode scanners and smartphones running a reader application. 2D barcodes are considered inexpensive tools in business marketing, and several companies use them to facilitate the post-sale follow-up procedure of their products. Many previous studies have discussed the potential risks of using 2D barcodes and have proposed different security solutions against barcode threats. In this paper, we present a comparative study of various attacks on 2D barcodes and of the available protection mechanisms. We highlight the limitations and weaknesses of these mechanisms and explore their security capabilities. According to our analysis, although many of the available barcode security systems offer cryptographic solutions, they can still have weak points, such as the adoption of insecure cryptographic mechanisms. In some cases, the cryptographic solutions do not even provide enough detail to evaluate their effective security. We review potential weaknesses and suggest remedies based on the recommendations of the European Union Agency for Network and Information Security (ENISA).
- 1. 2D Technology Group Inc. (2016). Barcode security suite. http://www.2dtg.com/node/74.
- 2. Dabrowski, A., Krombholz, K., Ullrich, J., & Weippl, E. (2014). QR inception: Barcode-in-barcode attacks. In Proceedings of the 4th ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM’14), November 7, Scottsdale, Arizona, USA (pp. 3–10).
- 3. Denso Wave Inc. (2017). SQRC: Secret-function-equipped QR Code. https://www.denso-wave.com/en/adcd/product/software/sqrc/sqrc.html.
- 4. European Union Agency for Network and Information Security (ENISA) (2014). Algorithms, key size and parameters report 2014. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014.
- 5. Gao, J., Kulkarni, V., Ranavat, H., Chang, L., & Mei, H. (2009). A 2D barcode-based mobile payment system. In Third International Conference on Multimedia and Ubiquitous Engineering (MUE’09), Qingdao, China, June 4–6 (pp. 320–329).
- 6. GitHub. Official ZXing “Zebra Crossing” project home (website). https://github.com/zxing/zxing/.
- 7. GitHub. Short Payment Descriptor project home (website). https://github.com/spayd/spayd-java.
- 8. Google. Google Safe Browsing API (website). https://developers.google.com/safe-browsing/.
- 9. Ishihara, T., & Niimi, M. (2014). Compatible 2D-code having tamper detection system with QR-code. In Proceedings of the Tenth International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIHMSP’14), Kitakyushu, Japan, August 27–29 (pp. 493–496). Piscataway, NJ: IEEE.
- 10. ISO/IEC Standard (2006). ISO/IEC 16022:2006, Information technology – Automatic identification and data capture techniques – Data Matrix bar code symbology specification.
- 11. ISO/IEC Standard (2008). ISO/IEC 16022:2008, Information technology – Automatic identification and data capture techniques – Aztec bar code symbology specification.
- 12. ISO/IEC Standard (2015). ISO/IEC 15438:2015, Information technology – Automatic identification and data capture techniques – PDF417 bar code symbology specification.
- 13. ISO/IEC Standard (2015). ISO/IEC 18004:2015, Information technology – Automatic identification and data capture techniques – QR Code 2005 bar code symbology specification.
- 14. Jin, X., Hu, X., Ying, K., Du, W., Yin, H., & Peri, G. (2014). Code injection attacks on HTML5-based mobile apps: Characterization, detection and mitigation. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS’14) (pp. 66–77).
- 15. Kaspersky Lab (2011). Malicious QR codes: Attack methods & techniques infographic. http://usa.kaspersky.com/about-us/press-center/press-blog/2011/malicious-qr-codes-attack-methods-techniques-infographic.
- 16. Kharraz, A., Kirda, E., Robertson, W., Balzarotti, D., & Francillon, A. (2014). Optical delusions: A study of malicious QR codes in the wild. In 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN’14), June 23–26, Atlanta, GA, USA (pp. 192–203).
- 17. Kieseberg, P., Leithner, M., Mulazzani, M., Munroe, L., Schrittwieser, S., Sinha, M., & Weippl, E. (2010). QR code security. In Proceedings of the 8th International Conference on Advances in Mobile Computing and Multimedia (MoMM’10), Paris, France, November 8–10 (pp. 430–435).
- 18. Kieseberg, P., Schrittwieser, S., Leithner, M., Mulazzani, M., Weippl, E., Munroe, L., & Sinha, M. (2012). Malicious pixels using QR codes as attack vector. In Trustworthy ubiquitous computing. Atlantis Ambient and Pervasive Intelligence (Vol. 6, pp. 21–38).
- 19. Krombholz, K., Fruhwirt, P., Kieseberg, P., Kapsalis, I., Huber, M., & Weippl, E. (2014). QR code security: A survey of attacks and challenges for usable security. In Proceedings of the Second International Conference on Human Aspects of Information Security, Privacy, and Trust (HAS’14), LNCS 8533 (pp. 79–90).
- 20. Peng, K., Sanabria, H., Wu, D., & Zhu, C. (2014). Security overview of QR codes. MIT student project: https://courses.csail.mit.edu/6.857/2014/files/12-peng-sanabria-wu-zhu-qr-codes.pdf.
- 21. PhishTank. PhishTank API (website). https://www.phishtank.com/.
- 22. Razzak, F. (2012). Spamming the Internet of Things: A possibility and its probable solution. In Proceedings of the 9th International Conference on Mobile Web Information Systems (MobiWIS’12), Niagara Falls, Canada, August 27–29 (pp. 658–665).
- 24. Soon, T. J. (2008). QR code. Synthesis Journal, 59–78. https://foxdesignsstudio.com/uploads/pdf/Three_QR_Code.pdf.
- 25. Starnberger, G., Froihofer, L., & Goschka, K. (2009). QR-TAN: Secure mobile transaction authentication. In International Conference on Availability, Reliability and Security (ARES’09), Fukuoka, Japan, March 16–19 (pp. 16–19).
- 26. Symantec Corporation (2015). Norton Snap QR code reader. https://support.norton.com/sp/en/us/home/current/solutions/v64690996_EndUserProfile_en_us.
- 27. TEC-IT (2015). Overview: 2D barcode symbologies. http://www.tec-it.com/en/support/knowbase/barcode-overview/2dbarcodes/Default.aspx.
- 28. Vidas, T., Owusu, E., Wang, S., Zeng, C., Cranor, L., & Christin, N. (2013). QRishing: The susceptibility of smartphone users to QR code phishing attacks. In 17th International Conference on Financial Cryptography and Data Security (FC’13), Okinawa, Japan, April 1, LNCS 7862 (pp. 52–69). Berlin: Springer.
- 29. Wang, P., Yu, X., Chen, S., Duggisetty, P., Guo, S., & Wolf, T. (2015). CryptoPaper: Digital information security for physical documents. In Proceedings of the 30th Annual ACM Symposium on Applied Computing (SAC’15), Salamanca, Spain, April 13–17 (pp. 2157–2164).
- 31. Yao, H., & Shin, D. (2013). Towards preventing QR code based attacks on Android phone using security warnings. In Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security (ASIA CCS’13), Hangzhou, China, May 8–10 (pp. 341–346).