Malicious quick response (QR) codes are not a new idea. Some readers might remember last year when it was found that a popular Android smartphone could be wiped by a malicious USSD code embedded within a QR code. QR codes have been in use for many years now, but when scanning them with a mobile phone the user can never tell where they will end up.
To protect against automated redirection to malicious sites with QR codes, Symantec created the Norton Snap application which scans any URL before the user is redirected to the destination address. Currently, we get a few thousand URL lookup requests each day from our users. During the last month, only 0.03 percent of those URLs were malicious. That is not a huge risk but we have, for example, seen cases where QR codes used to make purchases at snack vending machines were replaced, causing snacks purchased through the code to be released at a different location.
Figure. Google Glass and QR codes
Don’t look now
Google Glass is one of the hottest pieces of technologies out at the moment and we’ve got our hands on a number of them for research purposes in our labs. As far as the relationship between Glass and QR code goes, the codes provide an easy way to configure the device; after all it would be quite difficult to input text using your eyes. Our colleagues at Lookout analyzed how Google Glass can be manipulated using malicious QR codes. Wearable devices by their nature can open up new attack vectors because the user interacts with them differently. Lookout have stated when taking a photo of a QR code, it could cause Glass to silently connect to a potentially malicious WiFi access point. This gives the word photobombing a whole new meaning. Glass doesn't support all general QR codes, but does use them for reconfiguring the device's preferred WiFi access point.
Once the Google Glass device connects to the access point of an attacker, the attacker can sniff all the traffic or even redirect users of the device to a malicious website. Fortunately, Google is aware of this issue and have already fixed it—so you don’t have to keep looking away from QR codes while taking pictures.
QR code is not the only way to PWN a device…
So, while Glass’ ability to get QR photobombed was interesting, there are far easier ways to get a mobile device connected to a rogue WiFi access point. Many people have WiFi enabled all the time on their smartphones (or with Google Glass). This means the device constantly probes the surroundings to see if there is a known access point to connect to. Similar behavior is expected in new wearable devices to make it easier for them to connect to the Internet. However, there is software available that will impersonate any network that a device searches for, and this software is quite easy to use. You can even buy a small device called WiFi Pineapple that will do all the work for you. For example, suppose your smartphone is configured to always connect to your home WiFi network with the SSID name “myPrivateWiFi”. Now, imagine you take this smartphone to your local coffee shop where an attacker has installed a malicious WiFi Pineapple. When your device searches for “myPrivateWiFi”, the attacker’s WiFi Pineapple will simply answer the probe request and pretend to be that specific network. From that point on classic man-in-the-middle (MITM) attacks, such as session hijacking or sniffing, can be performed. Such attacks can be executed without the device having to recognize any QR code. So even with Google's patch against QR photobombing, Glass remains vulnerable to WiFi hijacking.
Unfortunately the WiFi hijacking issue is not trivial to solve. Users want a smooth experience that works seamlessly, without the hassle of pairing the devices each time they use a WiFi hotspot. Remembering the MAC addresses of the regularly-used access points together with the SSID could help in some instances, but it reduces the seamless experience users desire when roaming. In addition, MAC addresses can be easily spoofed by the WiFi Pineapple.
The more practicable solution to WiFi hijacking is to treat every network as hostile and ensure that all the applications use encrypted communications like SSL or tunnel through a VPN. That way you don’t have to worry about where you are or what you are looking at, but instead can relax and enjoy the sunshine.