Since QR codes became ubiquitous in public places, I started thinking about someone planting fake ones, on top of the original ones, that would redirect to shady websites. If the website is similar enough to the one it impersonates, it would be hard for the user to distinguish.
I live in Finland and I see them every now and then. I myself read them quite rarely, though. Only if it's a good offer or it benefits me some other way. Most of those codes are just for more info -type which don't really seem to interest people, including myself. The idea of QR codes are kinda okay but the implementations lack of imagination.
I can pay at my local store by scanning the QR code for the specific register. The app then let me chose to pay for the currently ongoing transaction at that register. It's neat.
Besides such application specific use cases they seem dead though.
Almost any user manual nowadays has a QR code, I also see it on magazines, even in printed ads (in Finland also).
However, the UX is really bad:
1. most people don't know what they are
2. if they learn, then they have to find a QR reader app
3. reading experience: pick phone from pocket, open it, find the app, start it, scan it.
Possible solution:
1. phones should have it pre-installed
2. it should be simple to snap a qr tag (e.g. without opening, e.g. with hotkey)
3. url should go to notifications queue or very easily accessible, also for integrations
4. users should be better educated, e.g. when there is a qr tag in a magazine there should be a short explanation. (https://www.quikklytags.com/#/ seems very promising from this point of view)
Yeh your phone camera app should just do it. I spent ages going through the android store to phone an app the didn't[0] want my entire contacts list or browsing history to scan a glorified sudoku.
In the same spirit, it is mindblowing that some Android phones do not even have a flashlight app (I had a flashlight in my dumbphone 8 years ago), and the same applies - most flashlight apps need exorbitant permissions; I found [0] as the only one that doesn't need anything else than, well, camera and flashlight access.
I see Android as OS may not want to support it as some phones/tablets do not have physical flashlight. This would be a genuine occasion for vendors to provide something themselves which is not a bloated crapware, but not all of them do it.
I've not updated my moto gallery app because it wants new permissions to "Contacts" for god knows why. So I don't think the OEMs would do it properly anyway.
Street view update now wants identity, photos/files, camera and wifi info. On top of location of which as least made sense.
<most flashlight apps need exorbitant permissions>
Good find! I've been using LampA, which was a "Show HN" a few months ago (I thought), but I can't find it now. Privacy Flashlight is fuller-featured anyway.
There were reported instances of fake QR codes on political posters in Germany and Switzerland back in 2012. Somebody put a sticker on top of the original code and forwarded the people scanning it to porn websites.
(I'm actually surprised somebody discovered the manipulation.)
This is possible on code128 barcode. This kind of barcode accepts not only numbers but also chars. Usually consumers deal with EAN13 barcode on the supermarket, they only accept numbers and this attack is impossible.
Because the "A" variant of Code128 allows you to have control characters in there. Many barcode readers act like keyboards to the computer - so the clerk/user positions their cursor to the item number field, waves the item in front of the scanner, and the scanner hardware inserts what it read into the field. Fast, reliable, and easy.
But if the barcode contains control characters, it acts like a keyboard macro and will send them to the application. So if I embed a Ctrl-S in my hostile barcode, I can tell the software to save the record with data I supplied.
I actually wanted to know how marvel_boy knows that consumers usually deal with EAN13 barcode instead of code128. As he or she states, EAN13 barcodes would make this kind of attack impossible so I wanted to know if this is a real everyday problem concerning most of the stores or only a minority of them.
Look at the products you buy at the store (supermarket, Walmart, Target, etc) - the barcode is almost always EAN (now IAN)¹ There are exceptions for smaller items like packs of gum, which use UPC-E² encoding (if the manufacturer portion ends in zeros). Hundreds of thousands of products being purchased by billions of people mean they're the dominant barcode system.
So far as attacks via UPC/EAN/IAN, they're not really possible as it only encodes digits, and only 13 of them.
Most barcode scanners are programmed by scanning special barcodes provided by the manufacturer. You can enable/disable any barcode standard. Then you can use the barcode scanner as a slow keyboard.
I've written barcode processing software specifically for the retail market. There is a wide array of barcodes that will be used in the retail grocery store. UPC-E, EAN-8, UPC-A, EAN-13, EAN-14, GS1, GTIN, CODE128, and PDF417 (for drivers license scanning or smart phone apps, e.g. Starbucks app barcodes).
28 comments
[ 4.0 ms ] story [ 74.3 ms ] threadBesides such application specific use cases they seem dead though.
However, the UX is really bad: 1. most people don't know what they are 2. if they learn, then they have to find a QR reader app 3. reading experience: pick phone from pocket, open it, find the app, start it, scan it.
Possible solution: 1. phones should have it pre-installed 2. it should be simple to snap a qr tag (e.g. without opening, e.g. with hotkey) 3. url should go to notifications queue or very easily accessible, also for integrations 4. users should be better educated, e.g. when there is a qr tag in a magazine there should be a short explanation. (https://www.quikklytags.com/#/ seems very promising from this point of view)
I think QR tags have huge untapped potential.
[0]: https://play.google.com/store/apps/details?id=tw.mobileapp.q...
I see Android as OS may not want to support it as some phones/tablets do not have physical flashlight. This would be a genuine occasion for vendors to provide something themselves which is not a bloated crapware, but not all of them do it.
[0] https://play.google.com/store/apps/details?id=com.snoopwall....
Street view update now wants identity, photos/files, camera and wifi info. On top of location of which as least made sense.
Good find! I've been using LampA, which was a "Show HN" a few months ago (I thought), but I can't find it now. Privacy Flashlight is fuller-featured anyway.
(I'm actually surprised somebody discovered the manipulation.)
But if the barcode contains control characters, it acts like a keyboard macro and will send them to the application. So if I embed a Ctrl-S in my hostile barcode, I can tell the software to save the record with data I supplied.
So far as attacks via UPC/EAN/IAN, they're not really possible as it only encodes digits, and only 13 of them.
¹ https://en.wikipedia.org/wiki/International_Article_Number_(...
² http://www.barcodeisland.com/upce.phtml
https://www.cylab.cmu.edu/files/pdfs/tech_reports/CMUCyLab12...