Wednesday, 5 October 2011

QR code vulnerabilities

Buffer under/overflows #evilqr

A paper on QR code security examines ways in which QR codes can be used to "attack both human interaction and automated systems."

The document, published by Secure Business Australia, notes that while people may fall foul of phishing attacks, automated systems "are most likely vulnerable to SQL injections and command injections."

Two main approaches for attack are explored: buffer underflows and buffer overflows.

The QR readers are naturally a source of concern:
"As QR Codes are a standardized way of encoding information we strongly believe that the majority of software developers do not treat the encoded information as possibly insecure input."
The paper's authors are Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Lindsay Munroe, Sebastian Schrittwieser, Mayank Sinha and Edgar Weippl.
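
The quoted concern, that decoded QR text is rarely treated as insecure input, shown as an added example (not taken from the paper or this post): a hypothetical inventory lookup that receives the decoded string, first pasted into a SQL statement and then length-checked, format-checked and bound as a parameter. The `ITEM:<digits>` payload format, the table and the function names are assumptions made for the illustration.

```python
import re
import sqlite3

# Assumed payload format for this example: "ITEM:" followed by 1-8 ASCII digits.
PAYLOAD_RE = re.compile(r"ITEM:([0-9]{1,8})")
MAX_PAYLOAD_LEN = 64  # reject oversized input before any parsing


def make_db():
    """Build a small in-memory inventory table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)",
                   [(1001, "pallet A"), (1002, "pallet B")])
    return db


def lookup_unsafe(db, payload):
    """'Before': the decoded text is concatenated into the SQL statement."""
    item = payload.split(":", 1)[-1]
    return db.execute("SELECT name FROM items WHERE id = " + item).fetchall()


def lookup_safe(db, payload):
    """'After': length check, strict format check, then a bound parameter."""
    if len(payload) > MAX_PAYLOAD_LEN:
        raise ValueError("payload too long")
    match = PAYLOAD_RE.fullmatch(payload)
    if match is None:
        raise ValueError("payload does not match expected format")
    return db.execute("SELECT name FROM items WHERE id = ?",
                      (int(match.group(1)),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "ITEM:1001 OR 1=1"  # constructed sample of a crafted QR payload
    print("unsafe:", lookup_unsafe(db, crafted))   # condition rewritten, all rows
    print("safe:  ", lookup_safe(db, "ITEM:1001"))  # single expected row
    try:
        lookup_safe(db, crafted)
    except ValueError as err:
        print("rejected:", err)
```

The length check runs before the regular expression so that an oversized payload is refused without being parsed at all.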