QR Inception: Barcode-in-Barcode Attacks


2D barcodes offer many benefits compared to 1D barcodes, such as high information density and robustness. Before their introduction to the mobile phone ecosystem, they have been widely used in specific applications, such as logistics or ticketing. However, there are multiple competing standards with different benefits and drawbacks. Therefore, reader applications as well as dedicated devices have to support multiple standards. In this paper, we present novel attacks based on deliberately caused ambiguities when especially crafted barcodes conform to multiple standards. Implementation details decide which standard the decoder locks on. This way, two users scanning the same barcode with different phones or apps will receive different content. This potentially opens way for multiple problems related to security. We describe how embedding one barcode symbology into another can be used to perform phishing attacks as well as targeted exploits. In addition, we evaluate the extent to which popular 2D barcode reader applications on smartphones are susceptible to these <i>barcode-in barcode</i> attacks. We furthermore discuss mitigation techniques against this type of attack.

DOI: 10.1145/2666620.2666624
View Slides

Extracted Key Phrases

14 Figures and Tables

Cite this paper

@inproceedings{Dabrowski2014QRIB, title={QR Inception: Barcode-in-Barcode Attacks}, author={Adrian Dabrowski and Katharina Krombholz and Johanna Ullrich and Edgar R. Weippl}, booktitle={SPSM@CCS}, year={2014} }