Morey Haber, Chief Security Advisor, BeyondTrust on the danger of Games-goers scanning one-too-many QR codes.
This month’s Olympic Games in Paris is notable because a quick response (QR) code is needed to pass physical security perimeters around the opening ceremony and competition venues.
That goes for all people attempting to access the zones: workers, drivers, riders, attendees and more.
The QR code can either be stored in a smartphone app or printed out in hard copy and be presented for a scan.
And that, for authorities, athletes, attendees, organisations and sponsors, is where a new attack vector may surface.
Ever since the pandemic, when contact tracing, venue check-in and contactless ordering at hospitality venues thrust QR codes into the spotlight, there’s been a proliferation in QR code use.
QR codes have become normalized and people are mostly unaware of how they can be misused – until after they scan one.
And by then it’s too late.
We have ultimately become trusting of their diverse and potentially malicious capabilities.
In the case of Paris, the fact that QR codes are the official format for digital passes to the inner-city will legitimize them in the eyes of Games-goers. It also likely means third parties, within and outside the secure zones, will also display QR codes to expose visitors to a range of content or offers – some legitimate, others less so, like a simple watering hole attack.
The danger for Games-goers is that they could end up scanning one-too-many QR codes in their time at the event – and one of those scans could mask something nefarious.
And it’s not just Games-goers who are at risk. The same risk applies to authorities scanning QR codes at checkpoints – particularly as they’ll be accepting paper-based printouts of codes. Given the demand for entry to areas, they may be presented with legitimate looking codes that turn out to be anything but.
Aside from declining entry to the person presenting that QR code, authorities may be unaware of what they’ve just scanned, and what it has done on their device or to the network they’re connected to.
In 2020, I wrote an article titled: I Don’t Scan QR Codes, And Neither Should You’.
The main point was the cybersecurity risks associated with QR code misuse: that by pointing a device at a QR code, you’re trusting it takes you to a link or download that’s genuine and not malicious.
But for anyone who’s ever scanned one, they’ll know it often displays a URL generated by a shortener.
While shorteners were once useful in character-constrained contexts (such as to achieve brevity in bite-sized social media posts), these days, many people recognise these links as suspicious. The ubiquity of QR codes is training people to override that caution – during the Games that could pose a major problem.
The bigger challenge faced by Games-goers is that shortened URLs are just one of an ever-increasing variety of avenues to malicious content payloads that can be masked with a QR code. The reality is that QR codes can redirect users to information stored in a variety of formats.
For example, a QR code scan may contain contact information in a vCard format that gets automatically added to the user’s address book; or it could more directly prompt the user to call a phone number or send a specifically worded SMS or email message from their device to an unknown recipient.
Other malicious uses of QR codes that have been observed include automatically connecting the scanning device to a nearby Wi-Fi network where Man-in-the-Middle and other traffic interception attacks become possible; or purporting to point the user to their app store to download an app – but taking them to a download hosted outside of the security of the official store.
In more sophisticated cases of malicious intent, the content displayed to the user might be dynamic, with the redirect based on contextual factors like where and when the QR code was scanned.
To reduce the risk of falling victim to a QR code scanning attack during the Games, attendees and authorities—as well as those watching the Games or interacting with Games-related content online—can follow some simple rules if they need to scan a QR code:
- Verify that the QR code is not a sticker or overlay. The poster/flyer or other place where the QR code is displayed may be genuine, but a malicious actor might generate their own QR code on a sticker and place it over -a legitimate one. For web-based QR codes, confirm that the address of the website is legitimate and not a deliberately mis-spelled “lookalike” page.
- Exercise care when scanning QR codes tied to performing financial transactions. For a parking meter, for example, only scan a code on the meter with a dedicated app for that parking operator. If the app doesn’t recognise it, it simply won’t accept payment. Scanning a code on the meter with your phone camera could compromise the device if that QR code turns out to be malicious.
- Check any QR code that asks you to click on a link. This is the same attack vector when you receive a link by email, SMS, calendar invite, or any other format. Just scanning a QR code is similar to clicking on a link and you never know what the payload can be behind the image.
- For cyber teams responsible for corporate security, be on the lookout for suspicious behaviour associated with user accounts—especially those accessing sensitive information or systems—that might be attending the Games or sponsoring an event.
- Ensure multi-factor authentication (MFA) is enabled for anyone accessing corporate accounts associated professionally or personally with the Games. And remember, SMS text messages are not a secure method for two factor authentication.
For all attendees of the Games, enjoy this historical event. For all cybersecurity professionals, having a view across all of the identities of attendees at the Games and their paths to privilege will allow you to pick up early warning signs that something is wrong.
In this security professional’s opinion, QR as an identity-based attack vector will be the easiest way to date for threat actors to compromise unsuspecting athletes, attendees, and organisations at the event.
Click below to share this article