The Problem
When was the last time you thought twice about scanning a QR code? QR codes are all around us, from restaurant menus to parking payment stands to event check-ins. QR codes can be dangerous because you do not see their contents until you scan the code, at which point your device may already be navigating to a malicious URL. While it is common for attackers to entirely replace an existing QR code, or place new ones in public spaces, we are concerned about a slightly more sophisticated QR code attack which involves modifying an existing QR code in place - for example, drawing over a large QR code on a billboard.
What MasQRade Does
With MasQRade, we demonstrate that this vulnerability is real. Given an existing QR code - which the attacker may acquire by simply scanning a legitimate QR code in public - MasQRade finds a QR code that looks very similar to the original and can easily be created by minimally painting over the existing code, but which leads to a potentially malicious URL (we just find an available URL, which an attacker would be able to take control of).
How Does This Work?
The first step is to decode an existing QR code, including metadata like its version type, mask type, and the level of error correction. We then search through possible small changes in the link, looking for available domain names. A big part of the data portion of the QR code is error-correcting code - specifically, Reed-Solomon error correction - which means that even a small change in the link may lead to a large change in the pixels of a QR code. So after finding a desired similar URL and generating the appropriate error-correcting code, we introduce errors to the QR code, searching through possible changes in this new QR code that would make it look more like the original. Valid solutions in this search are those where the QR code is able to recover the fraudulent link using error correction, and optimal solutions look as much as possible like the original QR code. After finding a satisfactory solution, we generate the fraudulent QR code.
What's next for MasQRade
We were working on, but did not have enough time to complete, a tool which would be able to predict if a QR code has been modified in this way, which would guard users against this type of scam.
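A code altered as described under How Does This Work only decodes because Reed-Solomon correction repairs the deliberately introduced errors, so a scanner can count how many codewords it had to correct. The following is an added example of that heuristic, not MasQRade's code or the team's unfinished tool; it assumes the scanner exposes the raw codewords of a single, non-interleaved block plus the corrected data, and the function names, sample values and 0.5 threshold are assumptions made for illustration.

```python
# GF(256) log/antilog tables for the QR field (primitive polynomial 0x11D).
EXP, LOG = [0] * 512, [0] * 256
v = 1
for i in range(255):
    EXP[i], LOG[v] = v, i
    v <<= 1
    if v & 0x100:
        v ^= 0x11D
for i in range(255, 512):
    EXP[i] = EXP[i - 255]

def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

def rs_encode(data, n_ec):
    """Return the n_ec Reed-Solomon codewords for one block of data codewords."""
    gen = [1]
    for i in range(n_ec):                 # gen *= (x - a^i), highest degree first
        nxt = gen + [0]
        for j, c in enumerate(gen):
            nxt[j + 1] ^= gf_mul(c, EXP[i])
        gen = nxt
    rem = list(data) + [0] * n_ec
    for i in range(len(data)):            # polynomial long division by gen
        coef = rem[i]
        for j in range(1, len(gen)):
            rem[i + j] ^= gf_mul(gen[j], coef)
    return rem[len(data):]

def corrected_codewords(scanned, decoded_data, n_ec):
    """Count codewords that differ from a clean re-encoding of the decoded data."""
    clean = list(decoded_data) + rs_encode(decoded_data, n_ec)
    return sum(a != b for a, b in zip(scanned, clean))

def assess(scanned, decoded_data, n_ec, threshold=0.5):
    """Return (errors, capacity, flagged); capacity is the RS bound n_ec // 2."""
    errors = corrected_codewords(scanned, decoded_data, n_ec)
    capacity = n_ec // 2
    return errors, capacity, errors / capacity >= threshold

# Constructed sample: 16 data codewords of a version 1-M block (10 EC codewords).
DATA = [32, 91, 11, 120, 209, 114, 220, 77, 67, 64, 236, 17, 236, 17, 236, 17]
CLEAN_SCAN = DATA + rs_encode(DATA, 10)
SUSPECT_SCAN = list(CLEAN_SCAN)
for pos in (1, 7, 18, 23):                # constructed: four codewords altered
    SUSPECT_SCAN[pos] ^= 0x5A

if __name__ == "__main__":
    print(assess(CLEAN_SCAN, DATA, 10))    # freshly printed code
    print(assess(SUSPECT_SCAN, DATA, 10))  # decodes only after correction
```

Physically damaged codes and codes with a logo overlaid also need correction, so a high count is a reason to show the user the full URL before opening it, not proof of tampering.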
Inspiration
We took inspiration from https://research.swtch.com/qart