From Tourist Information to Malware in one easy step…

This week BBC News and others reported that Gibraltar is joining another well-known destination, Monmouth UK, by tagging locations around the country with printed two-dimensional bar codes (QR codes) which can be scanned by your smartphone to link you to Wikipedia articles.

As a regular traveler, tourist, and conveyor of useless information, to me this seems like a great idea. Rather than fumbling through a guide book, I can just scan a QR code and find out all kinds of interesting factoids about a place. It would seem ideal in fact, and the Wikipedia link is a bit of genius – they don’t even have to author the articles, the “community” (i.e. you and I) will do that for them.

So everyone wins – cost savings for the city/country, increased tourist enlightenment, and growth of online knowledge.

BUT there’s a down side.

As my colleague Robert Siciliano (and many others) has reported, QR codes can be a little dangerous. Because they are not human-readable, you really don’t know what information they contain. And their main purpose here is, of course, to direct you to a web page.

What other group, apart from the tourist information office, wants you to visit web pages without knowing the URL? Oh, yes, that would be cybercriminals.

Trevi Fountain

Imagine this for a scenario – Rome decides to get on the bandwagon and QR-code up the famous landmarks. One of my favorites is the Trevi Fountain, which of course you can find information on by scanning the poster next to the fountain with the QR code –

[Image: Trevi Fountain]

Now, one evening I go and put a sticker over the official poster with something else – say…

[Image: a different QR code]

Can you tell the difference?

Of course, it would be funny, and quickly discovered, if I did use that particular QR code – but I could just as easily have set up a site which mirrored the Trevi Wikipedia page but also installed a rootkit or something evil on your PC.

Robert’s advice still stands here. There is nothing bad about QR codes – they don’t contain enough data to do anything on their own. They are just a machine-readable way of encoding something like a website address.

But websites can be bad, as we all know, so be safe when using your smartphone to browse QR codes, which could have been tampered with or be just plain evil to start with – make sure you have some Mobile Security software installed.
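
Since a QR code is only an encoded address, the decoded text can be checked before anything is opened. The following is an added example, not part of the original post: it treats the decoded text as untrusted input and accepts it only if it is an HTTPS link to a Wikipedia host. The function name, the trusted domain and the sample payloads are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: official tourist codes only link to Wikipedia.
TRUSTED_DOMAIN = "wikipedia.org"


def check_qr_payload(payload):
    """Return (ok, reason) for the text decoded from a scanned QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} is not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before the host hides the real destination"
    if port not in (None, 443):
        return False, f"unexpected port {port}"
    if not host.isascii() or "xn--" in host:
        return False, "internationalised host name, possible lookalike"
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return True, f"host {host} is under {TRUSTED_DOMAIN}"
    return False, f"host {host!r} is not under {TRUSTED_DOMAIN}"


# Constructed sample payloads, as a scanner app would hand them over.
SAMPLES = [
    "https://en.wikipedia.org/wiki/Trevi_Fountain",
    "http://en.wikipedia.org/wiki/Trevi_Fountain",
    "https://en.wikipedia.org.example.net/wiki/Trevi_Fountain",
    "https://en.wikipedia.org@example.net/wiki/Trevi_Fountain",
    "https://en.wikipedi\u0430.org/wiki/Trevi_Fountain",  # Cyrillic "a"
    "tel:+15550100",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = check_qr_payload(sample)
        print("OPEN " if ok else "BLOCK", ascii(sample), "-", reason)
```

Only the first sample is accepted; the rest look like the Wikipedia link at a glance but resolve somewhere else or use a different scheme.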
