One photo to rule your phone

Have you ever seen those black-and-white squares (picture below) called “Quick Response Codes”? Such QR tags are the two-dimensional cousins of EAN codes (International Article Number, the black-and-white bars scanned at Migros’ check-outs) and typically encode a web address. Scanning one of these codes with your smartphone can take you to a webpage, send an SMS or send an e-mail, depending on the contents of the tag. Beautiful, isn’t it? But wait. Can you trust that QR tag? What if it leads to something malicious? Just to add more fun, we have recently heard about a vulnerability in the “USSD code handling” of Android devices prior to version 4.1.1.


USSD codes can, among other things, reset a phone or block a SIM card. Combined with clicking on a malicious link or scanning a malicious QR tag, this is a lethal combination that can turn your phone into a useless brick.

In the past, we have suggested that you “Stop - Think - Click!” before browsing webpages, clicking on strange links or opening e-mail attachments. In this respect, QR tags are not very different from web links provided by URL shortening services like “bit.ly” or “tinyurl.com” *: you cannot see where those links lead. Thus, scanning a QR tag might compromise your mobile phone just as a bad link might infect your PC. So beware! Just as you should take care which links you click, only scan QR tags from sources you trust! Take advantage of your mobile’s preview feature to understand what the QR tag contains, and only continue when you are comfortable (click here to learn how to do this for URL shortening services). Many mobile phones show you a pop-up window with the QR tag’s content, which you then have to approve.
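The preview-and-approve step described above, as an added example that is not part of the original article: a small classifier that takes the raw string a QR reader decodes (constructed samples, not real tags) and describes what it would do, flagging dialer payloads that contain MMI/USSD control characters so the user can refuse them.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed input: the raw string a QR reader decodes from the tag (constructed samples below).
ACTION_SCHEMES = {"mailto": "e-mail", "sms": "SMS", "smsto": "SMS", "tel": "dialer"}


def preview(payload: str) -> dict:
    """Describe what a decoded QR payload would do, and flag dialer codes.

    Returns a dict with 'kind', 'target' and 'danger'. Nothing is opened here:
    the caller shows 'kind'/'target' to the user and waits for an explicit OK.
    """
    text = unquote(payload.strip())          # expose %2A / %23 hidden as * / #
    scheme, sep, rest = text.partition(":")
    scheme = scheme.lower()
    if sep and scheme in ("http", "https"):
        host = urlsplit(text).hostname or "(no host)"
        return {"kind": "web link", "target": host, "danger": False}
    if sep and scheme in ACTION_SCHEMES:
        target = rest.lstrip("/").split("?", 1)[0]
        # smsto:NUMBER:BODY keeps only the number as the target
        if scheme == "smsto":
            target = target.split(":", 1)[0]
        # A phone number never contains * or #; those are MMI/USSD control codes
        # that the dialer executes, which is the class of payload behind the
        # Android issue, so they are flagged rather than passed on.
        is_ussd = scheme == "tel" and re.search(r"[*#]", target) is not None
        kind = "dialer code (USSD)" if is_ussd else ACTION_SCHEMES[scheme]
        return {"kind": kind, "target": target, "danger": is_ussd}
    return {"kind": "text", "target": text, "danger": False}


if __name__ == "__main__":
    # Constructed sample payloads, not taken from any real tag.
    for sample in ("https://home.cern/news", "mailto:Computer.Security@cern.ch",
                   "smsto:+41221234567:hello", "tel:%2A%2306%23", "just some text"):
        print(sample, "->", preview(sample))
```

The `tel:%2A%2306%23` sample decodes to the IMEI display code mentioned in the article; a preview that surfaces it as a dialer code instead of executing it is exactly the confirmation window you should expect to see.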

In fact, this is where the aforementioned Android vulnerability comes in… Please test whether you are affected at this site. If all is fine, a confirmation window should pop up and you should just click on “Cancel”. Otherwise, your “IMEI” code will be displayed immediately: your Android phone is affected. We recommend you update to version 4.1.1, if possible, or STOP - THINK - CLICK.

* If you would like to shorten a CERN URL, check out IT’s newest service. Take a look!


For further information, please check our web site (click here or use our QR tag below) or contact us at Computer.Security@cern.ch.

Access the entire collection of Computer Security articles here.

by Computer Security Team