A barcode is a graphical image that stores data in special patterns of spaced vertical lines (linear or 1D barcode), or in special patterns of vertically and horizontally arranged squares (2D barcode). The encoded data can be retrieved with imaging devices such as barcode scanners and smartphones running dedicated reader applications. 2D barcodes are considered inexpensive tools in business marketing, and several companies use them to facilitate post-sale follow-up procedures for their products. Many previous studies have discussed the potential risks of using 2D barcodes and have proposed different security solutions against barcode threats. In this paper, we present a comparative study of various attacks on 2D barcodes and of the available protection mechanisms. We highlight the limitations and weaknesses of these mechanisms and explore their security capabilities. According to our analysis, although many of the available barcode security systems offer cryptographic solutions, they can still have weak points, such as the adoption of insecure cryptographic mechanisms. In some cases, the cryptographic solutions do not even provide enough detail to evaluate their effective security. We review these potential weaknesses and suggest remedies based on the recommendations of the European Union Agency for Network and Information Security (ENISA).
The use of the word "signature" for a symmetric-key based algorithm is quite unusual, since any entity knowing the symmetric key can produce a valid "signature": verification and creation use the same secret, so the tag proves integrity against outsiders but gives no non-repudiation.
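The following example, added here and not taken from the chapter or from any of the products it surveys, makes the footnote's point concrete. It protects a constructed product record (the kind of data a vendor might encode in a post-sale QR code) with an HMAC-SHA256 tag that a barcode scheme might advertise as a "signature". The payload layout (`body|hextag`) and the record fields are assumptions for illustration only. The scenario shows that an outsider without the key cannot alter the record, but anyone who holds the verification key (every scanner, or anyone who extracts the key from a scanner app) can mint a fresh, perfectly valid payload.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed record, standing in for the data a vendor might encode in a
# post-sale QR code. Purely illustrative; not from the chapter.
PRODUCT_RECORD = {"sku": "AB-1234", "serial": "000777", "warranty_until": "2027-12-31"}


def issue(record: dict, key: bytes) -> str:
    """Issuer side: serialise the record and append an HMAC-SHA256 tag.

    Calling the tag a "signature" is loose: it is computed with a symmetric
    key, so whoever can verify it can also create it.
    """
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def verify(payload: str, key: bytes) -> Optional[dict]:
    """Scanner side: recompute the tag, compare in constant time, return the record or None."""
    body, sep, tag = payload.rpartition("|")
    if not sep or len(tag) != 64:
        return None
    expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(body)
    except json.JSONDecodeError:
        return None


def scenario() -> dict:
    """Three checks showing what a symmetric "signature" does and does not give.

    Returns booleans so the outcome can be inspected programmatically.
    """
    key = secrets.token_bytes(32)  # one key shared by the issuer and every verifier
    genuine = issue(PRODUCT_RECORD, key)

    # 1. A payload produced by the issuer verifies.
    genuine_ok = verify(genuine, key) == PRODUCT_RECORD

    # 2. An outsider without the key edits the body; the tag no longer matches.
    body, _, tag = genuine.rpartition("|")
    tampered = body.replace("2027", "2099") + "|" + tag
    tampered_ok = verify(tampered, key) is not None

    # 3. Any holder of the verification key can mint a brand-new payload that
    #    verifies exactly like the issuer's: the scheme offers no non-repudiation.
    forged_record = dict(PRODUCT_RECORD, warranty_until="2099-12-31")
    forged = issue(forged_record, key)
    forged_ok = verify(forged, key) == forged_record

    return {
        "genuine_verifies": genuine_ok,              # True
        "tampered_verifies": tampered_ok,            # False: integrity against outsiders holds
        "forged_by_key_holder_verifies": forged_ok,  # True: the verifier is also a forger
    }


if __name__ == "__main__":
    print(scenario())
```

The third check is the property a real digital signature (an asymmetric scheme, where verifiers hold only the public key) would deny to the scanner: with a MAC, the security of the whole deployment rests on every verifier keeping the shared key secret, which is a weak assumption for a key embedded in a consumer scanning app.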
2D Technology Group Inc. (2016). Barcode security suite. http://www.2dtg.com/node/74.
Dabrowski, A., Krombholz, K., Ullrich, J., & Weippl, E. (2014). QR inception: Barcode-in-barcode attacks. In Proceedings of the 4th ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM’14), November 7, Scottsdale, Arizona, USA (pp. 3–10).
Denso Wave Inc. (2017). SQRC®: Secret-function-equipped QR Code. https://www.denso-wave.com/en/adcd/product/software/sqrc/sqrc.html.
European Union Agency for Network and Information Security (ENISA) (2014). Algorithms, key size and parameters report 2014. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014.
Gao, J., Kulkarni, V., Ranavat, H., Chang, L., & Mei, H. (2009). A 2D barcode-based mobile payment system. In Third International Conference on Multimedia and Ubiquitous Engineering (MUE’09), Qingdao, China, June 4–6 (pp. 320–329).
GitHub. Official ZXing “Zebra Crossing” project home (website). https://github.com/zxing/zxing/.
GitHub. Short Payment Descriptor project home (website). https://github.com/spayd/spayd-java.
Google. Google Safe Browsing API (website). https://developers.google.com/safe-browsing/.
Ishihara, T., & Niimi, M. (2014). Compatible 2D-code having tamper detection system with QR-code. In Proceedings of the Tenth International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIHMSP’14), Kitakyushu, Japan, August 27–29 (pp. 493–496). Piscataway, NJ: IEEE.
ISO/IEC Standard (2006). ISO/IEC 16022:2006, Information technology – Automatic identification and data capture techniques – Data Matrix Bar code Symbology Specification.
ISO/IEC Standard (2008). ISO/IEC 24778:2008, Information technology – Automatic identification and data capture techniques – Aztec Code bar code symbology specification.
ISO/IEC Standard (2015). ISO/IEC 15438:2015, Information technology – Automatic identification and data capture techniques – PDF417 Bar code Symbology Specification.
ISO/IEC Standard (2015). ISO/IEC 18004:2015, Information technology – Automatic identification and data capture techniques – QR Code bar code symbology specification.
Jin, X., Hu, X., Ying, K., Du, W., Yin, H., & Peri, G. (2014). Code injection attacks on HTML5-based mobile apps: characterization, detection and mitigation. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS’14) (pp. 66–77).
Kaspersky Lab (2011). Malicious QR Codes: Attack Methods & Techniques Infographic. http://usa.kaspersky.com/about-us/press-center/press-blog/2011/malicious-qr-codes-attack-methods-techniques-infographic.
Kharraz, A., Kirda, E., Robertson, W., Balzarotti, D., & Francillon, A. (2014). Optical delusions: A study of malicious QR codes in the wild. In 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN’14), 23–26 June, Atlanta, GA, USA (pp. 192–203).
Kieseberg, P., Leithner, M., Mulazzani, M., Munroe, L., Schrittwieser, S., Sinha, M., & Weippl, E. (2010). QR code security. In Proceedings of the 8th International Conference on Advances in Mobile Computing and Multimedia (MoMM’10), Paris, France, November 8–10 (pp. 430–435).
Kieseberg, P., Schrittwieser, S., Leithner, M., Mulazzani, M., Weippl, E., Munroe, L., & Sinha, M. (2012). Malicious pixels using QR codes as attack vector. In Trustworthy ubiquitous computing. Atlantis Ambient and Pervasive Intelligence (Vol. 6, pp. 21–38).
Krombholz, K., Fruhwirt, P., Kieseberg, P., Kapsalis, I., Huber, M., & Weippl, E. (2014). QR code security: A survey of attacks and challenges for usable security. In Proceedings of the Second International Conference on Human Aspects of Information Security, Privacy, and Trust (HAS’14), 8533 (pp. 79–90).
Peng, K., Sanabria, H., Wu, D., & Zhu, C. (2014). Security overview of QR codes. MIT Student Project: https://courses.csail.mit.edu/6.857/2014/files/12-peng-sanabria-wu-zhu-qr-codes.pdf.
Phishtank: Phishtank API (website). https://www.phishtank.com/.
Razzak, F. (2012). Spamming the Internet of Things: A possibility and its probable solution. In Proceeding of the 9th International Conference on Mobile Web Information Systems (MobiWIS’12), Niagara Falls, Canada, August 27–29 (pp. 658–665).
Red Dodo. (2014). QR & barcode reader (secure). http://reddodo.com/qr-barcode-scanner.php.
Soon, T. J. (2008). QR code. Synthesis Journal, 59–78. https://foxdesignsstudio.com/uploads/pdf/Three_QR_Code.pdf.
Starnberger, G., Froihofer, L., & Goschka, K. (2009). QR-TAN: Secure mobile transaction authentication. In International Conference on Availability, Reliability and Security (ARES’09), Fukuoka, Japan, March 16–19.
Symantec Corporation. (2015). Norton snap QR code reader. https://support.norton.com/sp/en/us/home/current/solutions/v64690996_EndUserProfile_en_us.
Tec-it. (2015). Overview: 2D Barcode Symbologies. http://www.tec-it.com/en/support/knowbase/barcode-overview/2dbarcodes/Default.aspx.
Vidas, T., Owusu, E., Wang, S., Zeng, C., Cranor, L., & Christin, N. (2013). QRishing: The susceptibility of smartphone users to QR code phishing attacks. In 17th International Conference on Financial Cryptography and Data Security (FC’13), Okinawa, Japan, April 1, LNCS, 7862 (pp. 52–69). Berlin: Springer.
Wang, P., Yu, X., Chen, S., Duggisetty, P., Guo, S., & Wolf, T. (2015). CryptoPaper: Digital information security for physical documents. In Proceedings of the 30th Annual ACM Symposium on Applied Computing (SAC’15), Salamanca, Spain, April 13–17 (pp. 2157–2164).
Yakshtes, V., & Shishkin, A. (2012). Mathematical method of 2-D barcode authentication and protection for embedded processing. https://www.google.com/patents/US8297510.
Yao, H., & Shin, D. (2013). Towards preventing QR code based attacks on Android phone using security warnings. In Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security (ASIA CCS’13), Hangzhou, China, May 8–10 (pp. 341–346).
Security Threats and Solutions for Two-Dimensional Barcodes: A Comparative Study
Flaminia L. Luccio, Heider A. M. Wahsheh
Chapter 12