
2018 | Original Paper | Book chapter

12. Security Threats and Solutions for Two-Dimensional Barcodes: A Comparative Study

Authors: Riccardo Focardi, Flaminia L. Luccio, Heider A. M. Wahsheh

Published in: Computer and Network Security Essentials

Publisher: Springer International Publishing


Abstract

A barcode is a graphical image that stores data in special patterns of vertically spaced lines (linear or 1D barcode), or special patterns of vertical and horizontal squares (2D barcode). The encoded data can be retrieved using imaging devices such as barcode scanner machines and smartphones with specific reader applications. 2D barcodes are considered inexpensive tools in business marketing, and several companies are using them to facilitate post-sale follow-up for their products. Many previous studies discussed the potential risks of using 2D barcodes and proposed different security solutions against barcode threats. In this paper, we present a comparative study of various attacks on 2D barcodes and of the available protection mechanisms. We highlight the limitations and weaknesses of these mechanisms and explore their security capabilities. According to our analysis, although many of the available barcode security systems offer cryptographic solutions, they can still have weak points such as the adoption of insecure cryptographic mechanisms. In some cases, cryptographic solutions do not even provide enough detail to evaluate their effective security. We review potential weaknesses and suggest remedies based on the recommendations from the European Union Agency for Network and Information Security (ENISA).


Footnotes
1
The use of the word “signature” for a symmetric-key-based algorithm is quite unusual, since any entity knowing the symmetric key might provide a valid “signature.”
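As an added example (not code from the chapter), the following Go program makes the footnote's distinction concrete: with an HMAC-based "signature" every verifier must hold the shared key and can therefore produce valid tags for payloads of its own choosing, whereas with an Ed25519 signature the verifier's public key gives it no such ability. The barcode payload, the demo key and the hex tag format are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
)

// MacTag is the symmetric-key "signature": HMAC-SHA256 over the barcode payload.
func MacTag(key []byte, payload string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(payload))
	return hex.EncodeToString(m.Sum(nil))
}

// MacVerify needs the same key MacTag used, so every verifier that holds it can mint tags too.
func MacVerify(key []byte, payload, tag string) bool {
	return hmac.Equal([]byte(tag), []byte(MacTag(key, payload)))
}

// SigTag is a real digital signature; only the private-key holder can produce one.
func SigTag(priv ed25519.PrivateKey, payload string) string {
	return hex.EncodeToString(ed25519.Sign(priv, []byte(payload)))
}

// SigVerify checks with the public key alone; that key confers no signing ability.
func SigVerify(pub ed25519.PublicKey, payload, tag string) bool {
	sig, err := hex.DecodeString(tag)
	return err == nil && ed25519.Verify(pub, []byte(payload), sig)
}

// VerifierCanMint asks, per scheme: using only what a verifier holds (macKey,
// resp. pub), can it tag a fresh payload so that its own check accepts it?
func VerifierCanMint(macKey []byte, pub ed25519.PublicKey, payload string) (hmacMinted, sigMinted bool) {
	hmacMinted = MacVerify(macKey, payload, MacTag(macKey, payload))
	// Without the private key the verifier can only guess a 64-byte signature.
	sigMinted = SigVerify(pub, payload, hex.EncodeToString(make([]byte, ed25519.SignatureSize)))
	return
}

// Demo runs both schemes on constructed keys and a constructed barcode payload.
func Demo() (issuerSigOK, hmacMinted, sigMinted bool) {
	macKey := sha256.Sum256([]byte("constructed demo key")) // constructed, not a deployment key
	pub, priv, _ := ed25519.GenerateKey(nil)                // nil reader means crypto/rand
	payload := "https://example.com/product?id=12345"      // constructed barcode content
	issuerSigOK = SigVerify(pub, payload, SigTag(priv, payload))
	hmacMinted, sigMinted = VerifierCanMint(macKey[:], pub, payload)
	return
}
```

The practical consequence is that a MAC only proves the payload came from someone holding the shared key, which includes every reader the key was distributed to; origin authentication that survives key distribution to readers requires a public-key signature.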
 
Metadata
Title
Security Threats and Solutions for Two-Dimensional Barcodes: A Comparative Study
Authors
Riccardo Focardi
Flaminia L. Luccio
Heider A. M. Wahsheh
Copyright year
2018
DOI
https://doi.org/10.1007/978-3-319-58424-9_12
