How QRCodes can be used for a cyber attack | Social Experiment

On a train recently I became fascinated by the hacking opportunities presented by QRCode, those 2D barcodes that marketing folks seem to be putting on everything. They strike me as a potentially brilliant method of infecting the smartphones of the general public.

Using QRCode for malicious attacks

From a tech point of view, the idea is simple; the victim scans the QRCode which then directs them to a malicious web site which delivers the payload.

I ended up with an internal dialogue about the social aspects of this.  Questions popped up like

“What sort of person would actually visit these links?”

“How would the placement of the QRCode affect the level of response?”

“Would a stand-alone QRCode get any hits at all?” and so on. 

Whilst the marketing industry has jumped on this bandwagon, I am yet to see any compelling statistics that actually show that people are using QRCode. I decided to try and find out the answer to some of these questions. Hopefully, I will find some other data with a social experiment.

Creation of QRCode social experiment

So, to be clear before you start asking questions:

My experiment is going to contain no malicious actions or intent whatsoever – this is just an anonymous data-gathering exercise.

This weekend I produced the technical bits behind my project. I decided to run a sort of middle man operation; the idea is simple.

Create my own QRCodes on stickers to put over the top of other companies' QRCodes.

My QRCodes would send people to a unique page on a web site of my own creation. This website will record their visit and instantly forward them on to the original QRCode's destination without the user even knowing. I would pre-populate my database with data about the placement of the QRCode and not just the location either…

I hope to be able to identify many qualities about the QRCodes that have been installed. Some examples are: the time and date the sticker was installed; whether it has been placed neatly so that it’s not noticeable; sloppily so anyone who pays attention will notice; whether it’s a large sticker or a small one; whether I make use of the error correction facilities available in QRCodes and place an image in the code itself; and so on.
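Seen from the scanning side, the forwarding page described above shows up as an extra first hop in front of the expected site. The following is an added example, not code from the original post: it audits a scanned URL's redirect chain against the domains a poster's owner is known to use. The hosts, the redirect table and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data: the redirects an auditing client would observe
# (requested URL -> Location header). All hosts are placeholders.
CONSTRUCTED_REDIRECTS = {
    "http://qr-stats.example/c/17": "https://www.brand.example/promo",
    "http://brand.example/promo": "https://www.brand.example/promo",
}

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def in_domains(host, domains):
    # Match the domain itself or a true subdomain, never a bare suffix
    # ("evilbrand.example" must not match "brand.example").
    return any(host == d or host.endswith("." + d) for d in domains)

def follow_chain(url, redirects, max_hops=10):
    """Return every URL visited, starting with the one encoded in the QR code."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in chain:  # redirect loop, stop here
            break
        chain.append(nxt)
    return chain

def audit_scan(scanned_url, trusted_domains, redirects):
    """Flag a QR payload whose chain touches hosts outside the trusted set.

    trusted_domains should include any shortener or campaign-tracking domain
    the poster's owner really uses, otherwise genuine codes get flagged too.
    """
    chain = follow_chain(scanned_url, redirects)
    foreign = [u for u in chain if not in_domains(host_of(u), trusted_domains)]
    return {
        "chain": chain,
        "foreign_hops": foreign,
        # Arriving at the right page proves nothing about the hops before it.
        "lands_on_expected": in_domains(host_of(chain[-1]), trusted_domains),
        "verdict": "suspicious" if foreign else "ok",
    }

if __name__ == "__main__":
    for url in CONSTRUCTED_REDIRECTS:
        print(audit_scan(url, ["brand.example"], CONSTRUCTED_REDIRECTS))
```

The overlaid code ends up on the expected page yet is still reported as suspicious, because the check looks at every hop rather than only the final destination.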

It was obvious pretty quickly that this method was going to be a bit limited.  I would only be able to place my stickers over the top of existing QRCodes.

To get a more interesting spread of data I would also like to add stickers randomly in public places and see what response these get, again collecting the same placement data. If in 6 months' time I have a reasonable amount of data – I would hope to be able to analyse it and pull some interesting trends.

Social experiment legal issues

In the meantime, there are legal questions to which I am not sure I know the answer.  I believe that potentially I could be told off / given an on-the-spot fine by the police for littering. I suspect that some of the companies’ QRCodes I will inevitably cover with my own stickers may not be very happy – don’t know what this would be classed as but I am sure they will come up with something.  For the record folks – all the stickers I have so far / will get in the future are designed to be removable for these very reasons.  I hope that should I end up in bother about this, I can at least state truthfully that it is just a social experiment and that it was designed to cause as little if any damage.

Watch this space for the data analysis – my bet; hardly any of the stickers will get scanned.
