Using QR Codes To Issue Commands To Infected Machines


Thankfully It’s Slow, As In 438 bytes/s

Using a QR code to infect a mobile device, or really just about anything with a camera and the ability to process the codes, is not new.  Unfortunately marketers never got that message, and we are seeing QR codes everywhere, from restaurant menus to the sign-up process for a club to advertising for products and services.  Security professionals have given the attack cute names like "quishing", but the vast majority of people and businesses seem to have fallen in love with the codes.  It will likely take a number of successful high-profile attacks before the general public realizes that a QR code is not just an innocent way to open a webpage.

The latest vulnerability was discovered by Mandiant and goes beyond breaking someone's iPhone.  The attack is used to bypass browser isolation, a popular security measure that loads webpages on a remote machine and sends only a render of each page to the system that actually requested it.  That means any malicious code buried in the page might run on the remote machine, but it cannot be triggered on the local machine, which only ever sees a picture of what the page looks like, sans code.  However, the researchers discovered that they could embed QR codes in the page, which are included in that render, and found a way to use them to issue commands to the target machine.

Thankfully there are a lot of limitations to this technique.  It can only issue commands to a machine already infected by malware; it cannot be used to spread the malware itself.  The maximum theoretical payload is 2,189 bytes, and that assumes a perfect render makes it to the targeted machine and that the hidden interpreter is 100% successful at translating the QR code back into actual commands.  Each request also takes roughly five seconds, which translates to around 438 bytes/sec, not enough to do a lot.  It is, however, a novel way to avoid browser isolation, and that is not good news.
