Chapter 2
Malicious Pixels: Using QR Codes as Attack Vector

Peter Kieseberg, Sebastian Schrittwieser, Manuel Leithner, Martin Mulazzani, Edgar Weippl, Lindsay Munroe, Mayank Sinha
SBA Research gGmbH, 1040 Vienna, Austria
[1stletterfirstname][lastname]@sba-research.org

This work examines QR codes and how they can be used to attack both human interaction and automated systems. Because the encoded information is intended to be machine-readable only, a human cannot distinguish a valid QR code from a maliciously manipulated one. While humans may fall for phishing attacks, automated readers are most likely vulnerable to well-known classes of attacks that exploit improperly sanitized input, such as SQL and command injection. Our contribution is an analysis of the QR code as an attack vector: we present different attack strategies from the attacker's point of view, explore their possible consequences, and demonstrate them in a proof-of-concept phishing attack on QR codes. The attack is based on changing the content of a QR code by turning only white modules (pixels) into black ones.

2.1 Introduction

A QR ("quick response") code is a two-dimensional barcode invented by the Japanese corporation Denso Wave. Information is encoded in both the vertical and the horizontal direction, so a QR code can hold up to several hundred times more data than a traditional one-dimensional barcode (Figure 2.1). The data is read by taking a picture of the code with a camera (e.g. one built into a smartphone) and processing the image with a QR code reader.

QR codes have rapidly gained international popularity and found widespread adoption, especially in Japan, where their ability to encode Kanji characters by default makes them particularly suitable. Popular uses include storing URLs, addresses and various other data on posters, signs, business cards, public transport vehicles, etc. Indeed, the mechanism has a vast number of potential applications [1–5]. For instance, the sports brand Umbro has

21  I. Khalil and T. Mantoro (eds.), Trustworthy Ubiquitous Computing, Atlantis Ambient and Pervasive Intelligence 6, DOI: 10.2991/978-94-91216-71-8_2, © Atlantis Press 2012
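The constraint behind the abstract's attack, that an attacker can only add ink and therefore only turn white modules black, can be made concrete with a small model. The following Python code is an added example and is not the chapter's own tooling. It assumes a single byte-mode segment as laid down in ISO/IEC 18004 (mode indicator 0100, an 8-bit character count as used for versions 1 to 9, the data bytes, and the 0000 terminator) and a caller-supplied mask value per bit; the sample URLs and the two mask sequences are constructed for the demonstration. It ignores module placement in the symbol, the real mask patterns and the Reed-Solomon error-correction codewords, all of which a working attack must also satisfy, so a "feasible" result here is a necessary condition, not a sufficient one. It also goes one step beyond the abstract by listing, for a single character, every substitute reachable by darkening alone.

```python
"""
Toy model of the "turn white modules black" constraint.  Constructed
example, not the chapter's tooling.  Only the raw byte-mode data bitstream
of ISO/IEC 18004 is modelled (mode indicator 0100, 8-bit count for versions
1-9, data bytes, terminator 0000) plus a caller-supplied mask bit per data
bit.  Module placement, the real mask patterns and the Reed-Solomon
codewords are left out, so "feasible" here is necessary, not sufficient.
"""

MODE_BYTE = "0100"   # mode indicator for 8-bit byte mode
COUNT_BITS = 8       # character-count indicator width (versions 1-9)
TERMINATOR = "0000"
PRINTABLE = range(0x20, 0x7F)


def byte_mode_bits(payload: bytes) -> str:
    """Data bitstream of one byte-mode segment (no padding, no ECC)."""
    if len(payload) >= 1 << COUNT_BITS:
        raise ValueError("payload too long for an 8-bit count indicator")
    body = "".join(f"{b:08b}" for b in payload)
    return MODE_BYTE + f"{len(payload):0{COUNT_BITS}b}" + body + TERMINATOR


def to_modules(bits: str, mask: str) -> str:
    """Module colours ('1' black, '0' white): module = data bit XOR mask bit."""
    if len(mask) < len(bits):
        raise ValueError("mask shorter than bitstream")
    return "".join("1" if b != m else "0" for b, m in zip(bits, mask))


def decode_modules(modules: str, mask: str) -> bytes:
    """Remove the mask (XOR again) and parse one byte-mode segment."""
    bits = to_modules(modules, mask)
    if bits[:4] != MODE_BYTE:
        raise ValueError("not a byte-mode segment")
    start = 4 + COUNT_BITS
    n = int(bits[4:start], 2)
    return bytes(int(bits[start + 8 * k:start + 8 * k + 8], 2) for k in range(n))


def darken(modules: str, positions) -> str:
    """Add ink: paint the listed modules black."""
    out = list(modules)
    for i in positions:
        out[i] = "1"
    return "".join(out)


def darkening_plan(original: bytes, target: bytes, mask: str):
    """Indices of white modules to paint black so that `original` decodes as
    `target`, or None when some module would have to turn from black to
    white, which adding ink cannot do.  Payloads must have equal length so
    the count indicator and the bitstream length stay the same."""
    src, dst = byte_mode_bits(original), byte_mode_bits(target)
    if len(src) != len(dst):
        return None
    src_mod, dst_mod = to_modules(src, mask), to_modules(dst, mask)
    plan = []
    for i, (a, b) in enumerate(zip(src_mod, dst_mod)):
        if a != b:
            if a == "1":      # black -> white required: not possible
                return None
            plan.append(i)
    return plan


def substitutions(byte: int, mask_byte: int) -> str:
    """Printable characters one byte can be turned into by darkening only,
    given the mask byte covering its eight modules.  With mask 0x00 the
    character can only gain bits, with mask 0xFF it can only lose them."""
    src_mod = (byte ^ mask_byte) & 0xFF
    out = []
    for y in PRINTABLE:
        if y == byte:
            continue
        dst_mod = (y ^ mask_byte) & 0xFF
        if (src_mod & ~dst_mod & 0xFF) == 0:   # every black module stays black
            out.append(chr(y))
    return "".join(out)


# Constructed sample payloads: 'a' (0x61) -> 'q' (0x71) sets a single bit.
ORIGINAL = b"http://example.com/a"
TARGET = b"http://example.com/q"

# Constructed mask sequences (assumption; real masks depend on module position).
MASK_OFF = "0" * 512   # modules show the data bits unchanged
MASK_ON = "1" * 512    # every module colour inverted

if __name__ == "__main__":
    plan = darkening_plan(ORIGINAL, TARGET, MASK_OFF)
    print("unmasked: darken modules", plan)
    modules = darken(to_modules(byte_mode_bits(ORIGINAL), MASK_OFF), plan)
    print("decodes as", decode_modules(modules, MASK_OFF))
    print("inverted mask:", darkening_plan(ORIGINAL, TARGET, MASK_ON))
    print("'a' can become (mask 0x00):", substitutions(0x61, 0x00))
    print("'a' can become (mask 0xFF):", substitutions(0x61, 0xFF))
```

The two mask sequences show why the module colour, not the data bit, is what the attacker controls: the same one-bit change from 'a' to 'q' is a single white-to-black module under one mask and an impossible black-to-white change under the other. The last two calls list the substitutes a single character admits under each mask, which is the alphabet a phishing payload has to be built from.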