
Barcode-in-barcode attacks [pdf] - sp332
https://www.iseclab.org/people/atrox/qrinception.pdf
======
rahimnathwani
A low-tech MITM attack for barcodes:

Step 1: Buy a ruler and put it in your pocket

Step 2: Whenever you see a QR code on a poster or sign, measure its width and
make a note of it.

Step 3: Have a bunch of stickers printed in the most common widths, and carry
them in your bag.

Step 4: Whenever you see a QR code on a poster, place a sticker with your
fun/malicious code on top of it.

~~~
jszymborski
Or just print out a QR code that is bigger than the original and stick it over
it... Or just print a new poster and paste it over... Iunno, I'm just not
buying that this is a worthwhile vector.

------
jszymborski
It's interesting, but is it much of an attack? OK, so you can determine what
OS your phone is running, but you can do that by coding a QR code that brings
them to a webpage that registers it with JavaScript; you need to direct them
to a site regardless to collect your findings from this attack.

~~~
sp332
You might be able to attack a specific code reader, or a left-handed person
who waves their phone over the dots in a different order? Or sneak a malicious
code past QA and into the wild.

