Barcode-in-barcode attacks [pdf] (iseclab.org)
53 points by sp332 on Dec 18, 2014 | 4 comments

A low-tech MITM attack for barcodes:

Step 1: Buy a ruler and put it in your pocket

Step 2: Whenever you see a QR code on a poster or sign, measure its width and make a note of it.

Step 3: Have a bunch of stickers printed in the most common widths, and carry them in your bag.

Step 4: Whenever you see a QR code on a poster, place a sticker with your fun/malicious code on top of it.

Or just print out QR codes that are bigger than the original and stick them over it... Or just print a new poster and paste it over... Iunno, I'm just not buying that this is a worthwhile vector.

It's interesting, but is it much of an attack? OK, so you can determine what OS your phone is running, but you can do that by coding a QR code that brings them to a webpage that registers it with JavaScript; you need to direct them to a site regardless to collect your findings from this attack.

You might be able to attack a specific code reader, or a left-handed person who waves their phone over the dots in a different order? Or sneak a malicious code past QA and into the wild.