Hex dump of Gibe-F worm.

Risks of QR Codes and Near-Field Communications

How do you decide what to believe?

A great deal of what you believe is based on who told you a thing, or told you how to find information about a thing. In traditional classroom settings or face-to-face communication, either it is very clear just who is providing information to you, or it is equally clear that you don't really know and therefore don't especially trust the source of the information.

In addition to your perception of the identify of the information source, some meta-information is available to you. That is, in addition to "She is my usual teacher (or at least she seems to be)" and "He is wearing a policeman's uniform (or at least it certainly looks like one)", you also have your perceptions about the information. "The story makes sense" and "The story seems plausible" and "The story seems to agree with what I've heard so far."

The Internet can make it difficult to assess an information source's identity and cognitive authority, or effect upon what you believe to be true. While there are technical means for identifying and authenticating information sources to a high degree of confidence, the irony is that the Internet — as commonly used even within academia, business, and government — often leaves identity rather vaguely defined.[1] Two trends being taken up by marketing and business may make this even worse.

[1] See the papers "Delving Deeper into Evaluation: Exploring Cognitive Authority on the Internet", R. L. Cromwell and J. W. Fritch, References Services Review, vol 30, no 3 (2002), pp 242-254; and "Evaluating Internet Resources: Identify, Affiliation, and Cognitive Authority in a Networked World", J. W. Fritch and R. L. Cromwell, JASIST (Journal of the American Society of Information Science and Technology), vol. 52, no. 6 (2001), pp 499-507.

QR code for http://cromwell-intl.com/

QR codes are two-dimensional barcodes, or really matrix codes, used to encode arbitrary digital information. A Toyota subsidiary created QR codes to track vehicles during the manufacturing process. They can encode up to 7,089 numeric characters, 4,296 alphanumeric characters, or 2,953 bytes of 8-bit data. They are frequently used to encode URLs. See the Wikipedia article for lots of technical details on the code design.

For example, using this very useful online QR code generator, I created the QR code you see at right here. It encodes the URL http://cromwell-intl.com/ in a 250x250 pixel representation. However, careful counting reveals that the code pattern is really 25x25 cells each 10x10 pixels, making it a Version 2 QR code. You can select different image sizes and different encoding schemes to encode different types of information sets. This QR code generator is usefully flexible.

All this is great as long as we are cooperating, playing nicely together across the network with neither of us trying to mislead the other. The risk, as I see it, comes about because these codes are especially opaque to the would-be human user. Compare these two reasonably human-friendly URLS: http://www.fsb.ru/ and http://www.disney.com/

ФСБ, transliterated into Latin letters as FSB, stands for Федеральная Служба Безопасности or Federal'naya Sluzhba Bezopasnosti, literally meaning "Federal Service of Security".

The first of those is the website of ФСБ, the Russian FSB or Federal Security Service and the successor to the KGB. The second is The Walt Disney Company. If an Internet user recognizes either or both of these rather different organizations, the URLs (or really the 2nd-level domain names, fsb.ru and disney.com) pretty clearly indicate which is which.

Humans use word-based domain names in URLs: www.fsb.ru and www.disney.com. The .ru and .com top-level domains mean "in Russia" and "a company", and fsb and disney are names of prominent entities within those domains. However, computers and the routers that interconnect the Internet use IP addresses, which are 32-bit patterns in the case of IPv4 or 128-bit patterns with IPv6. You type one of the two URLs above and your browser asks your operating system to resolve the fully-qualified domain name to an IP address. Those domain names resolve to, respectively, the IPv4 addresses written in "dotted quad" format for us humans as and

If you know how to use fundamental networking tools like nslookup, dig, and whois, you could figure out at least some of what those IP addresses meant and, if you would use traceroute and a bit of thought, you could get a pretty good idea of just where those servers are located. Moscow, Russia, and somewhere near Burbank, California, the last time I checked.

However, QR codes are considerably more removed from direct human use. The two smaller QR codes below correspond to http://www.fsb.ru/ and http://www.disney.com/, but you can't tell that, or tell which is which, by looking at them.

QR code for http://www.fsb.ru/ QR code for http://www.disney.com/

Which one is children's entertainment?
Which is the Russian security services?

I could easily say "Kids, scan this to learn more about Mickey and his friends!" Well, for purely legalistic reasons I would need to add "Make sure to get your parents' permission first!" But the parents won't have any idea what URL might be encoded in that QR matrix. Maybe it will be gruesome pictures in which the FSB shows off the latest sudden and noisy death of a suspected terrorist.

Silly Department of Homeland Security poster.

Now consider this U.S. Department of Homeland Security poster. I photographed this poster on a bus shelter in Washington, D.C. What is strange about it?

I'm not asking what is silly about the sign. That would be the unfortunate wording caused by leaving out a phrase and making the poster suggest that we will see strange monsters riding the subway or eating their breakfasts. It should have been worded:
Did you see something suspicious while you were commuting to work or grabbing a bite to eat?

Neither am I asking about the sad part, which is the fear-mongering practiced by the U.S. Government as it does the work of the terrorists.

No, the strange looking thing is that this poster did not have a QR code! I took the picture in December, 2010, and I am surprised that it did not have a QR code. Today's poster surely would include one because that's the trend, a trend possibly leading to trouble.

Businesses and government agencies are effectively training the public to expect to see QR codes and to trust whatever comes up when they point their smartphones at them.

Project Mayhem was my favorite part of Fight Club.

Consider how easy it would be for pranksters or activists to create QR code stickers of an appropriate size to place over existing QR codes on posters, or to add to posters not yet bearing one. This DHS poster is behind a pane of tempered glass or plastic which would it hard to get away with such a stunt, but the bare posters in subway stations would be easy targets.

The bogus QR codes could lead users to sites obviously opposed to the media's owner. Or, to sites obviously irrelevant or filled with malicious software.

But what if bogus QR code stickers added to Citibank advertising led instead to carefully crafted malicious sites that appear to be Citibank sites but really are under the control of the hackers? Please enter your account information and your personal authentication information here...

Compared to that, Project Mayhem style pranks like QR codes encoding URLs for pornography or other offensive imagery are relatively amusing. Shall we print T-shirts and walk around the city? Or shall we just put stickers everywhere?

Also see the various URL shortening services for an effect of obfuscating URLs. I have been amused to see bit.ly used in trade magazines like Military & Aerospace Electronics, largely read by engineers involved in U.S. defense work. The .ly top-level domain is for Libya, so every use of bit.ly in defense publications (or on Twitter, where it is the default URL shortener) sent a little more baksheesh to Muhammad Gaddafi, Muammar al-Gaddafi's eldest son and head of Libya's Ministry of Telecommunications and Technology. Since the fall of the Gaddafi regime, bit.ly has been configured to redirect to bitly.com. Does the new government get any baksheesh from this, or was that only for the Gaddafis? Maybe we should use the Finnish shortener gadaf.fi, created by an opponent of Gaddafi.

John Fritch, my co-author on the two journal papers referenced above, is a reference librarian in the Purdue University libraries. He teaches first and second-year courses on using libraries and doing simple research. From what he tells me, it appears that many U.S. high school students are taught how to spell google and then told to type their largely unplanned search terms and simply believe that whatever comes up must be true.

If it's on the Internet, it must be true. Or so many people believe.

I can't see an increasing reliance on cryptic QR codes making things anything but far worse.

Near-field communication (NFC) might be able to make things even worse yet. This is a short-range wireless technology intended to operate over a range of no more than about 20 centimeters. The plan is for greatly increased use of NFC with smartphones, including making payments with your mobile handset.

NFC uses radio-frequency communication at 13.56 MHz with data rates of 106 to 424 kbits/second. Some of its physical specifications are similar to those used by RFID smart tags.[2] Read the basic NFC specifications here.

[2] Some pages strangely claim that NFC "uses magnets", but that's simply incorrect. Yes, radio waves are electromagnetic, but that isn't "using magnets". I suspect that the author saw that electrically short antennas are used, specifically magnetic loop antennas, multi-turn loops a small fraction of the wavelength in diameter, and misunderstood that that meant that magnets were somehow involved.

NFC is similar to Bluetooth in some ways. Both are short-range communication technology easily integrated into mobile phone handsets. But they operate at entirely different frequencies — Bluetooth operates at 2.4-2.5 GHz, about 180 times the frequency and thus 1/180th the wavelength — and NFC consumes far less power while transferring data at slower speeds.

NFC establishes its links very quickly, in less than 0.1 second as compared to Bluetooth's 6 seconds or less. This might provide more opportunity for quick and subtle data grabs that go unnoticed.

However, the main risk I see for rogue NFC is similar to that of rogue QR codes: bogus "Hold your phone near this" devices. But the potential impact is far worse — instead of simply subjecting the user to offense or nonsense, possibly leading to phishing-type attacks, rogue NFC by definition has the target or victim device in direct communication with the attacker.

Thanks to Ashley and Ms Massingill at the Bright Futures Charter School in Oregon for asking a question and pointing me to a web page, thereby motivating me to put together a page on something I had been thinking about for a while!

It seems to me that the potential for abuse is limited only by the imagination and resourcefulness of the attackers.

Now if you'll excuse me, I need to go print some stickers.

Back to the main Security Page