Tag, You’re It!
The Internet is full of examples of simplifications creating vulnerabilities. A good number of these can be represented as indirection enablers. IP addresses, domain names, URIs, tiny URLs, QR Codes and now Microsoft tags. Each of these serves the purpose of simplifying and decoupling. We have seen many exploits for the first four, what about these last two?
As you likely know, QR Codes and Microsoft tags are graphical images targeted at print media, though there is no reason they can’t be used in an online fashion. They are most often presented as rectangular graphics (examples below). The reason for using them is to provide an easy way for someone to access a web page (or other online resource) related to the printed content. Since these images represent character data they can also be used to house information, like contact details, that do not require online access to interpret.
The use case is simple: install a special program that interprets the codes or tags; point the camera from a smart phone or computer at the graphic; and voilà, your phone presents a web page, phone number or other embedded content. Basically this avoids having to manually enter a URL. Depending on a company’s marketing strategy this is a powerful feature since a particular ad might want to direct a person to a URL that embeds information about the specific advertisement, media source, publication page and so forth. Typing in a complicated URL would put off many people but this removes most of the effort while making the print media interactive.
The main issues with adoption are educating the public about the use of these codes and getting people to install the reader software. Some of you may recall Radio Shack trying to do something similar several years ago. They created a scanning device, given out for free, that people had to connect to their PCs. They could then scan a specific item in a Radio Shack catalog or advertisement and be brought to a web page with detailed information and ordering instructions.
Although that particular attempt failed, these newer approaches have the advantages of being broadly available, leveraging a common accessory on a smart phone (camera) and providing benefits to more than one company. It will be interesting to see if any of the competing standards catch on with the general public (beyond the two mentioned already there are others such as Data Matrix, Quickmark and PDF417).
My concern, however, isn’t whether these graphical links become popular, it is whether they present another security risk. I believe that they do, in a manner similar to Tiny URLs, yet possibly more insidious.
These codes move beyond the ability of humans to interpret in any fashion. One cannot tell by looking whether the embedded information in the graphic represents a URL to a web page, URL to a photo, phone number or other data. All one can do is trust that the publisher’s description of the graphic’s intent matches the actual result of using it. Given the inherent simplicity, how likely is it that people could become accustomed to pointing their phones at these tags, not necessarily considering the risk?
Unfortunately, as has been proven over-and-over, people tend to ignore online risks. Advertisers are not motivated to discuss risks since the idea is to have people become comfortable with using the images with their smart devices, driving traffic and more customers to the advertisers’ web sites. The double whammy in this case is that the use of the tag is simple and the target devices are smart phones which are extremely vulnerable to malware, given the infancy of effective protection tools in the space.
My guess is that some form of these graphical links will become popular. They provide a tracking ability marketing executives would really like to have and a real-time immersion that other venues, like restaurants and theaters, could leverage. The tracking, between potential customers and companies; marketing departments and channels; and even between advertising campaigns provides more information in an business component that is constantly seeking (and paying for) better and richer data.
Given a blossoming user base, attackers won’t be far behind. Based on the simple use of its camera, a smart phone can be led to a malicious website. Perhaps the graphical code can be setup to call a certain number, providing a distributed denial of service attack against some company’s call center. All manner of interesting attacks can be considered since the user is simply letting the graphic type data into the phone on his or her behalf.
I doubt there is much that can be done to make these safer other than the usual banter about educating users. Microsoft’s tags, when used for URLs, don’t actually encode the URL. Rather the tag leads to a Microsoft service that looks up the URL and directs the browser to the ultimate address. This allows for a control point that could shutdown a link to a malicious site. However other coding approaches place the payload in the graphic so there is no control point.
As is common with each advance in simplifying computer-human interactions there will be good and bad to come of it. So start educating users now as they begin to see more and more of these graphical links between the physical and online worlds.
Have you begun using any of these technologies in your print media? Do they seem to be catching on with your customers and prospects? Do you perceive any interesting attack vectors that this type of technology makes more likely? I look forward to having an opportunity to discuss these subjects in more detail.
Tags: education, Internet, linkedin, marketing, media, Microsoft tags, QR Codes, Security