Tag, You’re It!
Wednesday, January 12th, 2011

The Internet is full of examples of simplifications creating vulnerabilities. A good number of these can be represented as indirection enablers. IP addresses, domain names, URIs, tiny URLs, QR Codes and now Microsoft tags. Each of these serves the purpose of simplifying and decoupling. We have seen many exploits for the first four, what about these last two?
As you likely know, QR Codes and Microsoft tags are graphical images targeted at print media, though there is no reason they can’t be used in an online fashion. They are most often presented as rectangular graphics (examples below). The reason for using them is to provide an easy way for someone to access a web page (or other online resource) related to the printed content. Since these images represent character data they can also be used to house information, like contact details, that do not require online access to interpret.
The use case is simple: install a special program that interprets the codes or tags; point the camera from a smart phone or computer at the graphic; and voilà, your phone presents a web page, phone number or other embedded content. Basically this avoids having to manually enter a URL. Depending on a company’s marketing strategy this is a powerful feature since a particular ad might want to direct a person to a URL that embeds information about the specific advertisement, media source, publication page and so forth. Typing in a complicated URL would put off many people but this removes most of the effort while making the print media interactive.
The main issues with adoption are educating the public about the use of these codes and getting people to install the reader software. Some of you may recall Radio Shack trying to do something similar several years ago. They created a scanning device, given out for free, that people had to connect to their PCs. They could then scan a specific item in a Radio Shack catalog or advertisement and be brought to a web page with detailed information and ordering instructions.
Although that particular attempt failed, these newer approaches have the advantages of being broadly available, leveraging a common accessory on a smart phone (camera) and providing benefits to more than one company. It will be interesting to see if any of the competing standards catch on with the general public (beyond the two mentioned already there are others such as Data Matrix, Quickmark and PDF417).
My concern, however, isn’t whether these graphical links become popular, it is whether they present another security risk. I believe that they do, in a manner similar to Tiny URLs, yet possibly more insidious.
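Since the scanned graphic is just character data that the reader app turns into an action (open a web page, dial a number, save a contact), the practical defence is to treat the decoded string as untrusted input and warn before acting on it, the same caution one would apply to a tiny URL. The following is an added example, not code from the post or from any QR or tag reader; the sample payloads and the allow-lists are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample payloads of the kinds the post mentions (a web page,
# a phone number, contact details). None of these come from a real scan.
SAMPLE_PAYLOADS = [
    "https://example.com/ad?src=print&page=12",
    "http://tinyurl.example/abc123",
    "tel:+15555550100",
    "MECARD:N:Doe,Jane;TEL:+15555550100;EMAIL:jane@example.com;;",
    "ftp://files.example/catalog.pdf",
    "Just some printed text",
]

# Hypothetical policy lists; a real reader app would maintain its own.
SAFE_SCHEMES = {"http", "https", "tel", "mailto"}
SHORTENER_HOSTS = {"tinyurl.example", "short.example"}

def classify_payload(text):
    """Return (kind, notes) for one decoded QR/tag string.

    kind is 'url', 'phone', 'email', 'contact', 'text' or 'blocked';
    notes lists reasons the reader should warn the user before acting.
    """
    notes = []
    if text.upper().startswith(("MECARD:", "BEGIN:VCARD")):
        return "contact", notes          # offline data, nothing to fetch
    if text.lower().startswith("tel:"):
        return "phone", notes
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return "blocked", ["unsupported scheme: " + scheme]
    if scheme == "mailto":
        return "email", notes
    if scheme in ("http", "https"):
        host = (parts.hostname or "").lower()
        if scheme == "http":
            notes.append("not https")
        if host in SHORTENER_HOSTS:
            notes.append("shortened URL hides the real destination")
        return "url", notes
    return "text", notes                 # no scheme: show it, do nothing

if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        print(payload, "->", classify_payload(payload))
```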