Could scanning a QR code be an invitation to malware? Zapp2Photo/Shutterstock.com
You’ve probably been told it’s dangerous to open unexpected attachment files in your email – just like you shouldn’t open suspicious packages in your mailbox. But have you been warned against scanning unknown QR codes or just taking a picture with your phone? New research suggests that cyberattackers could exploit cameras and sensors in phones and other devices.
As someone who researches 3-D modeling, including assessing 3-D printed objects to be sure they meet quality standards, I’m aware of being vulnerable to methods of storing malicious computer code in the physical world. Our group’s work is in the laboratory, and has not yet encountered malware hidden in 3-D printing instructions or encoded in the structure of an item being scanned. But we’re preparing for that possibility.
At the moment, it’s not very likely for us: An attacker would need very specialized knowledge about our system’s functions to succeed in attacking it. But the day is coming when intrusions can happen through normal communications with or sensing performed by a computer or smartphone. Product designers and users alike need to be aware of the risks.
In order for a device to become infected or compromised, the nefarious party has to figure out some way to get the computer to store or process the malware. The human at the keyboard has been a common target. An attacker might send an email telling the user that he or she has won the lottery or is going to be in trouble for not responding to a work supervisor. In other cases, a virus is designed to be unwittingly triggered by routine software activities.
Researchers at the University of Washington tested another possibility recently, embedding a computer virus in DNA. The good news is that most computers can’t catch an electronic virus from bad software – called malware – embedded in a biological one. The DNA infection was a test of the concept of attacking a computer equipped to read digital data stored in DNA.
Similarly, when our team scans a 3-D printed object, we are both storing and processing the data from the imagery that we collect. If an attacker analyzed how we do this, they could – perhaps – identify a step in our process that would be vulnerable to a compromised or corrupted piece of data. Then, they would have to design an object for us to scan that would cause us to receive these data.
A 3-D scanning rig in our lab. Jeremy Straub, CC BY-ND
Closer to home, when you scan a QR code, your computer or phone processes the data in the code and takes some action – perhaps sending an email or going to a specified URL. An attacker could find a bug in a code-reader app that allows certain precisely formatted text to be executed instead of just scanned and processed. Or there could be something designed to harm your phone waiting at the target website.
The good news is that most sensors have less precision than DNA sequencers. For instance, two mobile phone cameras pointed at the same subject will collect somewhat different information, based on lighting, camera position and how closely it’s zoomed in. Even small variations could render encoded malware inoperable, because the sensed data would not always be accurate enough to translate into working software. So it’s unlikely that a person’s phone would be hacked just by taking a photo of something.
But some systems, like QR code readers, include methods for correcting anomalies in sensed data. And when the sensing environment is highly controlled, like with our recent work to assess 3-D printing, it is easier for an attacker to affect the sensor readings more predictably.