Security Insights - Cybersecurity for Real-World Workplaces

QRurb Your Enthusiasm: New Risk and Vulnerability Research on QR Codes

April 20, 2021 Chief Security Officer Phil Richards and Head of Endpoint Security Product Management Chris Goettl with Ivanti: Cybersecurity and Information Technology Solutions Season 1 Episode 6

Consider the humble QR code: an older marketing device that exploded in popularity when the world needed touchless solutions for information and payments. 

In fact, according to Chief Security Officer Phil Richards and Head of Endpoint Security Product Management Chris Goettl, the latest cybersecurity research suggests that hackers aren't far behind in leveraging QR code vulnerabilities -- and security teams may be unprepared for a new attack on their managed devices and endpoints.

Today's conversation covers:

  • New security findings from QRurb Your Enthusiasm 2021: Why the QR code Remains a Top Security Threat and What You Can Do About It
  • What a QR code is, how it works -- and how hackers can leverage the black box of trusted QR codes to siphon money from the intended recipient.
  • Additional QR code vulnerabilities that hackers could exploit.
  • How QR codes have risen in popularity with the need for "touchless" solutions during the pandemic and post-COVID.
  • The importance of mobile device security -- particularly with expanded BYOD policies in a post-COVID workplace.

Adrian: Hi, everyone. Welcome to another episode of Ivanti Insights. I'm Adrian Vernon. And with me today is our usual cast of characters, Chris Goettl and Phil Richards.

Gentlemen, today, we're talking about quick response codes; much more commonly known as QR codes. Those were invented in the mid-1990s in Japan. They've grown in popularity this past year as the world has looked for touch-free solutions during the pandemic. 

Now, Ivanti today released a new report. It's called QRURB Your Enthusiasm 2021: Why the QR Code Remains a Top Security Threat and What You Can Do About It. Now, that "Curb Your Enthusiasm", is spelled Q-R-U-R-B. Chris, how would you pronounce that?

Chris: Let's stick with curb.

Phil: Adrian, two things that I've learned already in the first four minutes of this podcast. One, I did not know QR stood for quick response. And I did not know, when I saw that article, that it was pronounced curb. So I've learned two things.

Adrian: You know what? We might as well just stop right now.

Chris: Mission accomplished.

Adrian: All right. So QRURB Your Enthusiasm 2021: Why The QR Code Remains a Top Security Threat and What You Can Do About It report just released today by Ivanti is a follow-up to a report that was published in September 2020 by MobileIron prior to being acquired by Ivanti. I was with MobileIron at that time. I remember that report. 

So, Phil, let's start with you. When I say QR code, and now that it's quick response, when I say QR code, what's the first thing that jumps to mind for you as a Chief Security Officer?

Phil: Well, it's interesting. QR codes translate directly to a URL. It basically is the same. It's one-to-one. A QR code translates to a whole line of characters that show up on your address line in your browser bar. 

So the first thing that pops into my mind is it has all of the same inherent vulnerabilities that a regular URL address would have; individuals not knowing that this is a malicious URL versus a good URL. But it doesn't have some of the constructs that we normally associate with address bars in the first place. 

Obviously, I can't look at a QR code and know that that says ivanti.com or microsoft.com, whatever. I have to trust that QR code because I can't read it. I can't look at it and read it.

So, yeah. It has additional security defects or vulnerabilities already in place, simply because it's not human-readable. I can't look at the thing and say, "Those little boxes are in the wrong spots. That's not the URL I'm expecting to go to."

So that's one of the things that really concerns me. We've got vulnerabilities where it's possible for somebody to rewrite the QR code. And there would be no way for us to know that that's a rewritten code.

Adrian: Chris, let me ask you about usage. So this report does talk about the usage increasing, somewhat significantly, over the past year as a result of the pandemic because of this touchless model. But this is really only potentially the tip of the iceberg, isn't it? We really haven't seen this really expand out, but that's coming around the corner, don't you think?

Chris: Yeah. I mean, seeing the number of people who have paid for something or picked up a prescription or something like that going just from like 9% in 2020 to 14%. That seems like a small number yet. But QR codes, yeah, I've used it to go to a URL before. I've used it to download an application to install an app on my phone.

I've even seen them used at trade shows to get somebody like, "Hey, scan my QR code and that'll just connect you with my social media network. Follow me." Making a payment; I haven't actually done that yet. I don't know if I would trust it, yet, just because, again, it's like I don't know what I'm scanning. I already fear a little bit that URL and the download piece. 

So, it's growing in popularity. Here's something that's pretty fresh news as well. Facebook has now announced that they're going to be providing support for QR code transactions through Facebook shortly as well. There will be a shop that supports that. This will join other organizations that have done this. CVS partnered with Venmo and PayPal to provide contacts with QR codes for over 8,200 stores across the US.

All of these things are starting to ramp up. What this means is that actors are going to start to pay attention to it. Why do more vulnerabilities exploit a Windows system versus a Mac system? It's not because a Mac is less vulnerable, it's because there are more Windows systems in the world. There are more Windows systems that they can try to take advantage of and spread things around.

Another attack factor is like why do people go after ransomware versus data theft more often now? Because ransomware has a better payout. As QR codes for transactions like these become more popular, threat actors are going to follow suit with that as well. 

And I think Phil made a good point. Are they going to try to replace the QR code sitting somewhere with their own? Maybe not right away but as it goes forward, we've had pin skimmers at gas station pumps and other things like that. Once it becomes prevalent enough that they can skim enough information or enough value off of it, that threat will increase.

Phil: Exactly. In the city where I live, there are parking spots. And rather than feed a parking meter, you can take a picture of a QR code on your phone, and that, supposedly, would process payment for your parking. 

That's great. It works fine. As far as I know, nobody has taped over one QR code with another one. To Chris's point, as soon as that becomes more prevalent, you're going to start to see that. You're going to start to see QR skimmers or potentially fraudulent QR codes showing up in those kinds of places.

That way, people can funnel large sums of money over to those things. Nobody wants to scam me out of 10 bucks for parking, but if you replay me a thousand times, all of a sudden, that becomes real money.

Adrian: Now, here are a couple of stats. Let me throw these out to you from this QRURB Your Enthusiasm 2021 report that just came out today from Ivanti. Go check it out on ivanti.com. 43% of respondents have scanned a QR code in the past week. 66% have scanned a QR code in the past month and 83% have scanned it for one use or another in the past year. So people are out there. 

Chris, you mentioned that you haven't used it yet for payment. I've gone to a restaurant, I've sat outside, and I've used a QR code on the table to actually pay my bill. What are the chances today that that $80 bill I could wake up and see my credit card statement a couple of days down the road and find out it's $8,000, all of a sudden? Is that very likely or not?

Chris: I don't think I've seen any specific cases like that yet. Again, it's something where the possibility is absolutely there, especially because we get to the point where these things become convenient and comfortable. And once that happens, we stop paying attention. Contactless payments, things like that; how many times do you actually look to see the amount that was transacted is what actually showed up on your bill? 

Adrian, your point is absolutely valid. Has it happened yet? I don't think so. If it is happening, not at a level where it's made major news yet. But once it does, we're going to find that there's going to be skimming happening at various levels. 

To Phil's point; is it really worth going after a couple of hours of meter payments in a downtown area? That might be 10 bucks. Sure. But to his point, if you can do that across 30 or 40 meters in a downtown area, and during the course of a night, you can make a couple of thousand dollars. All right. Multiply that by a few more. Yeah, we're going to start to see things like that happening more often.

Phil: And to be fair, the QR code is only the tip of the iceberg in terms of how that kind of attack would happen. The mechanics of an attack like that wouldn't just be to replace the QR code. It would be to understand what's going on in the payment system for that particular restaurant, for example, and understanding and finding some flaws in the modality of that payment being taken. That would lead to a possible exploit by changing the URL. And that would lead to a QR code change. 

One of the reasons why you're not going to see somebody do it for a $10 or even an $80 bill is because it's going to cost thousands of dollars to try to figure out how to orchestrate that attack. But as soon as I have that attack, I can replay it hundreds of times. And that's where the value comes in.

Chris: If you look at other areas like ransomware, the one-off ransomware attacking one system, you can get three to four-digit payouts there. The infrastructure behind that is complex to gather those payments in; to make that process easy. 

This QR skimming type challenge is going to be one where they've got to build that backend infrastructure, understand how these payments transact and figure out how am I going to bring that into a place where I can then extract that money? That's the ultimate part. How do I get it to a place where I can extract it and get away with it?

They're going to have to build some sophistication behind this, but when they do, it's going to be pretty easy to do. Now, can I get somebody to a malicious URL? Could I have them download an application that they may not have wanted? There's a number of other risks here besides just the payments to QR codes, for sure.

Adrian: Sorry, Phil. You had something to add? Go ahead.

Phil: I was going to say Chris is exactly right. There are simple ways of exploiting probably that don't involve payment dollars, but then there are more complex ways that will involve transaction type arrangements.

Adrian: All right. So as we take this home today, gentlemen, there is one percentage stat that stood out to me in this QRURB Your Enthusiasm 2021 report. And that is that only 51% of respondents knew for sure that they had installed security software on their mobile devices. Phil, I would think, as a CSO, that's got to scare the bejesus out of you.

With that in mind, what can IT administrators do to ensure that employees and the organization stay protected?

Phil: Well, one of the biggest things is, obviously, with MobileIron. MobileIron is an orchestration solution. And that is, from a centralized IT perspective, one of the most important things. Don't rely on your employees' memory of whether or not they installed some sort of antivirus capability or anti-malware capability on their machine. Orchestrate that and make sure that it happens.

One of the nice things about the way MobileIron works is it allows the phone to still be usable by the employees. So they can go about their regular business. And by the way, they happen to be protected during their regular day as well when they're using their phone as a BYOD device for work purposes.

Adrian: Chris, what would you add? Final parting pearls of wisdom.

Chris: Yeah, I would say that it's absolutely a rising challenge. Mobile devices have been around in our society for so long now, we've gotten used to them. But the attackers are absolutely capitalizing on this gap. For most organizations, it's a BYOD device. That means that most organizations aren't enforcing much, if anything, on those devices.

Phishing happens to be the number one challenge on mobile devices. So how can somebody get access to that credential that they're going to, later on, use to get into your network? They phish a user. And they can do that straight through your mobile phone. Mobile Threat Defense will help to try to defend against malicious applications getting onto your phone. It will help to protect against phishing attempts, so anti-phishing. QR codes are yet another threat that absolutely is going to be affecting the mobile platform. 

So when you're looking at your Mobile Threat Defense choices, there are a lot of different options available. There are even options where, for the Android, you've got your work and your personal side of the phone; you can even get Mobile Threat Defense that helps to support both sides of that. 

So, absolutely a rising threat definitely; one that more and more IT organizations are acknowledging and taking into account because that mobile device is one of the easiest ways that the attacker can get at your user. And your user is the biggest weakness in your overall security for your organization. 

We can't take the user out of the organization, but we can try to protect them or take the weaknesses out of that user. And defending that mobile device is absolutely one of those.

Adrian: And Mobile Threat Defense, what we call MTD, is a way to do that. Guys, I think that's about all the time we have for today. We want to make sure Phil gets to a very important meeting at the bottom of the hour. But as always, gentlemen, it's a pleasure hanging with you guys for these 15, 20 minutes. I look forward to doing it again in a couple of weeks. 

Folks, if you want to hear any more or read any more about this report, remember it's called QRURB Your Enthusiasm 2021: Why The QR Code Remains a Top Security Threat and What You Can Do About It. Check it out on ivanti.com. Until next time, folks, stay safe, be secure, and keep smiling.