Followers

Showing posts with label QR Code. Show all posts
Showing posts with label QR Code. Show all posts

Tuesday, July 19, 2022

How QR codes work, and how they are hacked

 The ubiquitous QR code was invented in 1994 by Japan’s Denso Wave; company engineer Masahiro Hara created it originally with the intention to make manufacturing operations more efficient

In this era of digitalisation, there is never a day that passes without the use of a QR code. This technology has become a part of our lives, more so after the COVID-19 pandemic in 2020 with an emphasis on going contactless to avoid the spread of the deadly virus.

The ubiquitous QR code (quick response code) was first invented in 1994 by Japan’s manufacturer Denso Wave. August 8, 2021, marked the 27th anniversary of the QR code.

The QR code was developed by Denso company engineer Masahiro Hara, originally with the intention to make manufacturing operations more efficient.

According to Denso, it decided to make the technology license-free in order to encourage its use by as many people as possible and released QR codes for general use.

What is a QR code?

It is a type of barcode with a series of black pixels in a square-shaped grid on a white background. It contains various forms of data, like website links, account information, phone numbers, or even coupons.

Unlike the standard barcodes that read in only one direction – top to bottom and store only less amount of information, QR codes are two-dimensional (2D). QR codes can be read in two directions – top to bottom and right to left. This allows them to store more data – 7,089 digits or 4,296 characters. They use approximately 10 times less space than a traditional barcode.

A QR code can encode numerals, alphabetical characters, symbols, binary data, control codes and other data. They can be read at high speed regardless of the scanning angle. The secret lies in three position detection patterns, which are located in each code, enabling stable high-speed reading without being affected by the background patterns.

Position detection pattern

The most challenging problem for the development team of the QR code was how to make 2D codes read as fast as possible; it is more difficult for scanners to recognise the location of a 2D code than that of a barcode. One day, Hara hit on the idea of adding, to the code, information that indicates its location, which might solve this problem.

Based on this idea, a position detection pattern, located at three corners of each code, was created. He expected that by incorporating this pattern into a 2D code, a scanner could accurately recognise the code and thereby read it at high speed.

However, developing the shape of the position detection pattern was extremely difficult because when a similarly shaped figure was near the code, the pattern could not be recognised accurately. To prevent false recognition, the position detection pattern had to have a unique shape.

“The development team members began an exhaustive survey of the ratio of white to black areas in pictures and characters printed on leaflets, magazines, corrugated cartons and other documents after reducing them to patterns with black and white areas. They continued to study numerous printed matter day and night, and at last, identified the ratio that least appeared on the printed matter. It was 1:1:3:1:1. In this way, the widths of the black and white areas in the position detection pattern were determined and scanners became able to detect the code regardless of the scanning angle by finding this unique ratio,” the company explained.

How do QR codes work?

According to anti-virus provider Kaspersky, the patterns within QR codes represent binary codes that can be interpreted to reveal the code’s data. A QR reader can identify a standard QR code based on the three large squares outside the QR code. Once it has identified these three shapes, it knows that everything contained inside the square is a QR code. The QR reader then analyses the QR code by breaking the whole thing down into a grid. It looks at the individual grid squares and assigns each one a value based on whether it is black or white. It then groups grid squares to create larger patterns.

Parts of a QR code

A standard QR code is identifiable based on six components: Quiet Zone, Finder pattern, Alignment pattern, Timing pattern, Version information, and Data cells, said Kaspersky and explained the following.

  • Quiet Zone: This is the empty white border around the outside of a QR code. Without this border, a QR reader will not be able to determine what is and is not contained within the QR code (due to interference from outside elements).
  • Finder pattern: QR codes usually contain three black squares in the bottom left, top left, and top right corners. These squares tell a QR reader that it is looking at a QR code and where the outside boundaries of the code lie.
  • Alignment pattern: This is another smaller square contained somewhere near the bottom right corner. It ensures that the QR code can be read, even if it is skewed or at an angle.
  • Timing pattern: This is an L-shaped line that runs between the three squares in the finder pattern. The timing pattern helps the reader identify individual squares within the whole code and makes it possible for a damaged QR code to be read.
  • Version information: This is a small field of information contained near the top-right finder pattern cell. This identifies which version of the QR code is being read.
  • Data cells: The rest of the QR code communicates the actual information, i.e., the URL, phone number, or message it contains.

Types of QR code

QR codes can be used for multiple purposes, but there are four widely accepted versions of QR codes. The version used determines how data can be stored and is called the “input mode”. It can be either numeric, alphanumeric, binary, or kanji. The type of mode is communicated via the version information field in the QR code.

  • Numeric mode: This is for decimal digits 0 through 9. A numeric mode is the most effective storage mode, with up to 7,089 characters available.
  • Alphanumeric mode: This is for decimal digitals 0 through 9, plus uppercase letters A through Z, and symbols $, %, *, +, –, ., /, and : as well as a space. It allows up to 4,296 characters to be stored.
  • Byte mode: This is for characters from the ISO–8859–1 character set. It allows 2,953 characters to be stored.
  • Kanji mode – This is for double–byte characters from the Shift JIS character set and used to encode characters in Japanese. This is the original mode, first developed by Denso Wave, according to Kaspersky.

Are QR codes safe?

Kaspersky warns that attackers can embed malicious URLs containing custom malware into a QR code which could then exfiltrate data from a mobile device when scanned. It is also possible to embed a malicious URL into a QR code that directs to a phishing site, where unsuspecting users could disclose personal or financial information. Because humans cannot read QR codes, it is easy for attackers to alter a QR code to point to an alternative resource without being detected.

Can QR codes be hacked?

“The QR codes themselves can’t be hacked – the security risks associated with QR codes derive from the destination of QR codes rather than the codes themselves. Hackers can create malicious QR codes which send users to fake websites that capture their personal data such as login credentials or even track their geolocation on their phones. This is why mobile users should only scan codes that come from a trusted sender,” says the company.

Source: The Federal, 19/07/22