Green Light, Red Flag? Unveiling the Security Concerns of Olympic QR Codes
- By Morey Haber, BeyondTrust
- July 15, 2024
This month’s Olympic Games in Paris are noteworthy for the widespread use of Quick Response (QR) codes, known as Pass Jeux. A Pass Jeux is needed to enter the physical security perimeters, where security checks verifying an individual’s identity will be carried out at every access point.
From athletes to attendees, everyone accessing the Olympic zones will require a single point of entry: a valid QR code. These codes, stored on smartphones or printed for scanning, offer convenience. But for authorities, athletes, attendees, and sponsors alike, this reliance creates a security vulnerability. If you consider that paper can be copied, and that even some of the most advanced dynamic QR codes have been hacked (TicketMaster), then implementing QR codes at the Olympics represents a risk that all attendees should be aware of.
QR codes became popular during the pandemic thanks to their seamless connection between physical and digital worlds. However, this leads to an emerging challenge on a new scale: QR codes are becoming normalized, and people are mostly unaware of how they can be misused. Scanning one and proceeding can be as dangerous as clicking on a link in a phishing email. Then, instantly, it could be too late to recover. Ultimately, we have become trusting based on their simplicity but are generally ignorant of their potential malicious capabilities.
QR codes are not inherently dangerous, but threat actors could use them to trick unsuspecting individuals into scanning codes that expose them to a range of threats, such as phishing, QR code swaps, malware distribution and infection, malicious advertisements, and zero-day attacks, according to the Cyber Security Agency of Singapore.
In the case of Paris, the fact that QR codes are the official format for digital passes to the inner city will legitimize them in the eyes of attendees and athletes. It also likely means third parties, within and outside the secure zones, may leverage QR codes to engage visitors with potentially malicious offers. For game attendees, the question becomes which QR codes they trust. They could end up scanning one too many QR codes in their time at the event, and one of those scans could mask something nefarious.
And it’s not just game-goers who are at risk. The same risk applies to authorities scanning QR codes at checkpoints — particularly as they will accept paper-based code printouts. Given the volume of people seeking entry, they may be presented with legitimate-looking codes that infect their device, or the network it is connected to, with malicious code. For example, if a zero-day exploit were embedded in the link behind a QR code, could it compromise the official systems validating QR codes for access and ultimately compromise Olympic systems? The possibility does exist.
Behind the code
While QR codes may seem harmless, there can be cybersecurity risks behind them. The key concern is that by scanning one, the user is placing their trust in the code itself. The assumption is that the code will direct the device to a safe and legitimate website, download, or other content, but there is always the risk that the action is malicious. QR codes can encode nearly a dozen kinds of embedded content, from contacts to reminders, and by scanning them we implicitly trust that none of that content will add anything malicious to our device.
But anyone who’s ever scanned one will know it often displays a URL generated by a URL shortener. While shorteners were once useful in character-constrained contexts (such as to achieve brevity in bite-sized social media posts), these days, many people recognize these links as suspicious. The ubiquity of QR codes is training people to override that caution and not review the link or domain name. The more significant challenge participants face is that shortened URLs are just one of an ever-increasing variety of avenues to malicious content payloads that can be masked with a QR code. The reality is that QR codes can redirect users to information stored in various other formats.
As mentioned, QR codes can carry more than Internet links. A QR code can automatically connect a device to a nearby Wi-Fi network, where Man-in-the-Middle and other traffic interception attacks become possible. Such attacks can include stealing user credentials, or a link that purports to open the official app store but instead delivers a download hosted outside the store’s protections.
In more sophisticated cases, the content served after a scan may be dynamic: the same QR code redirects to different destinations depending on contextual factors such as geolocation, operating system, and device model.
Reducing your risk
To reduce the risk of falling victim to a QR code scanning attack during the Games, attendees and authorities — as well as those watching the Games or interacting with Games-related content online — can follow some simple rules if they need to scan a QR code:
- Verify that the QR code is not a sticker or overlay. The poster, flyer, billboard or other place where the QR code is displayed may be genuine (even if electronically displayed on another screen), but a malicious actor might generate their own QR code on a sticker and place it over a legitimate one.
- For web-based QR codes, confirm that the website address is legitimate and not a deliberately misspelled “lookalike” page. Alternatively, search for the required page using your favorite search engine.
- Exercise care when scanning QR codes tied to performing financial transactions. For a parking meter, for example, only scan a code on the meter with a dedicated app for that parking operator. If the app doesn’t recognize it, it simply won’t accept payment. Scanning a code on the meter with your phone camera could compromise the device if that QR code is malicious.
- Check any QR code that asks you to click on a link. This is the same attack vector when you receive a link by email, SMS, calendar invite, or any other format. Scanning a QR code is similar to clicking on a link, and you never know the payload behind the image. Where possible, find an alternative method for accessing the needed information.
- Cyber teams responsible for corporate security should look for suspicious behavior associated with user accounts — especially those with access to sensitive information or systems — belonging to people who may be attending the Games or sponsoring an event. Geolocation verification for all corporate access during the Games should be a priority for all cybersecurity professionals.
- Ensure multi-factor authentication (MFA) is enabled for anyone accessing corporate accounts associated professionally or personally with the Games. And remember, SMS text messages are not a secure method for two-factor authentication. Push notifications and FIDO2-compliant solutions are much better technologies for securing access.
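As an added example (not from the article or BeyondTrust), the following Python routine triages a decoded QR payload and surfaces the warnings discussed in the "Behind the code" section and in the checklist above: shortened URLs, Wi-Fi auto-join payloads, contact and messaging payloads, plain-HTTP links, and lookalike domains. The allowlist, the shortener list, and the `.example` domains are constructed placeholders, not real Games infrastructure.

```python
import difflib
import re
from urllib.parse import urlparse

# Constructed allowlist of domains an attendee expects to see (RFC 2606 .example names, assumed).
EXPECTED_DOMAINS = {"games-pass.example", "parking-operator.example"}
# Well-known URL shorteners: the real destination stays hidden until the link is followed.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}

def lookalike_of(host: str):
    """Return the expected domain that `host` imitates, or None if it is genuine or unrelated."""
    h = host.lower().rstrip(".")
    if any(h == g or h.endswith("." + g) for g in EXPECTED_DOMAINS):
        return None  # the real domain or one of its own subdomains
    for good in EXPECTED_DOMAINS:  # name buried in a longer host, or a typo/confusable variant
        if good in h or difflib.SequenceMatcher(None, h, good).ratio() >= 0.8:
            return good
    return None

def triage_qr_payload(payload: str):
    """Classify decoded QR content and list what a scanner should warn about before acting."""
    p = payload.strip()
    findings = []
    if re.match(r"https?://", p, re.I):
        kind, u = "url", urlparse(p)
        host = (u.hostname or "").lower()
        if u.scheme.lower() != "https":
            findings.append("plain HTTP: the page and anything typed into it can be intercepted")
        if "@" in u.netloc:
            findings.append(f"text before '@' is a decoy; the real host is {host}")
        if host in SHORTENER_HOSTS:
            findings.append("URL shortener: destination cannot be reviewed before following it")
        bad = lookalike_of(host)
        if bad:
            findings.append(f"'{host}' resembles '{bad}' but is a different domain")
    elif p.upper().startswith("WIFI:"):
        kind = "wifi"  # WIFI:T:<auth>;S:<ssid>;P:<password>;; (escaped ';' inside values ignored here)
        fields = dict(f.split(":", 1) for f in p[5:].split(";") if ":" in f)
        findings.append(f"auto-joins Wi-Fi '{fields.get('S', '?')}': traffic can be intercepted")
        if fields.get("T", "").lower() in ("", "nopass"):
            findings.append("open network: no link-layer encryption at all")
    elif p.upper().startswith(("MECARD:", "BEGIN:VCARD")):
        kind = "contact"
        findings.append("adds a contact whose name and number were chosen by whoever printed the code")
    elif re.match(r"(tel|sms|smsto|mailto):", p, re.I):
        kind = "message"
        findings.append("starts a call, SMS or email to an address chosen by the code's author")
    else:
        kind = "text"
    return {"kind": kind, "findings": findings}
```

A scanner app or a checkpoint device would show the findings list before opening the link or joining the network, which is the review step the checklist asks attendees to perform by hand.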
For all attendees of the Games, enjoy this historic event. For all cybersecurity professionals, having a view of every identity attending the Games and its path to privilege will allow you to pick up early warning signs that something is wrong.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends. Image credit: iStockphoto/Alla Tsyganova
Morey Haber, BeyondTrust
Morey Haber is the chief technology officer at BeyondTrust.