What kind of technology is QR code and what is dangerous?

The new coronavirus infection (COVID-19), which was prevalent worldwide in 2020, has led to the rapid spread of contactless technologies such as touch payments. One of these non-contact technologies, the

QR code , which reads a square black-and-white code with a camera, is explained by Assistant Professor Scott Ruoti of the Department of Computer Science, University of Tennessee, who is an expert in cryptographic protocols.

How QR codes work and what makes them dangerous – a computer scientist explains

QR code is a technology developed in 1994 by Denso , an automobile parts manufacturer belonging to the Toyota Group. At that time, DENSO's manufacturing plant managed various parts with barcodes, but it was developed in response to the voice of the field that 'it is necessary to read multiple barcodes for only one work and it takes time and effort'. Mr. Masahiro Hara of the department has developed a QR code that 'has information vertically and horizontally' unlike barcodes that have information only in the horizontal direction. When it was provided as open source based on the idea of 'first popularization,' it rapidly spread beyond the boundaries of the automobile industry.

History of QRcode-YouTube

According to Assistant Professor Ruoti, the QR code consists of four elements: '1) data,' '2) positioning markers,' '3) blank areas, and' 4) logo.

The QR code data is recorded by the pattern of 'cells' which are black and white squares, and roughly speaking, information such as URLs are stored by the binary system of 'white is 1 and black is 0'. The cell capacity that can be described in one QR code is from 21 cells x 21 cells to 177 cells x 177 cells, and the maximum amount of data is 7089 characters for numbers, 4296 characters for alphanumerical characters, and 1817 characters for Chinese characters. As mentioned above, most of the cells are black and white squares, but Assistant Professor Ruoti says, 'Actually, there is no color or shape specified.'

The positioning markers are squares on the upper left, upper right, and lower left corners of the QR code, and are used by devices such as smartphone cameras to correctly determine the orientation of the QR code. The blank area is for the computer to recognize the recording range of the QR code normally. The logo is a part for describing company information etc., and it seems that it is OK with or without it.

One of the features of the QR code related to the logo that Assistant Professor Ruoti cites is the 'error correction function'. The error correction function restores the data even if a part of the QR code cannot be read due to damage or stains, and at the highest setting, it is possible to restore the data even if 30% of the whole cannot be read. thing. The QR code is a specification that can be operated without problems even if a part is hidden by the logo by this error correction function.

In addition, in 2019, DENSO WAVE, which was born as a spin-out of the development department of DENSO, is developing a 'new QR code that works even if 50% of the whole cannot be read', and incorporated this new QR code. A demonstration experiment of an automatic platform door opening / closing system is being conducted in 2020.

Platform door open / close control system using new QR code developed by DENSO WAVE starts demonstration experiment at JR Kanayama Station | DENSO WAVE

As mentioned above, QR code is a technology for storing character string information such as URL, and there is essentially no danger. However, just as there is a security issue when clicking the URL provided in the email, there is a security issue in accessing the URL provided in the QR code.

According to Assistant Professor Ruoti, if you access the URL described in the QR code, there is a risk of phishing that imitates a normal site and steals account information. Therefore, even if the QR code contains a familiar company logo, it is the opinion of Assistant Professor Ruoti that the URL should be thoroughly verified before access.

In addition, there was a case that there was a 'vulnerability in which the device was hijacked when reading a malicious QR code' in the QR code scanning application. This vulnerability does not mean that the device is hijacked when the URL described in the malicious QR code is accessed, but the device is hijacked 'the moment the malicious QR code is read', Ruoti said. Please use the QR code reading app / function provided by the device manufacturer. '

in Note, Posted by darkhorse_log