QR Code threat!

More and more advertisement posters in public spaces are featuring QR codes to bridge the physical world with the digital one. This poses a great threat to our mobile devices. I’ve always been skeptical about Bluetooth or WiFi attacks on mobile devices, but this time QR codes are different.

Imagine that someone has put a sticker with a fake QR code over the official QR code on the poster, or that someone changes the QR code during the printing process.

This new QR code points to a website which enables the user to download an application. This application has the same name as the official one on the poster but needs you to untick the “install application from known source” setting. After all, the application is free and comes from a reputable company paying thousands of € to advertise in the streets. So the user goes ahead and installs the app.

The user gets the company splash screen, then a message like “not available at the moment” or “retrieving data, please wait.” But the app is not retrieving any data from the network; it is pushing your whole address book and personal data to thieves.

A few days later the user discovers that their social network accounts have been hacked or, worse, that some of their payment details have been stolen.

This is not a science fiction scenario and it can be easily implemented. So think twice before installing an application pushed through a QR code. Mobile security software vendors have golden days ahead.
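One way to vet the URL a QR decoder returns before opening it, written as an added example that is not part of the original post. The brand domain brand.example, the function name vet_qr_url and the sample payloads are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumptions: brand.example stands in for the advertiser's real domain.
OFFICIAL_HOSTS = {"brand.example"}
STORE_HOSTS = {"play.google.com", "apps.apple.com"}
PACKAGE_SUFFIXES = (".apk", ".xapk", ".ipa")


def vet_qr_url(payload: str) -> list[str]:
    """Return the reasons a decoded QR payload deserves suspicion (empty = none)."""
    findings = []
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        findings.append(f"scheme is '{parts.scheme or 'missing'}', not https")
    if parts.username or parts.password:
        # https://play.google.com@other.host/ really goes to other.host
        findings.append("userinfo before '@' disguises the real host")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode host can imitate the brand name")
    trusted = host in STORE_HOSTS or any(
        host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)
    if not trusted:
        findings.append(f"host '{host or 'none'}' is neither the brand nor an app store")
    if parts.path.lower().endswith(PACKAGE_SUFFIXES):
        findings.append("direct package download that needs sideloading")
    return findings


# Constructed sample payloads, as a QR decoder would return them.
SAMPLES = [
    "https://play.google.com/store/apps/details?id=example.brand.app",
    "https://www.brand.example/app",
    "http://brand.example.app-download.test/BrandApp.apk",
    "https://play.google.com@203.0.113.7/BrandApp.apk",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", vet_qr_url(url) or "no findings")
```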

Mobile threats

Do you remember those spy movies where the hero smashes any mobile to avoid being located by the bad guys? And the News of the World phone hacking scandal?

And those journalists in Homs, shelled by the Syrian army after being located through their satellite phone?

As we all carry a mobile phone in our pocket, whether a very simple feature phone or the most advanced smartphone, we need to understand the risk of being spied on or hacked. I was once advised to change phones and use a prepaid SIM card when travelling in China for business.

For all these questions, I recommend taking a close look at the SaferMobile website, which gives some very good advice if you are in an insecure location and/or doing risky work, such as human rights activism or journalism.

Here is a video about Geolocation on your Mobile Network

I’ve long been skeptical about mobile security, but as the mobile is truly a pervasive technology today, even the bad guys have learnt to use it. Now you’re warned.

Mobile banking – still a lot to do

Bankers have always been the first to use new technologies. Mobile technologies and the new app ecosystem are no different. Banks are investing a lot in Mobile Banking, allowing their customers to manage their bank accounts remotely from their preferred smartphone.

In Europe, Visa provides a safe way to shop on the internet. You get a One Time Password by SMS on your registered mobile number to confirm your internet purchase.

HSBC gives its customers a Secure Key to secure access to their Internet Banking account. HSBC customers now need to carry this nice calculator-looking device in their pockets. They enter their PIN and get a One Time Password to access the HSBC internet website.

What if this device were integrated securely into a SIM card? You launch the application, enter your PIN and get the OTP. It would replace both the SMS used to secure your internet purchases and this piece of electronics.

This would just require some bank & telco cooperation.
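The PIN-then-OTP flow described above, sketched as an added example that is not HSBC's, Visa's or any operator's code. It assumes the counter-based HOTP algorithm of RFC 4226, which the post does not say the Secure Key uses; SimToken and BankVerifier are hypothetical names.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SimToken:
    """Hypothetical SIM applet: secret and counter never leave it."""
    MAX_TRIES = 3

    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin = secret, pin
        self._counter, self._tries = 0, self.MAX_TRIES

    def otp(self, pin: str) -> str:
        if self._tries == 0:
            raise PermissionError("token blocked after repeated wrong PINs")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries -= 1
            raise PermissionError("wrong PIN")
        self._tries = self.MAX_TRIES
        code = hotp(self._secret, self._counter)
        self._counter += 1          # every displayed code consumes a counter value
        return code


class BankVerifier:
    """Hypothetical bank side: shares the secret, tracks the next valid counter."""
    WINDOW = 5                      # tolerate codes generated but never submitted

    def __init__(self, secret: bytes):
        self._secret, self._counter = secret, 0

    def verify(self, code: str) -> bool:
        for c in range(self._counter, self._counter + self.WINDOW):
            if hmac.compare_digest(hotp(self._secret, c).encode(), code.encode()):
                self._counter = c + 1   # this code and all earlier ones are dead
                return True
        return False
```

Unlike an SMS code, nothing travels over the mobile network here: the code is computed locally and the verifier rejects any code that is replayed or older than one it has already accepted.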

Corporate WiFi is back

WiFi in the enterprise is back. It has long been considered a convenience, more comfortable than an Ethernet link. If the WiFi network doesn’t work where you want to connect, just go a few steps away or plug in that damn RJ45. So nobody was really in charge, and nobody complained about this comfort feature.

This is changing dramatically with the appearance of tablets within enterprises. Tablets usually don’t have an RJ45 port; the only ways to connect them are through a 3G network or WiFi.

Connecting a tablet on the company campus with 3G will prove a waste of money, as mobile operators price their data dearly. The only reasonable way to connect a tablet is with WiFi. But what CIOs will realize very soon is that their WiFi networks are poor in terms of both security and coverage.

WiFi networks are usually protected by a WEP key, which software like aircrack-ng can break in less than 15 minutes. IT Departments will have to rethink their security so their WiFi networks aren’t the weakest link. (You’re out!)

The other hard discovery for IT Departments will be coverage quality. They have usually taken a map of the site, drawn a few circles and positioned the WiFi Access Points at the center of the circles. Hence the Quality of Service of their network is poor, as it doesn’t take into account any interference coming from outside or from the building structures. CIOs will have to rethink their WiFi networks in terms of usage, application, device and Quality of Service.

The wakeup call might come from the CEO’s office, where the unboxed new tablet won’t be able to connect.