December 10, 2011

QRbot - iPhone QR botnet

Every time that new technology is revealed, lots of security researchers seek for vulnerabilities in it. In my case, I was looking for security holes in the integration between QR readers and smart phones, especially on iPhone.

Few days ago I posted an article in Pentest Magazine about QRbot . This article is related to both social engineering and cyber-crime.

Why social engineering?
Since QR usage is based on interactive actions of mobile users, which might lead to threats on their devices, as explained in detail in the article.

Why cyber-crime?
The actions taken by criminals not only harm the mobile phone/device users, but also may steal sensitive information or aid in launching massive actions using controlled, Zombie-based networks (Botnets), e.g. DDoS – Distributed Denial of Service attacks.

In order to explain the whole process, my article begins from the basics of QR and iPhone Usage. After understanding the basics, I dive into the actions needed to build a QRbot. Finally, avoidance recommendations explained.

In general, QRbot based on the following facts:
1. QR code is unreadable to human eye.
2. 6 of 10 QR readers (that I tested) are vulnerable to automatic URL redirection.
3. There is an option to upload compiled application (IPA) to IIS server.
4. iPhone runs iOS, which is a version of FreeBSD Linux (like Mac OS X).
5. Jailbroken iPhones have root privileges, while non-jailbroken iPhones run applications in a sandbox. Therefore the QRbot is limited to DDoS attacks on non-jailbroken iPhones, but there are no limitations on jailbroken iPhones, e.g. steal all GPS history, emails, contact, backup iPhone etc.

Download the full article on this page:
If you are not familiar with PenTest Magazine, I suggest to check out the teser in the link above.