Topic: QR code malware (Read 228 times)

legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
February 28, 2022, 03:47:09 AM
#18
@jerry0
In your particular example where you need to fill out a form or register somewhere, it's very inconvenient to type in the whole address. Addresses aren't as simple as www. address. com. Look at the address tab of this thread and how many characters you would have to type in to get to this exact location. Your last post is https://bitcointalksearch.org/topic/m.59379305. Have fun typing that in manually in your browser and see how long it takes and if you make mistakes with it. QR codes simplify the process, but the person really has to know the address where the code is taking him to confirm he is in the correct place. The exact address should be present in normal form. 
legendary
Activity: 3430
Merit: 10505
February 28, 2022, 12:26:20 AM
#17
~
QR is just raw data that is encoded in a certain way. It is not an application that runs. The QR reader application on your phone also shouldn't do anything with the data it reads such as automatically opening the link if the QR had encoded a link. If it does then change that application, they should only show you the "translated" result and let you decide what you want to do with it.
full member
Activity: 1708
Merit: 185
February 27, 2022, 08:12:17 PM
#16
So what about this. Let's say you have to fill out your information at a location. Say it's an office and instead of filling out your name and some personal information on paper, they ask you to scan your QR code from your phone there in order to log into the website and fill it out online before they get to see you.

Then when that happens, a website opens up. Then you enter information on it.

In an example like this... you should always be able to manually type the name of that website as opposed to scanning the QR code right to get to that website right? I assume yes because once that website is on your safari browser for example, well you could always enter it again and it should go to the same website?

Is it possible a location intentionally put a QR code that is malicious where even though it goes to the website for you to enter information... that QR code puts some malware/trojan/keylogger to your phone that way? Thus they have you do that to go to their website as opposed to you manually entering the website url? Or is that not possible?

Is it possible for an outsider who has nothing to do with that office or location, to tamper with that QR code somehow and make it malicious for anyone to scan it and it put malware/trojan/keylogger to your phone? Thus an outsider could go to the office and scan it and do something malicious with it... then once they are done... nobody has a clue scanning the QR code is dangerous to your phone?
hero member
Activity: 882
Merit: 5818
not your keys, not your coins!
February 27, 2022, 05:58:25 PM
#15
Are there risks with scanning QR codes to a website if that site is dangerous?  Could malware/keyloggers be put on your phone this way or not?
Websites can infect devices, that's a fact. It doesn't matter if you get to said website through a QR code or through typing it out yourself.

The point in question is whether scanning QR codes is a risk since you're then visiting websites without checking (visually inspecting) the URL first.

Of course, sometimes phishing URLs look 'suspicious' at first sight, but sometimes, if someone needs to visit a website for the first time - as you say, like a restaurant website etc., I think it's easier to fall for a fake website, because you don't yet know what its domain is supposed to look like.
For example, you may think you're being secure by not scanning the QR code, but instead typing it out and the card on the table says: restaurantmcdo.com, so you visit that site since the restaurant is called 'McDonalds' and you're visiting it for the first time. So you have no clue that the real domain is supposed to be called mcdonalds.com and get phished.

In general, if you visit some page for the first time, whether it's via QR code or not, it's easier to get phished than when visiting something that you do know the domain of. For example, if you get a Google support email and a link within it isn't google.com, but g00gle.support.in.com, you know something's fishy.
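Added example (not part of the thread): a sketch of the behaviour post #17 asks of a QR reader, where the decoded text is only displayed and the user decides, combined with the domain check discussed in post #15. The function name, the warning wording and the digit-substitution table are assumptions made for this illustration, and decoding the QR image into text is assumed to have happened already.

```python
import ipaddress
from urllib.parse import urlsplit

# Digit-for-letter swaps like the thread's "g00gle" (illustrative, not exhaustive).
LOOKALIKE = str.maketrans("0135", "oles")


def inspect_qr_payload(payload, expected_domain=None):
    """Describe decoded QR text for the user. It never opens anything itself."""
    text = payload.strip()
    report = {"text": text, "kind": "text", "host": None, "warnings": []}
    try:
        parts = urlsplit(text)
    except ValueError:                      # malformed URL: show it as raw text
        return report
    if not parts.scheme or not parts.netloc:
        return report                       # plain data (address, note): display only
    host = (parts.hostname or "").lower().rstrip(".")
    labels = host.split(".")
    report.update(kind="url", host=host)
    warn = report["warnings"].append
    if parts.scheme.lower() != "https":
        warn("scheme is %r, not https" % parts.scheme)
    if parts.username is not None:
        warn("the part before '@' is not the site; the real host is " + host)
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        warn("internationalized host name; it may imitate another domain")
    try:
        ipaddress.ip_address(host)
        warn("host is a raw IP address, not a domain name")
    except ValueError:
        pass
    if expected_domain:
        expected = expected_domain.lower()
        if host != expected and not host.endswith("." + expected):
            warn("host is not %s or a subdomain of it" % expected)
            brand = expected.split(".")[0]
            if any(l != brand and l.translate(LOOKALIKE) == brand for l in labels):
                warn("a label imitates %r using digit substitutions" % brand)
    return report


if __name__ == "__main__":
    # Constructed sample payloads, using the domains quoted in the thread.
    samples = [
        ("https://g00gle.support.in.com/help", "google.com"),
        ("https://restaurantmcdo.com/menu", None),   # real domain unknown to the user
        ("https://bitcointalksearch.org/topic/m.59379305", "bitcointalksearch.org"),
    ]
    for payload, expected in samples:
        result = inspect_qr_payload(payload, expected)
        print(result["host"], result["warnings"] or "no warnings")
```

The second sample produces no warnings, which matches the point in post #15: inspecting the URL only helps when the user already knows which domain is the right one.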
full member
Activity: 1708
Merit: 185
February 27, 2022, 03:56:13 PM
#14
What about when you are outside and you need to scan a QR code to visit a site at a store or something? Imagine going to a place and you need to fill out a form and they say okay scan the QR code here to fill out your information. Thus it leads you to a website.

Couldn't you still go directly to the website yourself by manually typing in the address on your phone?

Are there risks with scanning QR codes to a website if that site is dangerous? Could malware/keyloggers be put on your phone this way or not?
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
February 27, 2022, 03:41:37 AM
#13
I reckon there are USB cables that only allow charging if that even is a thing.  Pretty confident I had at least a few at home before.  Do these work with Hardware Wallets at all or should the USB cable also support data transfer for the Hardware Wallet to function properly?
The USB cables need data transfer pins as well. The ones that are suitable for charging only won't be able to establish a connection with the software on the PC where you connected the hardware wallet to. The device needs to communicate with the software, sign the transaction with the corresponding keys, you also have to approve the transaction by pressing the button on your device. None of that can be done with just a charging cable.     
hero member
Activity: 756
Merit: 1723
Crypto Swap Exchange
February 26, 2022, 09:00:50 PM
#12
I use a webcam with QR codes on Electrum to avoid connecting any external device to my airgapped cold storage.  I think chances of getting malware from connecting external devices are so much higher than getting malware from QR codes.

So far I didn't see a single real example of malware being transferred with QR codes, but it is possible to share phishing links that could lead to malware installation.
If you don't automatically open a page when scanning a QR code then you don't have anything to worry about, but always double check and confirm the content.
If that becomes a worry, maybe interrupt the Internet connection before scanning a QR code?  In case a link pops up, it never even has the chance to load and you are saved from dangerous websites.

Hardware wallets are different in the way that you can't import or export data to and from them. That's the theory at least.
I reckon there are USB cables that only allow charging if that even is a thing.  Pretty confident I had at least a few at home before.  Do these work with Hardware Wallets at all or should the USB cable also support data transfer for the Hardware Wallet to function properly?  I remember I did boot my HW's using these charging only cables before but I can not remember whether I ever tried to make a transaction this way.

-
Regards,
PrivacyG
legendary
Activity: 2212
Merit: 7064
Cashback 15%
February 26, 2022, 03:26:26 PM
#11
So far I didn't see a single real example of malware being transferred with QR codes, but it is possible to share phishing links that could lead to malware installation.
If you don't automatically open a page when scanning a QR code then you don't have anything to worry about, but always double check and confirm the content.
What I don't like about QR codes is that the same address will have a different look in the generated QR code so you can't verify visually that the code is identical, but maybe this is not as bad as I think.
hero member
Activity: 882
Merit: 5818
not your keys, not your coins!
February 26, 2022, 06:42:35 AM
#10
I have personally never heard of an attack where someone got his coins stolen or seed exposed by connecting his HW to a computer. Hardware wallets are even marketed as being secure against such types of attack. Even if you had a malware-infected PC and you connect your HW to it, the private keys have to remain safely on the device.   
USB exploits are pretty powerful and also pretty expensive. It's understandable: they allow governments (who have them developed or buy them), to plug in users' phones at the border control and get full access to the device, for example.
Due to the high utility of these exploits and ease to build 0-click code execution attacks on them, they are highly sought after. Anyone finding those (in HW wallets or otherwise), will probably sell them for high 6 figures at least, rather than making a funny YT video out of it (referring to Kingpin Trezor video).

So my point is, USB exploits do exist, probably also in hardware wallets. That's why I like airgapped wallets so much.

They might not be used to steal funds unless you store large amounts on one device though; since once used, the users will go investigate what happened.
Another use case for 0-click USB attacks on hardware wallets could be, as suggested above, that authorities may want to check out (maybe export xpub?) from a wallet to get an in-depth look about the person and track their payments during (and maybe after) their stay.
legendary
Activity: 3430
Merit: 10505
February 26, 2022, 04:52:09 AM
#9
What I am thinking is that the USB connections in hardware wallets are not the same as the ones connected to other devices like phones, I mean in the way malware is able to penetrate. Is there any hardware wallet heard of before that was infected through a USB connection, which made the seed phrase known? The attack I have been hearing of is still this clipboard attack. A Trezor that is connected to a computer using a USB stick, is it possible for the Trezor to be infected, aside from the clipboard malware attack?
It doesn't necessarily have to be malware infecting the hardware wallet device, there are other ways that could lead to users losing their funds. We have seen many vulnerabilities in the past that have led to or had the risk to lead to losses. If you search on the internet you will find various cases of such vulnerabilities that were found, fixed and were made public. Like this: https://www.wired.com/story/cryptocurrency-hardware-wallets-can-get-hacked-too/
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
February 26, 2022, 04:39:40 AM
#8
What I am thinking is that the USB connections in hardware wallets are not the same as the ones connected to other devices like phones, I mean in the way malware is able to penetrate. Is there any hardware wallet heard of before that was infected through a USB connection, which made the seed phrase known?
When you connect your phone or a standard USB stick to a USB port, it communicates directly with your computer. You can copy data to and from it. Hardware wallets are different in the way that you can't import or export data to and from them. That's the theory at least. But since there is a physical connection through a cable, it could be exploited. I have personally never heard of an attack where someone got his coins stolen or seed exposed by connecting his HW to a computer. Hardware wallets are even marketed as being secure against such types of attack. Even if you had a malware-infected PC and you connect your HW to it, the private keys have to remain safely on the device.   
hero member
Activity: 868
Merit: 1094
February 26, 2022, 04:22:51 AM
#7
By using QR codes in this scenario you eliminate the chance of the same malware going to your cold storage too. And to eliminate this other risk you explain here, all the user has to do is to double check the transaction they are signing for example by reading the first and last couple of digits of the address.

Many technologies are considered safe until they suddenly aren't because some security expert somewhere discovered a vulnerability.

What I am thinking is that the USB connections in hardware wallets are not the same as the ones connected to other devices like phones, I mean in the way malware is able to penetrate. Is there any hardware wallet heard of before that was infected through a USB connection, which made the seed phrase known? The attack I have been hearing of is still this clipboard attack. A Trezor that is connected to a computer using a USB stick, is it possible for the Trezor to be infected, aside from the clipboard malware attack?
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
February 26, 2022, 04:06:51 AM
#6
I want to use this means to know if an unsigned transaction transferred through QR code is completely safe.
Completely 100% safe with no chance of anything going wrong? No! But QR codes are safer than connecting a device through a USB port. They are safer than using NFC chips or Bluetooth. Many technologies are considered safe until they suddenly aren't because some security expert somewhere discovered a vulnerability.   
legendary
Activity: 3430
Merit: 10505
February 25, 2022, 11:57:02 PM
#5
The point is to be safer not safe. You are never safe but you can improve your security.

What QR codes do is that they eliminate the need to physically attach the other device, which could be an air gap one, and risk contaminating that secondary device. For example you could have an air-gap wallet on an air-gap PC and create the unsigned transaction on your phone and just show the QR to that PC's webcam without connecting the phone to it using a cable.

This is my first instance, assuming the wallet you use to generate unsigned transaction is infected with clipboard malware, you copy the address you are sending bitcoin to and paste it on your wallet to generate an unsigned transaction. What I think is that the clipboard malware can paste a hacker's address instead of the one copied. The QR code will contain the address of the hacker. If signed on a safe hardware wallet, bitcoin will be transferred to a wrong address.
By using QR codes in this scenario you eliminate the chance of the same malware going to your cold storage too. And to eliminate this other risk you explain here, all the user has to do is to double check the transaction they are signing for example by reading the first and last couple of digits of the address.
hero member
Activity: 882
Merit: 5818
not your keys, not your coins!
February 25, 2022, 02:02:20 PM
#4
This is my first instance, assuming the wallet you use to generate unsigned transaction is infected with clipboard malware, you copy the address you are sending bitcoin to and paste it on your wallet to generate an unsigned transaction.
Obviously, you're talking about an attack not on the QR code, but on the clipboard. If you paste a wrong address into your client, you will get a bad PSBT, no matter if it's then transferred to the hardware wallet through the USB protocol, through an SD card or as a QR code.
No means of transport can make sure the transaction you are transmitting over it, is indeed good.

The only real way to make sure you're signing a transaction going to the intended receiver, is checking on the hardware wallet's screen. The wallet (no matter if it uses QR codes or another communication method) will display what it is about to sign, before you confirm it.

The first instance goes to a cold wallet but the second one I will talk about will go for infected wallet which will be an online wallet. Assuming the person generated an uninfected QR code containing the receiver's address, which means the wallet used for generating unsigned transaction is not infected.
If you sign a transaction that sends funds to a certain Bitcoin address, they will arrive at that address. No matter if it is compromised or not. However, if the receiver's wallet is compromised (leaked seed words, bug in the software etc.), an attacker could immediately send any funds arriving in this wallet, to themselves. Again, this is entirely out of the scope of the communication protocol used, whether it is USB, QR, SD, NFC, BT.
hero member
Activity: 868
Merit: 1094
February 25, 2022, 08:00:29 AM
#3
A QR code is nice. But without having the address shown too I have always thought it's pointless.
This will be pointless if the address is not shown along the QR code, I will advise people not to use any wallet that will not show both the QR code and address. But all the wallets I have used show both or show only address.
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
February 25, 2022, 07:41:03 AM
#2
A QR code is nice. But without having the address shown too I have always thought it's pointless.
If I say send coins here and just give you a QR code then you have no way of knowing if the code I generated is correct, or if the site displaying it is not altering it in some way, or if there is any malware on the device that is changing what is being passed to the app.

In general they are secure, but more and more you are not getting any other information with them, so at that point they are still secure but you have no way of knowing.....

-Dave
hero member
Activity: 868
Merit: 1094
February 25, 2022, 07:36:02 AM
#1
There are different ways a bitcoin transaction can be signed, it can be through USB code or QR code, some wallets support the first or the second. Out of all, the safest among them is QR code but I would like people to convince me if it is true. I want to use this means to know if an unsigned transaction transferred through QR code is completely safe.

This is my first instance, assuming the wallet you use to generate unsigned transaction is infected with clipboard malware, you copy the address you are sending bitcoin to and paste it on your wallet to generate an unsigned transaction. What I think is that the clipboard malware can paste a hacker's address instead of the one copied. The QR code will contain the address of the hacker. If signed on a safe hardware wallet, bitcoin will be transferred to a wrong address.

The first instance goes to a cold wallet but the second one I will talk about will go for infected wallet which will be an online wallet. Assuming the person generated an uninfected QR code containing the receiver's address, which means the wallet used for generating unsigned transaction is not infected. If the wallet used to sign the transaction is infected with clipboard malware, can it change the address to a hacker's address before signing?