Author

Topic: QR code malware (Read 243 times)

legendary
Activity: 2730
Merit: 7065
February 28, 2022, 02:47:09 AM
#18
@jerry0
In your particular example where you need to fill out a form or register somewhere, it's very inconvenient to type in the whole address. Addresses aren't as simple as www. address. com. Look at the address tab of this thread and how many characters you would have to type in to get to this exact location. Your last post is https://bitcointalksearch.org/topic/m.59379305. Have fun typing that in manually in your browser and see how long it takes and if you make mistakes with it. QR codes simplify the process, but the person really has to know the address where the code is taking him to confirm he is in the correct place. The exact address should be present in normal form. 
legendary
Activity: 3472
Merit: 10611
February 27, 2022, 11:26:20 PM
#17
~
QR is just raw data that is encoded in a certain way. It is not an application that runs. The QR reader application on your phone also shouldn't do anything with the data it reads such as automatically opening the link if the QR had encoded a link. If it does then change that application, they should only show you the "translated" result and let you decide what you want to do with it.
full member
Activity: 1750
Merit: 186
February 27, 2022, 07:12:17 PM
#16
So what about this.  Let say you have to fill out your information at a location.  Say it's an office and instead of filling out your name and some personal information on paper, they ask you to scan your QR code from your phone there in order to log into the website and fill it out online before they get to see you.


Then when that happens, a website opens up.  Then you enter information on it.



In an example like this... you should always be able to manually type the name of that website as oppose to scanning the QR code right to get to that website right?  I assume yes because once that website is on your safari browser for example, well you could always enter it again and it should go to the same website?


Is it possible a location intentionally put a QR code that is malicious where even though it goes to the website for you to enter information... that QR code puts some malware/trojan/keylogger to your phone that way?  Thus they have you do that to go to their website as oppose to you manually entering the website url?  Or is that not possible?


Is it possible for an outsider who has nothing to do with that office or location, to tamper with that QR code somehow and make it malicious for anyone to scan it and it put malware/trojan/keylogger to your phone?  Thus an outside could go to the office and scan it and do something malicious with it... then once they are done... nobody has a clue scanning the QR code is dangerous to your phone? 
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
February 27, 2022, 04:58:25 PM
#15
Are there risks with scanning QR codes to a website if that site is dangerous?  Could malware/keyloggers be put on your phone this way or not?
Websites can infect devices, that's a fact. It doesn't matter if you get to said website through a QR code or through typing it out yourself.

The point in question is whether scanning QR codes is a risk since you're then visiting websites without checking (visually inspecting) the URL first.

Of course, sometimes phishing URLs look 'suspicious' at first sight, but sometimes, if someone needs to visit a website for the first time - as you say, like a restaurant website etc., I think it's easier to fall for a fake website, because you don't yet know what its domain is supposed to look like.
For example, you may think you're being secure by not scanning the QR code, but instead typing it out and the card on the table says: restaurantmcdo.com, so you visit that site since the restaurant is called 'McDonalds' and you're visiting it for the first time. So you have no clue that the real domain is supposed to be called mcdonalds.com and get phished.

In general, if you visit some page for the first time, whether it's via QR code or not, it's easier to get phished than when visiting something that you do know the domain of. For example, if you get a Google support email and a link within it isn't google.com, but g00gle.support.in.com, you know something's fishy.
full member
Activity: 1750
Merit: 186
February 27, 2022, 02:56:13 PM
#14
What about when you are outside and you need to scan a QR code to visit a site at a store or something?   Imagine going to a place and you need to fill out a forum and they say okay scan the QR code here to fill out your information.  Thus it leads to you to a website.


Couldn't you still go directly to the website yourself by manually typing in the address on your phone?



Are there risks with scanning QR codes to a website if that site is dangerous?  Could malware/keyloggers be put on your phone this way or not?


legendary
Activity: 2730
Merit: 7065
February 27, 2022, 02:41:37 AM
#13
I reckon there are USB cables that only allow charging if that even is a thing.  Pretty confident I had at least a few at home before.  Do these work with Hardware Wallets at all or should the USB cable also support data transfer for the Hardware Wallet to function properly?
The USB cables need data transfer pins as well. The ones that are suitable for charging only won't be able to establish a connection with the software on the PC where you connected the hardware wallet to. The device needs to communicate with the software, sign the transaction with the corresponding keys, you also have to approve the transaction by pressing the button on your device. None of that can be done with just a charging cable.     
hero member
Activity: 882
Merit: 1873
Crypto Swap Exchange
February 26, 2022, 08:00:50 PM
#12
I use a webcam with QR codes on Electrum to avoid connecing any external device to my airgapped cold storage.  I think chances of getting malware from connecting external devices are so much higher than getting malware from QR codes.

So far I didn't saw a single real example of malware being transferred with QR codes, but it is possible to share phishing links that could lead to malware installation.
If you don't automatically open a page when scanning QR code than you don't have anything to worry about, but always double check and confirm the content.
If that becomes a worry, maybe interrupt the Internet connection before scanning a QR code?  In case a link pops up, it never even has the chance to load and you are saved from dangerous websites.

Hardware wallets are different in the way that you can't import or export data to and from them. That's the theory at least.
I reckon there are USB cables that only allow charging if that even is a thing.  Pretty confident I had at least a few at home before.  Do these work with Hardware Wallets at all or should the USB cable also support data transfer for the Hardware Wallet to function properly?  I remember I did boot my HW's using these charging only cables before but I can not remember whether I ever tried to make a transaction this way.

-
Regards,
PrivacyG
legendary
Activity: 2212
Merit: 7064
February 26, 2022, 02:26:26 PM
#11
So far I didn't saw a single real example of malware being transferred with QR codes, but it is possible to share phishing links that could lead to malware installation.
If you don't automatically open a page when scanning QR code than you don't have anything to worry about, but always double check and confirm the content.
What I don't like about QR codes is that same address will have different look in generated QR code so you can't verify that code is identical visually, but maybe this is not as bad as I think.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
February 26, 2022, 05:42:35 AM
#10
I have personally never heard of an attack where someone got his coins stolen or seed exposed by connecting his HW to a computer. Hardware wallets are even marketed as being secure against such types of attack. Even if you had a malware-infected PC and you connect your HW to it, the private keys have to remain safely on the device.   
USB exploits are pretty powerful and also pretty expensive. It's understandable: they allow governments (who have them developed or buy them), to plug in users' phones at the border control and get full access to the device, for example.
Due to the high utility of these exploits and ease to build 0-click code execution attacks on them, they are highly sought after. Anyone finding those (in HW wallets or otherwise), will probably sell them for high 6 figures at least, rather than making a funny YT video out of it (referring to Kingping Trezor video).

So my point is, USB exploits do exist, probably also in hardware wallets. That's why I like airgapped wallets so much.

They might not be used to steal funds unless you store large amounts on one device though; since once used, the users will go investigate what happened.
Another use case for 0-click USB attacks on hardware wallets could be, as suggested above, that authorities may want to check out (maybe export xpub?) from a wallet to get an in-depth look about the person and track their payments during (and maybe after) their stay.
legendary
Activity: 3472
Merit: 10611
February 26, 2022, 03:52:09 AM
#9
What I am thinking was that the USB connection in hardware wallet are not the same like the ones connected to other devices like phones, I mean the way malware can be able to penetrate. Is there any hardware wallet heard of before that was infected through USB connection which makes the seed phrase to be known, the attack I have been hearing is still this clipboard attack. Trezor that is connected to computer using USB stick, is it possible for the Trezor to be infected? Aside the clipboard malware attack.
It doesn't necessarily have to be a malware infecting the hardware wallet device, there are other ways that could lead to user losing their funds. We have seen many vulnerabilities in the past that have led to or had the risk to lead to losses. If you search on the internet you will find various cases of such vulnerabilities that were found, fixed and were made public. Like this: https://www.wired.com/story/cryptocurrency-hardware-wallets-can-get-hacked-too/
legendary
Activity: 2730
Merit: 7065
February 26, 2022, 03:39:40 AM
#8
What I am thinking was that the USB connection in hardware wallet are not the same like the ones connected to other devices like phones, I mean the way malware can be able to penetrate. Is there any hardware wallet heard of before that was infected through USB connection which makes the seed phrase to be known?
When you connect your phone or a standard USB stick to a USB port, it communicates directly with your computer. You can copy data to and from it. Hardware wallets are different in the way that you can't import or export data to and from them. That's the theory at least. But since there is a physical connection through a cable, it could be exploited. I have personally never heard of an attack where someone got his coins stolen or seed exposed by connecting his HW to a computer. Hardware wallets are even marketed as being secure against such types of attack. Even if you had a malware-infected PC and you connect your HW to it, the private keys have to remain safely on the device.   
legendary
Activity: 1064
Merit: 1298
Lightning network is good with small amount of BTC
February 26, 2022, 03:22:51 AM
#7
By using QR codes in this scenario you eliminate the chance of the same malware going to your cold storage too. And to eliminate this other risk you explain here, all user has to do is to double check the transaction they are signing for example by reading the first and last couple of digits of the address.

Many technologies are considered safe until they suddenly aren't because some security expert somewhere discovered a vulnerability.

What I am thinking was that the USB connection in hardware wallet are not the same like the ones connected to other devices like phones, I mean the way malware can be able to penetrate. Is there any hardware wallet heard of before that was infected through USB connection which makes the seed phrase to be known, the attack I have been hearing is still this clipboard attack. Trezor that is connected to computer using USB stick, is it possible for the Trezor to be infected? Aside the clipboard malware attack.
legendary
Activity: 2730
Merit: 7065
February 26, 2022, 03:06:51 AM
#6
I want to use this means to know if an unsigned transaction transferred through QR code is completely safe.
Completely 100% safe with no chance of anything going wrong? No! But QR codes are safer than connecting a device through a USB port. They are safer than using NFC chips or Bluetooth. Many technologies are considered safe until they suddenly aren't because some security expert somewhere discovered a vulnerability.   
legendary
Activity: 3472
Merit: 10611
February 25, 2022, 10:57:02 PM
#5
The point is to be safer not  safe. You are never safe but you can improve your security.

What QR codes do is that they eliminate the need to physically attach the other device, which could be an air gap one, and risk contaminating that secondary device. For example you could have an air-gap wallet on an air-gap PC and create the unsigned transaction on your phone and just show the QR to that PC's webcam without connecting the phone to it using a cable.

This is my first instance, assuming the wallet you use to generate unsigned transaction is infected with clipboard malware, you copy the address you are sending bitcoin to and paste it on your wallet to generate an unsigned transaction. What I think is that the clipboard malware can paste a hacker's address instead of the one copied. The QR code will contain the address of the hacker. If signed on a safe hardware wallet, bitcoin will be transferred to a wrong address.
By using QR codes in this scenario you eliminate the chance of the same malware going to your cold storage too. And to eliminate this other risk you explain here, all user has to do is to double check the transaction they are signing for example by reading the first and last couple of digits of the address.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
February 25, 2022, 01:02:20 PM
#4
This is my first instance, assuming the wallet you use to generate unsigned transaction is infected with clipboard malware, you copy the address you are sending bitcoin to and paste it on your wallet to generate an unsigned transaction.
Obviously, you're talking about an attack not on the QR code, but on the clipboard. If you paste a wrong address into your client, you will get a bad PSBT, no matter if it's then transferred to the hardware wallet through the USB protocol, through an SD card or as a QR code.
No means of transport can make sure the transaction you are transmitting over it, is indeed good.

The only real way to make sure you're signing a transaction going to the intended receiver, is checking on the hardware wallet's screen. The wallet (no matter if it uses QR codes or another communication method) will display what it is about to sign, before you confirm it.

The first instance goes to a cold wallet but the second one I will talk about will go for infected wallet which will be an online wallet. Assuming the person generated an uninfected QR code containing the receiver's address, which means the wallet used for generating unsigned transaction is not infected.
If you sign a transaction that sends funds to a certain Bitcoin address, they will arrive at that address. No matter if it is compromised or not. However, if the receiver's wallet is compromised (leaked seed words, bug in the software etc.), an attacker could immediately send any funds arriving in this wallet, to themselves. Again, this is entirely out of the scope of the communication protocol used, whether it is USB, QR, SD, NFC, BT.
legendary
Activity: 1064
Merit: 1298
Lightning network is good with small amount of BTC
February 25, 2022, 07:00:29 AM
#3
A QR code is nice. But without having the address shown too I have always thought it's pointless.
This will be pointless if the address is not shown along the QR code, I will advise people not to use any wallet that will not show both the QR code and address. But all the wallets I have used show both or show only address.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
February 25, 2022, 06:41:03 AM
#2
A QR code is nice. But without having the address shown too I have always thought it's pointless.
If I say send coins here and just give you a QR code then you have no way of knowing if the code I generated is correct, or if the site displaying it is not altering it in some way, or if there is any malware on the device that is changing what is being passed to the app.

In general they are secure, but more and more you are not getting any other information with them, so at that point they are still secure but you have no way of knowing.....

-Dave
legendary
Activity: 1064
Merit: 1298
Lightning network is good with small amount of BTC
February 25, 2022, 06:36:02 AM
#1
There are different ways bitcoin transaction can be signed, it can be through USB code or QR code, some wallets support the first or the second. Out of all, the safest among is QR code but I will like people to convince me if it is true. I want to use this means to know if an unsigned transaction transferred through QR code is completely safe.

This is my first instance, assuming the wallet you use to generate unsigned transaction is infected with clipboard malware, you copy the address you are sending bitcoin to and paste it on your wallet to generate an unsigned transaction. What I think is that the clipboard malware can paste a hacker's address instead of the one copied. The QR code will contain the address of the hacker. If signed on a safe hardware wallet, bitcoin will be transferred to a wrong address.

The first instance goes to a cold wallet but the second one I will talk about will go for infected wallet which will be an online wallet. Assuming the person generated an uninfected QR code containing the receiver's address, which means the wallet used for generating unsigned transaction is not infected. If the wallet to signed the transaction is infected with clipboard malware, can it change the address to a hacker's address before signing?
Jump to: