Topic: QR codes vs NFC in Bitcoin Wallets - page 2. (Read 854 times)

That's honestly great advice; also a thought on sandboxing: maybe QR codes are less risky than assumed, taking in consideration that you usually don't scan those with an (unsandboxed) desktop OS. Since probably all mobile OSes today are reasonably sandboxed, the risk of system takeover through visiting a webpage should be minimized compared to visiting an unknown webpage on a laptop / desktop PC.

I agree with the 'separate browser' idea, since malicious websites can for example steal your other website's cookies and stuff like this.

There are two things you can do on your phone when scanning QR codes (other than just not scanning them at all) to protect yourself from these kinds of attack. The first is set it up so when you a scan a QR code, rather than it immediately visiting a website or whatever, it decodes the QR code and shows you the plain text decoding. You can then examine the URL manually to see if it is pointing to where you think it should be pointing or if it looks malicious. Secondly, if you do visit the website then open it a completely separate browser to your usual browser(s), preferably one which is sandboxed so to prevent any malware from escaping in to your device.

This is an interesting topic that I recently thought about a lot, when experiencing a small 'outrage' on Twitter lately, after a Coinbase ad which was shown during Superbowl that just contains a QR code. Infosec Twitter went crazy about how huge of an attack vector this is (people just scanning random QR codes), while on the other hand voices came up in the community, suggesting people should be able to scan random QR codes without being hacked.

It's an interesting discussion and I have no definitive opinion on this; it's clear that opposed to URLs which you can read out before visiting, QR codes do hide it, on the other hand that's what they're meant to do. The parser & OS should be secured against attacks on the QR parser as well as protected against any type of 0-click attack that is triggered by simply visiting a website.

I do believe the worst thing happening when opening a random QR code should be landing on a phishing site (something the OS can't / shouldn't control); against everything else, there should be mechanisms in place. If they don't work, the whole field of web security as well as cookie protections and OS sandboxing has kinda failed, to be honest.

From pure stats / numbers this looks a lot better to me! Thanks for digging up another open source alternative.

I think it's fair to say that QR code has exploded in the past couple of years due to the COVID virus. Nowadays whenever I go to a restaurant I'm given a little piece of paper (or most of the time it's printed to the table) with a QR code that allows me to see the menu in the restaurant website (thus avoiding sharing menus with other clients). While it's a good idea to reduce "attack vectors" (the menu themselves), I often wonder that it would be very easy for a malicious agent to get a hold of a couple of tables and just stick his/her malicious QR code on top of those stickers and most probably people will never notice the switch. In fact, the FBI had already warned about such issue about one month ago[1]:
What about Zinct*[3]? It's also free, open sourced and has been updated fairly often according to their activity on the SourceForge page[4]. A quick definition for it can be found on GitHub page[5]:
*Thank you dkbit98!

---

[1]https://www.ic3.gov/Media/Y2022/PSA220118
[2]https://www.axios.com/qr-code-safety-coinbase-4b7f97d0-940c-45f4-9366-bf5d7f2f3c8f.html
[3]https://www.zint.org.uk/
[4]https://sourceforge.net/projects/zint/
[5]https://github.com/zint/zint

I am not trusting QRworkshop or any other software that has open source label and I know it wasn't updated for a long time, I just posted it as only option I know for windows os.
Don't trust me and my words but go and check last github releasel of this program from 2014, or find something better for windows.
Electrum wallet is fine but we all remember phishing attacks they had with update notifications, so scammers could make something similar with QR codes again.

I found one article talking about history of NFC technology that was first created back in 2003 by Philips and Sony, and promoted by both of them and Nokia in 2004 (something I didn't know).
Today we have several manufacturers who are making NFC chips, and we know some of them are also making secure elements used in hardware wallets, or in mobile devices:

- NXP Semiconductors
- STMicroelectronics
- Infineon Technologies
- Samsung
- Texas Instruments
- Marvell Technology
- Broadcom
- Qualcomm
- MediaTek
- Intel
- Sony
- Ams
- Renesas
- MStar Semi

That's a pretty good way to put it, honestly. Most people still believe NFC is some magical thing transferring data by touching two devices, as if the bytes were flowing through the devices' plastic casings or something.
It's 13.56 MHz radio waves, while WiFi is 2.4GHz.. WiFi also has different modulation scheme etc., but that's beside the point.

If you have this level of confidence in your devices' integrity, then you might just as well use a cable though.

I'm 99% sure it's a raw PSBT in cleartext, but I will verify and DM or @ you.

Please stay vigilant about the 'open source = secure' fallacy. Especially that QRworkshop which has been abandoned almost a decade ago; I wouldn't trust that over what's built into Electrum without thoroughly reading all the code myself (which I have little to no time for).

I didn't know about this experimental feature, but I am not interested in using any of their closed source windows junkware that nobody can verify, and QR workshop is portable open source software so there is no need for any installation.
Electrum can be used only for generating bitcoin addresses, and QR workshop can be used for generating QR codes with anything, including website links, addresses, etc.
Even better option is switching to Linux OS and using CoBang.

CoBang is probably the best option we have for Linux os right now.
I know there are some online websites doing similar thing but this can't be verified or checked, and there is always a danger of getting phishing attack with altered results.

On Windows 10, if you want to read QR codes, all you have to do is enable the experimental features on the "stock" camera application. No need to install other stuff.
Should I mention that Electrum already creates and reads the QR codes it needs? That way one doesn't have to rely on 3rd party software which has happened to generate the wrong QR code in case of Bitcoin addresses (of course, it was websites doing this, not open source programs).

If you can please test how Passport is dealing with QR codes (encrypted or not) and post it in this topic, I will later see if I will add information in first post or created new topic for that.
Thank you in advance.

I found few free opensource programs that can be used for reading QR codes on regular computers, so we don't have to trust any phones or other devices.

For Linux it's program called CoBang that can work in most Linux OS and there is even Flatpak version... developer even mentioned other Linux alternative called Decoder in his github page:
https://github.com/hongquan/CoBang

For Windows it's open source portable program called QRworkshop, that can be used for generating and reading any QR codes from images.
https://www.fluxbytes.com/software-releases/qr-workshop/

I think they are going to push even harder for NFC now that apple iphones are promoting it heavily for payments with easy tap. 

If you are transmitting data between two devices which are permanently in your control, such as a phone and a hardware wallet, when you can ensure they have not been tampered with and you can be sure there are no other devices in the vicinity which could intercept the data then maybe there is an argument for using NFC over QR codes. But when scanning a merchant's terminal, I see no benefit to using NFC.

Just FYI in case you are interested, but there are a number of phones already on the market with built in hardware kill switches for various pieces of hardware, such as the PinePhone and Librem phone.

I have a "Digipass" from ING bank. It scans a "QR" code, but instead of black it uses red, green and blue dots. And it doesn't have the "3 squares" to identify the orientation of the QR-code. The most impressive part is the speed: it scans almost instantly, while my phone needs about a second to read a QR-code.
By using multiple colors, the QR-code can be smaller.

I had a bank account that started requiring it. I closed the account. I refuse to use their software to give them access to a chip in my passport.

I love the user interface a cable provides It's very clear what's happening. I usually use a (very old) USB stick to transfer data to and from an offline system, QR-codes require a working camera (with drivers).
Or I just enter the data on the keyboard.

The main difference is error correction. A QR-code still works even if a part of it can't be read.
For the same reason shops use barcodes.

Well, with QR, you have to scan twice, right. So it's one extra step in a way. But a single extra QR code scan (usually doable in ~1s can hardly justify the weakened security.

That's correct. When using QR codes, you know that data can only be exchanged when the phone is physically out of your pocket and pointed at a QR code, while NFC can work through clothes and inside bags without user notice. If I walk around with my phone in my hand and someone tries to hold a QR code in front of it, I'd obviously notice, while that can't be said about a powerful 'evil' NFC transceiver in someone's backpack probing for vulnerable devices.

This is a terrible idea. Aside the fact that you can't verify a PSBT by just looking at it anyway, QR codes are much faster and reliable to scan through the pattern, alignment squares and built-in checksum / error correction. OCR often messes up things like l and I (lowercase L and uppercase I) or sometimes mistakes those even for a pipe |. It's even hard to distinguish for humans.

Good idea; if you whip up a thread for it, I'd contribute by analyzing / sending in Passport v1 and v2 codes. Pretty sure it's standard PSBT (unencrypted) by looking at the code, but I have to verify. I also expect / hope this is the industry standard and only Safepal puts some closed-source encryption around it, but it would be interesting to gather info on all QR-based HW models in one place.

This is kind of off-topic, but I'm following Framework's developments and recently they mentioned starting development for a new 'product category'. I really hope it will be a Linux smartphone with hardware toggles for sensors and antennas, just like on their laptop. I don't have it, but would buy it if I needed a laptop, from what I've seen about it so far.

Well, if you know all the websites you visit and all the applications / programs you use, are restricted to HTTPS and deny connections to outdated SSL / TLS standards, it should be safe to use. In practice, it's not so simple to ensure this, so any data transmitted without encryption to an open WiFi router, can be intercepted and read by anyone. One mitigation would be using a VPN, since that 'packages' up everything, no matter if HTTPS or HTTP traffic, however VPNs pose a risk themselves, too. Soo 'I don't think there is any way to inject anything into your device through WiFi' is honestly wrong.

We are here, don't worry
I was thinking how to test all wallets to see how exactly they are using QR codes and NFC chips in their devices.
Some wallets use encrypted QR codes but they all lack in documentation explaining what they are using and how exactly.
I found that most NFC chips are coming from one or two companies, so it's closed source monopoly black box.

Same goes for smartphones, even old phones have cameras that can read QR codes.

Maybe you can turn off NFC function on smartphones but can you really prove you really turned it off, or it's just on stand by?
I know some phones can spy their users and perform some functions even if they are turned off, so best way would be to put phone or device in faraday cage bag.

Not for all wallets if they are encrypted.
It's a bit more complicated than I was first thinking... doing some more research about that now.

This is not true.
Wi-fi has multiple times higher risk, especially if you are using public spot network.

QR codes have a number of advantages, including being able to scan the whole thing instantly and not having to pan back and forth or display multiple screen of text as you might have to do with a string of characters, and built in error correction.

Most people can't make sense of the kind of data you would want to scan to use bitcoin either. A raw address maybe, but the vast majority of people can't translate a raw unsigned or signed transaction and understand if there is a problem with it.

with ocr being so advanced why are qr codes needed over just human readable strings? i cant translate a qr code by looking at it. even if the string was long between NFT capabilities and human readable addresses a better compromise could be made.

i love your input on nfc and its disadvantages.

I've already got the camera lens broken/blurry at one phone and one tablet, maybe that's why I may be overthinking this a little


I agree 100% that it's an unnecessary risk. Just in my head it doesn't look like so much likely (nor big).
I mean that I expect that you will have to do more than for a CC, i.e. take a look and sign/allow the transaction, which hopefully won't be skipped.

Is it really any more convenient though? Open your wallet and hold it next to the terminal for a second or two versus open your wallet and point it at a QR code for a second or two. It really doesn't seem any different to me?

I disagree here. NFC provides a route for data to enter and leave your device, which has the potential to be exploited. Who's to say someone can't develop malware which can be loaded on to your device just by standing or sitting near you, similar to RFID skimming? Unlikely, but possible. It's an unnecessary risk.

Indeed, QR issues may be more related to privacy (if you are sure the wallet/system generating them is not corrupted).
Still, neither of the systems can be called perfect. I prefer QR, but we cannot deny that NFC, where it's supported, can be much more convenient to use (and of course, this means lower security).


You are not late and I can say that you've done a pretty good sum up.

---

My conclusion is that although QR is safer than NFC, if the HW and companion software wallet used are good enough, everything can be properly double checked before signed.
And then the only problem remaining may be that NFC is not supported by so many devices (as QR would be). _{My current smartphone doesn't have NFC at all.}

I'm not sure how they could pull off such an attack though? Sure, they could create a malicious QR code, but they can't exactly upload that to the merchant's terminal or print it out and stick it over the screen of the terminal. And if the merchant has a single QR code printed and stuck on the wall which the attacker replaces, then at most they can scam a single customer before the merchant goes "Hey, your payment didn't arrive, let's figure out why."

You don't even need to connect to a malicious device or network to fall victim. Chips containing malware can be hidden inside USB cables, charging terminals, etc. I wouldn't physically connect any of my devices to anything public, ever.

Security risk of connecting to WiFi is the same as connecting to internet any other way. I don't think there is any way to inject anything into your device through WiFi, but it is trivial to inject something through a direct connection via cable.