QR codes are everywhere these days, from being printed on receipts to being chiseled into granite tombstones. [Will] came up with a way to modify existing QR codes, and his hack has the potential to cause quite a bit of harmless mischief.
[Will]’s hack involves a little photo editing, transparency film, and some white-out/Liquid Paper/Tippex. After the ‘target’ and ‘destination’ QR codes have been imported into Gimp, the differences are found and the result printed out on a transparency sheet. After that, hang the transparency over the original and the QR code now goes to the URL of your choice.
At the ‘high’ level of error correction, a lot of neat stuff can be done with the design of a QR code, including putting logos inside it by modifying the 359 ‘data pixels’ of a 25×25 code. We’re wondering if anyone has ever written a script to exploit the error correction of QR codes. In any event, it is possible to brute-force changes until the fewest possible pixels are changed.
The ISO 18004 standard is available online if anyone would like to take up that challenge. If a Hack A Day reader figures it out, send in the code on the tip line and we’ll put that right up.
http://wordpress.mrreid.org/2011/08/06/hacking-qr-codes/
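The 359 figure can be checked by mapping out the modules a version 2 (25×25) symbol reserves for finder, timing, alignment and format patterns; the same map lets the owner of a posted code see where an overlay changed it. This is an added example, not code from [Will]'s write-up or from Hack A Day. It assumes both grids have already been sampled cleanly into 25×25 arrays of 0/1, and the names `function_modules`, `audit`, `REFERENCE` and `OBSERVED` are made up for illustration.

```python
SIZE = 25  # version 2 symbol: 4 * 2 + 17 modules per side

def function_modules():
    """Cells ISO/IEC 18004 reserves in a version 2 symbol (not data)."""
    cells = set()
    def block(r0, c0, h, w):
        cells.update((r, c) for r in range(r0, r0 + h)
                     for c in range(c0, c0 + w))
    for r0, c0 in ((0, 0), (0, SIZE - 8), (SIZE - 8, 0)):
        block(r0, c0, 8, 8)          # finder pattern plus separator
    block(6, 8, 1, 9)                # horizontal timing pattern
    block(8, 6, 9, 1)                # vertical timing pattern
    block(16, 16, 5, 5)              # alignment pattern centred on (18, 18)
    block(8, 0, 1, 9)                # format info beside top-left finder
    block(0, 8, 9, 1)
    block(8, SIZE - 8, 1, 8)         # second format copy, top right
    block(SIZE - 8, 8, 8, 1)         # second copy, bottom left, + dark module
    return cells

def data_module_count():
    """Modules left over for data and error-correction codewords."""
    return SIZE * SIZE - len(function_modules())

def audit(reference, observed):
    """Compare a known-good grid with one sampled from the posted code.
    Both are SIZE rows of SIZE ints, 1 = dark module."""
    reserved = function_modules()
    changed = [(r, c) for r in range(SIZE) for c in range(SIZE)
               if reference[r][c] != observed[r][c]]
    return {
        "changed": len(changed),
        "in_function_patterns": sum(cell in reserved for cell in changed),
        "in_data_area": sum(cell not in reserved for cell in changed),
        "tampered": bool(changed),
    }

# Constructed sample grids (synthetic pattern, not a decodable QR code).
REFERENCE = [[(7 * r + 3 * c) % 2 for c in range(SIZE)] for r in range(SIZE)]
OBSERVED = [row[:] for row in REFERENCE]
for r, c in ((0, 0), (10, 10), (11, 10)):   # one finder cell, two data cells
    OBSERVED[r][c] ^= 1

if __name__ == "__main__":
    print(data_module_count())       # 359
    print(audit(REFERENCE, OBSERVED))
```

Because error correction can hide a handful of changed modules from the decoder, a module-level comparison like this complements simply decoding the posted code and checking that the payload is still the expected one.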
If you modify QR codes this way you’re an asshole. This is not about security it’s about fucking over people when they want to save time.
You need to relax. A prank is a prank. If you are soooo distraught over losing a couple seconds that you COULD have used to easily type out the address manually, then you really need to rethink your priorities.
Actually, this is valuable as a teaching tool. People need to understand that just because the words say “google” doesn’t mean that’s what the black-and-white blocks have in them.
Nothing is easier to forge than a barcode, because most humans simply can’t read them. They can’t inherently know if they’re looking at a good one or a malicious one.
I see too many people who simply trust barcodes completely. They confuse the human readable for the data. Or they think it’s a good idea to slap on a barcode that represents the actual value instead of a pointer to the value (coupons).
For that matter, you can even do SQL barcode injection attacks just like on the web. Some guy presented it at C3 a couple years ago where he hacked a video rental kiosk by injecting bad barcodes. Do you still think it’s a great idea to have your cash register scan your customer’s iPhone screen, Starbucks?
I believe it is a reasonable teaching tool as well. The reason is very clear: if a person can manipulate the code this way, then what do you think they can do to your bank account information if or when you cash a check using this thing? Sometimes the easiest way to do something is not always the best way, and I believe this teaches the limitations of, and problems with, this type of code.
Real link is a search away: http://wordpress.mrreid.org/2011/08/06/hacking-qr-codes/
(the author probably edited the post so the date in the URL changed.)
Thanks icebrain. I fixed the link. It looks like the author changed it in the last hour or so.
Correct link is http://wordpress.mrreid.org/2011/08/06/hacking-qr-codes
Not too hard to find yourself unless you’re a lazy sob that just likes to complain….
surely the true hack would be doing it with just a marker or something :P
I’m sure it would be possible to modify a QR code with just a marker, but you’ll invariably run into situations where you’ll need to change a black pixel to a white pixel.
Looking at the ISO spec, it’s possible, but I can’t find anything on a script that will find the most efficient change from an original QR code to a ‘target’ code.
Would it not be easier to print on a white sticker and place that over the QR code?
I was thinking the same thing. then you could just produce your code in mass, and stick them not only over other ones but anywhere in general.
100% what i was thinking. I guess the only advantage is that a transparent film could hang over anything where as a white paper could potentially look out of place against a colored background.
Wouldn’t it be easier to generate a completely new one with the right size and just glue it over the old one?
yes mon frere, yes it would. With the right type of sticker paper it would look official, albeit an official afterthought.
Now I need a deck of pain series QR stickers in my wallet at all times.
Aaand it’s back
Hey guys, didn’t you read the post a couple days ago about Hackaday cleaning up their comments policy? Umm… d and zee you really need to take a peek. I’d say Matseng you too. http://hackaday.com/2011/07/27/hackaday-comment-policy-were-cleaning-up/
Just click the “report comment” button, the admins will take care of the problem :)
Haha, you’re right. Didn’t think of that. lol
Perhaps you should read it again. I am not breaking any rules.
I am not criticizing the hack but I am calling out the people that would use it just to spite people.
I was thinking about this the other day when I noticed lots of stores hanging this on their windows for easy access to their website.
Excellent “rick rollin'” target if you ask me.
@Zee: QR codes are inherently unsafe. It is unwise to use them; at least with a URL you can see what it’s visiting. For all, it could link to a PDF file exploiting native browser or operating system vulnerabilities… THAT would be really nasty…
Excellent idea … We make a site that uses flash/pdf/whatever exploit to install a rickroll spyware.
Software Description:
Sit silently until a set of events occur (eg the user types “Rick”). Then turn the volume down low and play pieces of “Never Going To Give You Up”. The target will have that song stuck in their heads and not know why! Epic trolling!
I’ve only used one QR code reader (on my Android phone) but I would assume they all show you the decoded information and make you press a button to view the data (e.g. browse to the URL). Besides that, some codes aren’t even a URL at all, just text, etc.
Now, that doesn’t remove the danger of “phishing” using a URL that, at first glance, looks legit, but that doesn’t make QR codes any more “inherently unsafe” than human-readable codes, if you’re paying attention.
If the QR code points to a shortened URL, this could be a real problem.
@zehn is right on. Just like people hack UPCs when they go school shopping to make the $100 Super Deluxe Graphing calculator cost $50
This is just silly. As an aside. A lot of advertisement posters are actually put up illegally. So, the better question is: Is vandalizing a vandal’s work really morally evil?
The BBC hacked a QR code to put their logo in some time ago: http://2d-code.co.uk/bbc-logo-in-qr-code/
Umm.. why would you waste your time overlaying it and manually drawing in the white splotches when you could just print the QR code straight up and paste it over top or something similar?
I get how the idea is neat, but it’s never practical.
Little example, how strong is error correcting algorithm in QR.
And my little business card ;P
If you’re going to stick something over it then you may as well stick a whole new code sticker over it.
must…change…all…qr codes…to…goatse
I had the same idea… I think goatse will have 99,99% mobile browser hits from now on..
I thought this was an interesting bit of research into how to analyze QRs and find their differences…but yeah, in practice it would make much more sense to simply cover over the entire QR.
Like already said, if you are going to physically stick something over the code in the first place, you might as well replace the whole thing.
A friend and I had discussed this very thing, and had our Facebook profile pics set as QR codes.
His led to a page that said “You just lost the game”
Mine led to Goatse
The comedy potential for this is near-infinite.
Protest Signs (HELLO news) are wonderful targets
**** WARNING****
this leads to Goatse, via a QR code
http://tinypic.com/r/35clylz/7
(you won’t get goatse on the link – just the QR code)
****WARNING****
I’m not sure why you would need to, but you could place these overlays on your own ad like a flip chart to have multiple QR codes without needing to take up more space on your advertisement.
QR Code ‘switching’ or ‘code-jacking’ in this old post on 2d-code.
I for one appreciate this for 1 reason
he didn’t take the obvious route of simply replacing it (which would work a lot better)
he went the needlessly complicated route for 1 reason
because he can appear geekier than ever!
@edonovan: That’s actually a really good idea!
I did that designing a couple of days ago, it’s actually quite fun :)
http://img4.imageshack.us/img4/6522/qrcodea.png
IMHO replacing a QR code isn’t much different from giving someone an obscure url like lemonparty…Or one that is supposed to look legit like bankofamerica.123.com. So in essence it’s not really a new thing.
I predict that this will be the next wave in advertising. In the same way that websites have integrated ads until the usefulness of the web has been reduced to the point where I won’t go online without an adblocker, advertisers will start plastering QR codes all over the place. The fact that people can’t just look at a QR code and know what it says or where it goes makes most people an easy target. Even worse, most QR code apps don’t tell you what the code says before they happily send you to a target URL.
I’m not looking forward to being QR rick-rolled.
That is fine, as QR codes become more ‘viral’ QR code reading devices will be forced to become ‘secure’ in the sense that they will warn users of the site they’re about to visit.
Hopefully the app makers will catch on quickly enough to where it’s not a real problem. Luckily we don’t have to get QR codes thrown at us like popups, we can simply ignore them.
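The reader-side warning discussed in the comments above (show what was decoded, flag shortened URLs and look-alike hosts such as bankofamerica.123.com) can be sketched as a check that runs before anything is opened. This is an added example, not part of any comment or of any real QR reader; `review_scanned_payload`, the verdict strings and the short `SHORTENERS` list are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed, illustrative list; a real reader would ship a maintained one.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}

def review_scanned_payload(payload, expected_host):
    """Return (verdict, reasons) for text decoded from a QR code.
    expected_host is the site the printed label or poster claims to be."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        # Plain text, contact data, other schemes: display it, open nothing.
        return "show-as-text", ["not an http(s) URL"]
    host = parts.hostname.lower().rstrip(".")
    reasons = []
    if host in SHORTENERS:
        reasons.append("shortened URL hides the real destination")
    elif host != expected_host and not host.endswith("." + expected_host):
        # Catches expected-name-as-subdomain tricks: the registrable
        # domain is on the right, not the left.
        reasons.append(f"host {host} is not {expected_host} or a subdomain")
    if parts.username or parts.password:
        reasons.append("text before '@' can disguise the real host")
    if scheme == "http":
        reasons.append("plain http, destination is not authenticated")
    return ("warn" if reasons else "ok"), reasons

if __name__ == "__main__":
    # Constructed sample payloads.
    for text in ("https://www.example.com/menu",
                 "https://bit.ly/abc123",
                 "You just lost the game"):
        print(text, "->", review_scanned_payload(text, "example.com"))
```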
I’m with everyone else on simply overlaying a new barcode sticker. As for the graphic overlay; this has been utilised for a while. I’ve been overlaying my EJ logo over my codes’ centres without issue for a while.
We need to have an Android app that programmatically finds the smallest differences needed, and displays what you need to colour in black/white. It’s all well and good saying it’s easier to print out a whole QR code, but I for one don’t usually carry a printer around with me.
SO I plan on getting a QRCode tattooed on my neck with all my info in it and found a website about custom QR Codes but I can’t find it now… Similar to this site: http://qrarts.com/
http://a7.sphotos.ak.fbcdn.net/hphotos-ak-snc6/199110_10150105942041646_506756645_6941799_1919320_n.jpg
http://a8.sphotos.ak.fbcdn.net/hphotos-ak-ash4/200315_10150105506036646_506756645_6936786_3310017_n.jpg
http://a6.sphotos.ak.fbcdn.net/hphotos-ak-snc6/199433_10150105552541646_506756645_6937589_147589_n.jpg
Then I found EZCodes…
http://a3.sphotos.ak.fbcdn.net/hphotos-ak-ash4/189794_10150105929501646_506756645_6941660_467024_n.jpg
They are smaller…
Micro QR Code…
http://a7.sphotos.ak.fbcdn.net/hphotos-ak-snc6/197042_10150105942111646_506756645_6941800_7163373_n.jpg