QR codes are a type of two-dimensional matrix barcode with a wide variety of uses. They’re one way of turning a long string of data into an easily machine-readable format. For this reason, they can be used to store private keys for encryption and cryptocurrency purposes. [Roger Ver] attempted to use a QR code containing a private key to give away some cryptocurrency on TV, but the code was blurred out by the broadcaster. Not ones to give up easily, [Michael] and [Clément] decided to see if they could reconstruct it anyway.
The work begins, as so many cryptographic exploits do, with the collection of as much of the plaintext key as possible. By stepping through the footage frame by frame, small pieces of the unobscured QR code were found, as well as some of the private key itself. By combining this with enhanced images of the blurred code, the team were able to put together less than one third of the QR code. The team had other tricks up their sleeve though – they knew the QR contained a private key of a particular format, and were able to figure out the QR code was 41×41 pixels.
By using this data along with a careful study of the QR code format, the team were able to put together some code in Python to brute force the key. After 838849 trials, the key was found, and the team were able to claim the prize. It’s a great example of cryptographic analysis – and so is this story on hacking your own password.
[Thanks to Esko for the tip!]