The Quick & Dirty: Trolling with QR Codes - Taking IMPACT Pro’s Mobile Device Exploitation Capability One Step Further

October 27, 2011

By default, when attacking a mobile device in Core Impact Pro, we would use the Client-Side Rapid Penetration Test (RPT). This method gives us the ability to generate, host, and send an email with a link to a malicious webpage or a malicious application, depending on which type of mobile device we are attacking. The easiest way to generate a malicious link is to use the RPT and select your own email as the recipient. From this point, we can then take that malicious link and use it however we like. We may decide to use the link in an email on our own terms, or possibly elsewhere to expand the attack surface even further. Any way you look at it, these testing methods were designed to safely compromise a mobile device and deliver proof of the vulnerability.

In come QR codes. In a nutshell (or outside of a nutshell), a QR code is a type of two-dimensional matrix barcode that's becoming more and more common. The code provides information when scanned, usually contact details or a website. One place they are gaining popularity is advertisements (e.g., "Scan now to visit our website!" or "Scan now for a free 'blah'!"). Even business cards are starting to print QR codes these days.

By now you should see where this is going …

There are many free QR code generators on the internet that are very simple to use.  You just type in the contact info or URL and hit "generate." Now you have an image file of your very own QR code!  This would be a good time to use it to send actual malicious code, or in our case, the link we generated with IMPACT Pro.   For this example I’m using www.quikqr.com.

Once the code is generated, we can right click on the image and save it for use elsewhere. The above example generates the QR code visible in this blog.

We can use this code for a penetration test in multiple ways.   For example, we can add it to our own “advertisement” and place it in a public area such as employee bulletin boards.

Clearly, when displaying the QR code with physical pamphlets or advertising, we will not encounter safeguarding measures such as anti-virus, IDS/IPS or spam filters.   Once the attack is successful, we could then leverage the device even further by dumping the device profile, GPS location, contact information, SMS, and MMS messages via a number of different Local Information Gathering modules found in IMPACT Pro.  Not only could I dump all of that information, but I could then report on the results of the test/attack by using the Mobile Devices Report.

One final note I should mention is that these do not have to be used only in physical attacks, as it’s still entirely possible to embed the image into an email.  Once again, you can just generate a random template that includes some text such as "Scan here for the free mobile app" and then embed the image into the body of the email.  A phone can scan a QR code on a monitor just as easily as it scans one on paper.  If the image is in the email and it’s only accompanied by text (no hyperlinks), you will very likely increase your chance of bypassing the spam filter.
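On the receiving side, the control that matters is what the phone does with the text it decodes, since the image itself passes every filter the post lists. The following Python is added here as an illustration and is not part of this post or of IMPACT Pro: it triages a decoded QR payload (contact card, Wi-Fi join, action scheme, or URL) the way a scanner app or awareness tool could before acting on it; the trusted-host and shortener lists are constructed placeholders.

```python
"""Triage the text a QR scanner decodes, before the phone acts on it.
Added example for this post, not Core Security / IMPACT Pro code."""
from urllib.parse import urlparse

# Constructed placeholders: hosts the organisation really publishes QR codes for.
TRUSTED_HOSTS = {"www.example.com", "intranet.example.com"}
# Constructed list of link shorteners; they hide the real destination from the scanner.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
# Schemes that make the phone *do* something (dial, text, install) instead of showing a page.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "market", "itms", "itms-apps"}


def triage_qr_payload(payload: str) -> dict:
    """Classify a decoded QR payload; returns kind, verdict (allow/review/block) and reasons."""
    text = payload.strip()
    result = {"kind": "text", "verdict": "review", "reasons": []}

    # Contact-card payloads (the business-card use the post mentions).
    if text.upper().startswith(("MECARD:", "BEGIN:VCARD")):
        result["kind"] = "contact"
        result["reasons"].append("contact card: inspect any URL field before saving")
        return result
    # Wi-Fi join payloads connect the phone to whatever network the printer chose.
    if text.upper().startswith("WIFI:"):
        result.update(kind="wifi", verdict="block")
        result["reasons"].append("joins a Wi-Fi network chosen by whoever made the code")
        return result

    # Scanner apps treat a bare "www." host as a web link, so normalise that case only.
    if "://" not in text and text.lower().startswith("www."):
        text = "http://" + text
    parsed = urlparse(text)
    scheme = parsed.scheme.lower()
    host = (parsed.hostname or "").lower()

    if scheme in ACTION_SCHEMES:
        result.update(kind="action", verdict="block")
        result["reasons"].append(f"'{scheme}:' payload triggers an action, not a page view")
    elif scheme in ("http", "https"):
        result["kind"] = "url"
        if host in TRUSTED_HOSTS:
            result["verdict"] = "allow"
        else:
            result["verdict"] = "block"
            result["reasons"].append(f"host {host!r} is not a known organisation host")
        if host in SHORTENERS:
            result["reasons"].append("shortened link hides the real destination")
        if scheme == "http":
            result["reasons"].append("plain http: the page can be altered in transit")
    return result
```

A scanner wired to this check shows the reasons to the user instead of opening the destination silently, which is exactly the step the physical-pamphlet delivery above counts on being skipped.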

To the eyes of a security professional, a mobile device is another thing to secure and protect.  To the eyes of a hacker, a mobile device is another way in.

Happy Scanning!

-Teague
