Nowadays, waiting for a delayed flight is not the tedious or even infuriating experience it used to be. At least for some, of course.
Instead of having to roam for hours in a crowded space, travelers can gain access to fancy airport lounges. It’s all about the comfort, you see? In a first class airport lounge you can rest, shower, have a drink or even buy goods at duty-free shops.
So, what happens if there’s an error and your special QR-code-based credentials are revoked, leaving you out of the heavenly airport lounge? Well, you could just go to the information desk and complain about it… or you could create a dedicated QR code generator to hack your own QR codes… Just kidding, don’t do it.
The thing is that someone did just that. Przemek Jaroszewski, the head of Poland’s Computer Emergency Response Team and a frequent flyer who has a gold status, wasn’t allowed inside Warsaw’s airport lounge due to a technical error. It so happens that the automated boarding pass reader rejected Przemek’s QR code.
This issue inspired Przemek to put his hacker skills to “good” use. He developed an Android-based QR code generator with which he can create QR codes containing fake flight information that the lounge scanners read with no problem whatsoever.
This video, uploaded by Przemek himself, shows how he bypassed the system in real time. It’s worth watching.
Przemek is not trying to get away with this (he’d rather avoid the FBI). Instead, he is trying to prove a point. His app, which has been tested in several airports all across Europe, has led him to the conclusion that airport lounges only validate travelers with real flight numbers. They don’t cross-check personal information within the code itself.
This is a major security flaw that can be easily exploited by anyone. Travelers could get access to airport lounges and buy products that are exempt from taxes, without having their own flight ticket.
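The missing cross-check, sketched as an added example that is not code from Przemek or from any airline: it contrasts a flight-number-only check with one that looks the scanned claims up in the airline's own records. The field names, the schedule and the reservation store are assumptions, and all sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ScannedPass:            # fields a gate reader decoded from the QR code
    name: str
    booking_ref: str
    carrier: str
    flight_no: str
    day_of_year: int
    cabin: str

# Constructed sample data standing in for the airline's systems (assumption).
SCHEDULE = {("XX", "0123", 200)}
RESERVATIONS = {
    ("ABC123", "XX", "0123", 200): {"name": "DOE/JANE", "cabin": "J", "lounge": True},
}

def flight_only_check(p):
    """The weak check described above: does the code name a real flight?"""
    return (p.carrier, p.flight_no, p.day_of_year) in SCHEDULE

def _norm(name):
    # Compare names case-insensitively and ignoring whitespace.
    return "".join(name.upper().split())

def cross_check(p):
    """Admit only if the airline's own record backs every claim in the code."""
    if not flight_only_check(p):
        return (False, "unknown flight")
    key = (p.booking_ref.upper(), p.carrier, p.flight_no, p.day_of_year)
    rec = RESERVATIONS.get(key)
    if rec is None:
        return (False, "no matching reservation")
    if _norm(rec["name"]) != _norm(p.name):
        return (False, "name mismatch")
    if rec["cabin"] != p.cabin:
        return (False, "cabin mismatch")
    # Entitlement comes from the record, never from the scanned data.
    if not rec["lounge"]:
        return (False, "not entitled")
    return (True, "ok")

# Constructed passes: one backed by a reservation, one with self-chosen details.
GENUINE = ScannedPass("DOE/JANE", "ABC123", "XX", "0123", 200, "J")
SELF_MADE = ScannedPass("ROE/RICHARD", "ZZZ999", "XX", "0123", 200, "J")
```

Both passes satisfy `flight_only_check`, but only `GENUINE` passes `cross_check`, because the decision rests on the stored reservation instead of on what the code claims about itself.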
Wired’s article explains that “fake boarding passes are hardly a new hacker trick”. And we couldn’t agree more. But what about the QR codes themselves? If hackers can generate QR codes to forge credentials, what is stopping them from creating codes that, when scanned, can infect your mobile device with a virus? The simple answer would be to scan using a secure QR code reader.
Where can you get a Secure QR Code Scanner?
QR codes are usually accompanied by some sort of contextual information. This not only provides motivation for you to scan the code, but it also helps you feel confident that the QR code’s link is not malicious. You wouldn’t just scan a random code and hope nothing bad happens.
In any case, if you accidentally happen to scan a QR code that distributes malware, chances are you wouldn’t notice it. Your QR code reader might not be able to check the QR code’s content and determine whether or not it’s safe to open.
In our search for the best QR code scanners out there, we’ve stumbled upon one in particular that outshines the others when dealing with this sensitive issue: Kaspersky’s QR Scanner.
Kaspersky Lab is a company that excels at providing IT security services for consumers and businesses alike. Their software catalogue includes ad cleaner, password manager, safe browser and more. They even offer corporate products like file server security and systems management.
Kaspersky’s QR Scanner works as you’d expect: point your mobile device’s camera at the code and the app will do the rest. But instead of giving you the option to open the link in your browser right away, it’ll take an extra second to verify whether the content is legitimate. If it’s not, it will let you know that the link is a phishing or malicious one.
As far as QR code readers go, Kaspersky brought something unique to the table that relates to those who want to be on the safe side after scanning a QR code; all of us, for that matter. Plus, the app is free 🙂
Heading back to the lounge
Przemek Jaroszewski’s experiment poses a problem that needs to be resolved sooner rather than later. Aside from the obvious, which is that lounges are meant to be accessed by VIPs, the real deal here is that through the use of QR codes hackers can achieve a great many things.
Personal information could be retrieved, your device’s storage could get corrupted, mobile payments could be made without your consent… All of this can be prevented by double-checking… or installing Kaspersky’s QR Scanner. No more blindly scanning QR codes!