Sunday, 22 July 2012

Social engineering using QR codes

The HOPE Number 9 conference has come and gone and I had some fun this year. Unlike the last time around, I did not prepare anything well in advance of the conference but had come up with a fun social engineering project the week before.

QR codes are becoming more and more ubiquitous in North America after having gained traction in Eastern Asia (specifically Japan) and most of Europe. Depending on what you put inside, you can have up to almost 3 KB in binary data or almost 7 KB if it is just numeric data. You'll find them in ads in newspapers and subway stations, and almost anyone with a smartphone is capable of scanning these codes.

However, people will scan them without much thought and will in most cases go along with whatever the code requests. An excellent case in point is a friend of mine who has a site called QR Code Promos, which he uses to track people who scan QR codes placed in various locations in the United States and Italy. During DEFCON 19, he slapped a code on one of the female presenters at the Saturday night showing of Hacker Jeopardy and got a large number of males to run up and scan it with their phones. It was downright funny and also sad to see these guys just race right up.

This got me thinking about taking it one step further and asking people to call a voicemail and leave some details for me. It was a two-sided idea: can I get people to call my voicemail and leave these details while at the same time get people wondering what is going on and find something else embedded inside? This ended up being a nice data mining slash puzzle so to speak.

The message

If you were to scan the above code, you'd get a message as follows:

The voicemail number was a K7 account that I had set up for free. Feel free to call it until whenever it expires.

There were about 50 or so printouts of these pieces of paper with every 6 or 7 having a different code. I did attempt to scatter the codes evenly across the whole hotel, but when you look at a QR code, they just blur and look all the same anyhow.

I had managed to snag a few photos of people scanning the codes too. Towards the end of the conference, a lot of them were also vandalised. Security had also asked around about who was putting them up and whether or not they were malicious.

Based on the writings on them, I can see that I got some attention here.

What is the deal with the codes then?

I decided to make the cipher for the decoding process rather simple. I thought about making it a monoalphabetic substitution cipher (as in swap letters around a la ROT13-esque) and use letters as opposed to numbers, but I then decided to run with using a telephone keypad as the decoding method.

In case you're not familiar with the keypad for whatever odd reason, it looks as follows:


Using the above, I encoded the following message:


So really it should read:
afreak dotca slash hope canyou solve the puzzle

By going to, you'd be presented with the following:

It was pretty simple but I will mention in a bit why there were some problems with my methodology.

Success rate?

Well, I did manage to get quite a number of voicemails:

However, when you break it down, I didn't get that many people calling, as only 34 unique calls were registered. The vast majority were from the northeastern part of the United States, with the notable repeat callers (more than two) being from area codes in Washington DC (9); Trenton, New Jersey (9); Westchester County, New York (7); and Vermont (4).

One fellow, Dan, had managed to figure out that "solve" "the" "hope" "puzzle" were words used in the codes. Good job! However, as you have probably already read, this isn't the order of the words. I believe one aspect that made the codes confusing is that while it was probably easy to pick up that they meant something, order was not available. Perhaps what I should have done is introduce a value into them to give some semblance of order, and perhaps a ninth code with "HTTP" as a value would have made things a bit more clear.


One aspect that I neglected with this experiment was to keep track of where the codes were scanned most. What placement was most effective and what level of foot traffic should be sufficient to get the most hits? I was able to keep track of what codes were scanned most, but since I didn't keep note of where the codes were being placed, it was impossible for me to know what was successful or not.

Additionally, nobody managed to decode the whole message. Was it too difficult to figure out? As I mentioned earlier, I believe a ninth code with "HTTP" in it would have made things a bit clearer.


This was a fun exercise and I imagine that I will probably do more of these social engineering exercises as time goes on. However, this is the last time I will be at the HOPE conference. DEFCON next year? Likely!