This simple QR Code could jeopardize our company

In 2021, we no longer present the QR codes or their cousins ​​the 2D-Doc. These “Datamatrix” type codes, once scanned, allow you to receive coded information: an identity or an Internet address to which you are redirected. It was established in 1994 by Masahiro Hara, an engineer of the company Denso-Wave, to initially allow easier tracking of spare parts from factories Toyota. It was only 5 years later that Denso-Wave makes technology copyright free and therefore usable by everyone. If it does not fascinate the crowds at the start, its use is exploding with the generalization of mobile phones which all turn into QR code readers. Today, it is found everywhere, whether on your packages received by the post office, on bus stops to display timetables, plane tickets, etc. In these times of the Covid-19 epidemic, it is even more in our daily lives since it is present on health passes. When the application AllAntiCovid Verif the scan, the customer’s last name, first name, date of birth, as well as the validity of the health pass is displayed on the reader.

Its advantage is that it is scanned very quickly. After all, “QR” meaning “Quick Response”, or “rapid response”, it is not surprising and rather reassuring on the nominative promise. Yet its generalization in most of the machines around us could pose a big problem because of the EICAR chain.

EICAR: the little chain that takes apart

The EICAR channel is not a new television channel talking about cars, but rather a series of characters of all kinds set up by the computer industry years ago to test the antiviruses of their systems. It makes it possible to make believe in a virus attack and to see how the program reacts. Here is the precious, deceptively evil sesame:

X5O! P% @ AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Dès qu’un logiciel tombe sur ces 68 caractères, il passe en mode élimination ! Selon le système, cela peut se matérialiser par une mise en quarantaine, un redémarrage pure et simple, mais aussi parfois par un blocage total du programme. D’où l’idée saugrenue venant du hacker Richard Henderson de l’encoder sous forme de QR Code et de voir des gens s’amuser avec son virus noir et blanc partout où il est possible de le scanner. Dans une vidéo diffusée sur le compte YouTube DEFCONconference, il a démontré, vidéos à l’appui, la dangerosité de ce code EICAR sous cette forme-là. Scanné par un lecteur de code-barres dans un supermarché, celui-ci cesse de fonctionner. Même résultat lors de sa présentation à un lecteur de passeport dans un aéroport ou la caisse automatique d’une sortie de parking.

So it would be that easy to damage a system and completely crash a machine? Absoutely ! Not even need sophisticated material and the hacker blames the multifunctionality of the readers who are not all prepared to receive this kind of information. As the information received is generally sent to servers running Windows, they face an antivirus which, confronted with the EICAR chain, reacts accordingly. He points out that the makers of these readers do not prepare enough to face attacks of this kind, not imagining the carnage that a simple loophole found by hackers can create.

Chaos project

Richard Henderson has also not ordered a whole battery of stickers of the QR code from the EICAR chain and we dare not imagine what he could do with it. In the hands of an anti-social organization as in the film Fight Club, joint and coordinated action could destabilize entire cities. Be aware, however, that this kind of hacking is punished by five years imprisonment and a fine of 150,000 euros by law if it is proven that you did it on purpose. Afterwards, if you sabotage a submarine with chewing gum, is it really your fault or that of the designers who have not thought through the safety of their machine until the end? The question arises and shows well the fragility of a company that launches and generalizes technologies without having tested 100% security. And for those who are wondering: no, Richard’s QR code does not work on AllAntiCovid Verif, but that doesn’t mean the app is foolproof. It was even recently shown that by changing the language of the application on a terminal, an invalid code could slip through the cracks…