Can a QR code run malware? Canada requires proof of Vax via QR Code. Asking for a fren
(media.greatawakening.win)
You're viewing a single comment thread. View all comments, or full comment thread.
Comments (17)
sorted by:
"I can only show you the door, you have to walk through it". The QR Code is the door, you have to open it, then step through.
Since the code is just an encoding of data or a web url, it cannot execute anything on its own. The app you use may have flaws in it that could allow a buffer overflow or the like though.
As to using it for vaccines, I've not probed anything like this yet. How I would program it would be my app uses encryption to encode personal information (name, dob, amountofjabs). I would then create the QR code from that. The counterapp would then read that code, decode it, and show the person how many jabs. I would hack this by either modifying the app to have a bogus amountofjabs before it goes to the qrcode creation as that would be the easiest point. If someone extracts the encryption method, they can just create their own qrcode, however encoding personal identification in prevents you from using someone else's code. I wouldn't be surprised if they rushed this and made it easier than the above though.
I am constantly amazed at the level of sophistication and knowledge of my fellow Pedes. Thank you!
So, first step is get APK, decompile and then find methods of attack.
My first step would be to get a couple of datasets/qrcodes then put them into a QR Reader site and determine if the data is raw or encrypted.
If it's encrypted, then I would attack the app at that point as I've never been good at dealing with encryption functions and prefer to just MITM the app before encryption/decryption. I haven't touched modern cell apps, but the tools used to be pretty good for taking apart Blackberry apps and such when I used those. Heard that they're not too horrible but don't know much about the process using the tools, or the tools required afterwards ala getting it signed so your cell phone doesn't have to use debug mode for normies to use and etc.
If the QR Code is not encrypted I would just work on making my own spoofer app/site that generates the appropriate QR code if I was able to determine all the elements with my dataset. The app may still need to go through some analysis though in the event of something like a nonstandard checksum method.
Getting the data is tricky, but yes that would also be a good approach.
The little bit I know about reading QR codes is that the larger the code the more fragile they are to start.
My initial search shows the government app as about 2 stars with mostly vaxxed reviews of false negatives.
I think making a QR code that would break the app might be enough where you just say that it's their fault the machine doesn't work.