In my last post, I mentioned the use of 2D codes on on-line ready-to-print stamps for the French Post Office. In particular, I was surprised to find out that those codes could embed a URL and automatically have the 2D barcode reader follow that link.
That was enough to pique my curiosity: I tried it out. 2D codes are really amazing because you do not need any particular equipment to read them, only a mobile phone with a camera (but this is getting quite common) and a barcode reader application. I tried it out on a freeware mobile application download server and it worked straight away: launch the application, aim the camera at the 2D code, and there it is, it reads the embedded URL. This is much easier than typing complicated URLs on mobile phones.
QRCode is just one type of barcode; others exist (DataMatrix, Trillmark, Shotcode…) with different looks and capacities. 2D barcodes may also embed other contents: SMS, MMS, e-mails, business cards, etc. Creating such a barcode is as simple as feeding the appropriate URI into an on-line generator.
Awesome? Perhaps… or perhaps not. Unfortunately, virus gangs could use this technology to have the end-user follow malicious links or send messages to premium numbers. Wouldn’t a 2D barcode seem more ‘legitimate’ to you if you found it on your car’s windshield? This raises the issue of sanitizing the contents of 2D codes: Can the embedded URL trigger a binary on the phone? Can the code contain a virus? 2000 bytes is little space, but enough for evil ideas.
– The Crypto Girl
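As an illustration of the sanitizing question raised above, here is an added example (not code from the original post or from any barcode reader) of how a reader application could triage a decoded payload and ask for confirmation instead of following it automatically. The file-extension list, the short-code threshold, the `triage` function name and the sample payloads in the comments are assumptions made for this sketch.

```python
import re
from urllib.parse import urlsplit

# Policy values below are assumptions for this sketch, not from the post.
RISKY_EXT = (".apk", ".jar", ".jad", ".sis", ".sisx", ".cab", ".exe")
MESSAGE_SCHEMES = {"sms", "smsto", "mms", "mmsto"}
SHORT_CODE_MAX_DIGITS = 6   # short numbers are often premium rate
MAX_BYTES = 2000            # capacity figure quoted in the post
URI_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):(\S.*)", re.S)

def triage(payload):
    """Classify a decoded 2D-code payload. Returns a verdict; never acts on it."""
    text = payload.strip()
    out = {"kind": "text", "action": "display", "target": None, "warnings": []}
    if len(text.encode("utf-8")) > MAX_BYTES:
        out["warnings"].append("payload larger than expected")
    if text.upper().startswith(("BEGIN:VCARD", "MECARD:")):
        out.update(kind="contact", action="confirm")
        return out
    m = URI_RE.fullmatch(text)
    if not m:
        return out  # plain text: show it, do nothing else
    scheme, rest = m.group(1).lower(), m.group(2)
    if scheme in MESSAGE_SCHEMES:
        # Handles both sms:NUMBER?body=... and SMSTO:NUMBER:TEXT layouts.
        number = re.split(r"[:?]", rest.lstrip("/"))[0]
        digits = re.sub(r"\D", "", number)
        out.update(kind="message", action="confirm", target=number)
        if 0 < len(digits) <= SHORT_CODE_MAX_DIGITS:
            out["warnings"].append("short code, possibly premium rate")
    elif scheme in ("http", "https"):
        try:
            parts = urlsplit(text)
        except ValueError:
            parts = None
        if parts is None or not parts.hostname:
            out.update(kind="url", action="block", warnings=["malformed URL"])
            return out
        out.update(kind="url", action="confirm", target=parts.hostname)
        if parts.path.lower().endswith(RISKY_EXT):
            out["warnings"].append("link points to an installable file")
        if "@" in parts.netloc:
            out["warnings"].append("userinfo in URL hides the real host")
    elif scheme in ("mailto", "tel"):
        out.update(kind=scheme, action="confirm", target=rest)
    else:
        out.update(kind="unknown-scheme", action="block")
        out["warnings"].append("unhandled URI scheme: " + scheme)
    return out
```

The verdict is meant to drive a confirmation prompt that shows the real target (host or phone number) and any warnings before the user decides.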




[...] A long time ago, more than 2 years ago actually, I blogged about the dangers of QR codes: [...]
Hi,
I have just read your post and would be grateful if you could tell me where the information came from?
Thanks and keep up the good work.
Hahah. Great article! The QR codes issue, as far as security is concerned, is very interesting. I posted about it last year in the context of phishing :)
http://un-excogitate.org/archives/2008/07/08/mobile-phishing-gets-easier/
-Christian