by donlzx 3724 days ago
I think this is a bad idea. Now imagine a new channel for all sorts of fake BSODs and out-of-band malicious links in the shown QR codes.

I think it's a great idea, in theory (although Microsoft's use of it here is pointless, as implemented). QR codes are just machine-readable text. Cryptic codes only accessible visually that are time-consuming and error-prone to copy by hand? QR codes were designed for this.

Security issues with QR codes, while they exist, should be considered flaws in the QR reader. Doing anything with a QR code by default apart from displaying its content (not the content behind the URL that might be in the QR code, the actual QR code content) should be considered a security risk. And if visiting URLs = ownage for your device, you've got bigger problems.

If little bits of plain text are too insecure for us to handle, we may as well give up on the whole web, never mind QR codes.

One of the problems, though, is that few, if any, people (at least in the US) actually know how to scan QR codes.
Now your PC malware can infect your mobile device. Wheee!

Microsoft is usually pretty good at modeling security threats these days. I'm surprised they did this, it's a bad idea.

I really don't see what the problem is here.
The idea they are talking about is most like the scenario where malware throws up a fake BSOD with its own QR code.

The user then scans the QR code to open a link to the Microsoft website with more details about the BSOD.

Except the QR code is fake and it opens a page that is targeted to infect your phone/tablet.

Now 2 devices are infected. Yay

Seems pretty convoluted to the point of absurdity.

If your threat model automatically assumes links are directly proportionate to infections then you're already screwed since getting a user to click a link is insanely easy, and if you had a link that would infect mobile devices you'd likely just drop it on a few news aggregators rather than go through this mess.

Threat modeling is about evaluating the risks, including how realistic they are. Your risk model is just unrealistic: you're now infecting PCs with malware for the sole purpose of generating a fake BSOD, which in turn creates a link, which in turn infects mobile devices. Why even infect PCs in that scenario? Seems much MUCH easier to trick mobile users into clicking links OR redirecting them (e.g. AD hijacking).

If you really wanted to attack mobile devices from an infected PC you'd likely use their direct USB connection; seems like a much more reliable route. It may also accomplish infections not normally possible from a simple link.

Not absurd at all. The malware infects the PC and does its bad thing. After it's finished doing the bad stuff, it creates a full screen window which looks just like a BSOD screen with the QR code containing the attacker's URL.

User scans the QR code and navigates to that URL. Now he thinks he's on microsoft.com and will readily hand over his Microsoft credentials.

When you have Bitcoin, bank accounts, credit cards, etc. as potential rewards, bad guys can (and do) get quite creative.

Oh man, you have no idea what the state of security is, or how persistent attackers are. This is definitely not absurd. In fact, I'll bet that attackers are writing code for this right now.

I've encountered Bad Guys who happily walk users through enabling Debug mode on their Android devices (requires a bunch of gyrations and scary dialogs). Many users are absolutely clueless about security, and will follow instructions in pursuit of !!Free Stuff!!. It's amazing.

Putting a QR code that takes your phone to some unpredictable site on the internet is a really, really bad idea. Even if you think your mobile platform is secure today, there will be zero-day exploits in the future, and malware authors will use this vector.

> Oh man, you have no idea what the state of security is, or how persistent attackers are.

It is only my day job...

You also forgot to explain why, if you had a link which auto-infects a mobile device, you wouldn't just post the link on Twitter/Reddit/HN/etc. rather than infect PCs and then "trick" users into going to the link.

If you're going to spend the time and money it takes to create PC malware, you're going to want specific value from that infection in and of itself, meaning information theft, botnet membership, spam proxy, etc. By using this BSOD route you're likely to expose your PC implant and lose the value there.

> Putting a QR code that takes your phone to some unpredictable site on the internet is a really, really bad idea.

So is clicking a link on Hacker News, but I bet you've done it dozens of times in the last hour.

> Even if you think your mobile platform is secure today, there will be zero-day exploits in the future, and malware authors will use this vector.

And by "this vector" you mean a link, on the internet? Again, explain why this is a bigger threat than email/Reddit/Hacker News/Twitter/etc. Or heck, explain why AD redirects aren't a threat?

What stops malware from doing this already? If your PC is compromised, what stops it, today, from popping up a message that says, "hey, open this url on your phone to [fix your registry|enter this contest|get free porn|pay our ransom|whatever]"?

No new attack vector was created by adding QR codes to BSODs. Most people aren't going to scan the QR code anyway, for the same reason they didn't search for the error codes: they don't know what to do with the info. They will restart the machine and eventually call a friend/relative/tech support for help.

> Seems pretty convoluted to the point of absurdity.

I dunno, trojan diallers and phishing seem pretty convoluted to me.

Mobile phones are a major target for attack in the UK at the moment.

I don't really understand what it is you're getting at.

It is convoluted because a PC infection is unnecessary in that scenario. You could skip it and accomplish the same thing.

Can't you just create a QR code that goes to a site that tells you "Your PC broke, to fix it install this software" or something... Then just rely on less experienced users thinking the faked BSOD is real.