by surfsvammel 612 days ago
Why would a QR be more safe from containing malware than another medium like a USB drive?

Is it just that the amount of data it holds is more constrained?


The USB protocol gives the drive access to all (physical) memory on the machine. QR codes only encode text (usually a URL but it can be any text).
>The USB protocol gives the drive access to all (physical) memory on the machine

Source? Unless you're using something like USB 4 (i.e. Thunderbolt), USB devices don't have DMA access.

Even Thunderbolt wouldn't have arbitrary DMA access unless your machine is lacking an IOMMU.
What about direct DMA access to the memory?
IOMMU typically controls access so that the peripheral only has access to memory the OS allows it to have.
No it doesn’t.
Yes. But using USB devices has a practically infinitely greater attack surface than parsing data embedded in a QR Code. It's not like you have to read QR Codes and go "echo $QRData | sudo bash"

"BadUSB is a computer security attack using USB devices that are programmed with malicious software.[2] For example, USB flash drives can contain a programmable Intel 8051 microcontroller, which can be reprogrammed, turning a USB flash drive into a malicious device.[3] This attack works by programming the fake USB flash drive to emulate a keyboard. Once it is plugged into a computer, it is automatically recognized and allowed to interact with the computer. It can then initiate a series of keystrokes which open a command window and issue commands to download malware." -- https://en.wikipedia.org/wiki/BadUSB