Journal of Tsinghua University (Science and Technology)  2022, Vol. 62 Issue (5): 825-831    DOI: 10.16511/j.cnki.qhdxxb.2021.22.044
Special topic: Vulnerability Analysis and Risk Assessment
Invisible QR-in-QR hijacking attacks
SONG Yubo1,2, YANG Guang3,4, CHEN Liquan1,2, HU Aiqun2,4
1. Jiangsu Key Laboratory of Computer Networking Technology, School of Cyber Science and Engineering, Southeast University, Nanjing 211189, China;
2. Purple Mountain Laboratories, Nanjing 211189, China;
3. School of Cyber Science and Engineering, Shanghai Jiao Tong University, Shanghai 200240, China;
4. School of Information Science and Engineering, Southeast University, Nanjing 211189, China
Abstract: Quick response (QR)-in-QR attacks are a type of QR code hijacking. A scanner must first identify the finder patterns to locate a QR code, and the code must be surrounded by a quiet zone that helps determine its position. Existing techniques cannot be used in actual attack scenarios because of the complex visual characteristics of the finder patterns and quiet zones. This paper presents an invisible QR-in-QR hijacking attack based on finder pattern modification and hidden quiet zones. Modifying the finder patterns of the malicious QR code hides it and allows a targeted attack on the specified software. Hiding the quiet zones conceals the position of the malicious QR code. Tests show that the invisible QR-in-QR hijacking attack method can implement effective attacks while hiding visual characteristics and can selectively attack WeChat and Alipay.
Key words: quick response (QR) code; QR-in-QR attack; finder patterns; quiet zone; visual characteristics
Received: 2021-08-30      Published: 2022-04-26
Funding: National Key Research and Development Program (2020YFE0200600)
About the author: SONG Yubo (1977-), male, associate professor. E-mail: songyubo@seu.edu.cn
Cite this article:
SONG Yubo, YANG Guang, CHEN Liquan, HU Aiqun. Invisible QR-in-QR hijacking attacks. Journal of Tsinghua University (Science and Technology), 2022, 62(5): 825-831.
Link to this article:
http://jst.tsinghuajournals.com/CN/10.16511/j.cnki.qhdxxb.2021.22.044  or  http://jst.tsinghuajournals.com/CN/Y2022/V62/I5/825