Parthenope, University of Naples
In the age of technology, QR codes have become a common tool for businesses and individuals to share information quickly and easily. These codes, which can be scanned with a smartphone or other device, contain a variety of data such as URLs, contact information and even travel information. While QR codes offer convenience and efficiency, they also raise important questions about confidentiality and privacy.
In this article, we analyze the confidentiality problem that arises when QR Codes are used to check the validity of a service, and how encryption can help solve it.
QR Codes are commonly used as a convenient means of distributing subscriptions to services such as public transport and airplane tickets. The main problem we wanted to solve was: “How can I be sure that this code is legit and was not fraudulently reproduced?” We used Unico Campania as a case study to see how an attacker could produce future codes for a subscription once he happens to get one.
First QR Code:
<aside> 30GIORNI TIC 2022-09-20T09:50 2022-10-20T23:59 6GHE6WJS3V 64 2 0 0877fd39aeb754c5540c92ccacabad5f64a6f7575126ebf925c1edf124 2022-10-03T11:51:22+02:00
</aside>
Second QR Code, generated a few days later:
<aside> 30GIORNI TIC 2022-09-20T09:50 2022-10-20T23:59 6GHE6WJS3V 64 2 0 0877fd39aeb754c5540c92ccacabad5f64a6f7575126ebf925c1edf124 2022-10-07T16:57:07+02:00
</aside>
As you can see, the two codes are almost identical: the only difference is the timestamp of the moment at which the code was generated. Once an attacker gets hold of a single code, possibly by taking a picture near the ticket barrier at the train station, he can easily reproduce QR Codes for the whole duration of the subscription.
Since that’s not ideal for the company that sells the subscriptions, we worked on a solution for that specific problem.
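The comparison above, together with one way a validator could bind the generation timestamp to the rest of the payload, as an added example that is not the authors' code and not the solution they developed. It uses an HMAC rather than encryption; the key, the 60-second freshness window, the field separator and the function names are assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# The two payloads shown above, copied from the article.
FIRST = ("30GIORNI TIC 2022-09-20T09:50 2022-10-20T23:59 6GHE6WJS3V 64 2 0 "
         "0877fd39aeb754c5540c92ccacabad5f64a6f7575126ebf925c1edf124 "
         "2022-10-03T11:51:22+02:00")
SECOND = ("30GIORNI TIC 2022-09-20T09:50 2022-10-20T23:59 6GHE6WJS3V 64 2 0 "
          "0877fd39aeb754c5540c92ccacabad5f64a6f7575126ebf925c1edf124 "
          "2022-10-07T16:57:07+02:00")


def varying_fields(a: str, b: str) -> list:
    """Positions of the whitespace-separated fields that differ."""
    fa, fb = a.split(), b.split()
    if len(fa) != len(fb):
        raise ValueError("payloads have different field counts")
    return [i for i, (x, y) in enumerate(zip(fa, fb)) if x != y]


def tag(key: bytes, payload: str) -> str:
    """HMAC-SHA256 over every field, generation timestamp included."""
    canonical = "\x1f".join(payload.split()).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def accept(key: bytes, payload: str, mac: str, now: datetime,
           max_age: timedelta = timedelta(seconds=60)) -> bool:
    """Validator check: the tag must match and the code must be fresh."""
    if not hmac.compare_digest(tag(key, payload), mac):
        return False
    generated = datetime.fromisoformat(payload.split()[-1])
    return timedelta(0) <= now - generated <= max_age


if __name__ == "__main__":
    # Only the last field (the timestamp) changes between the two codes,
    # so nothing else in the payload depends on when it was generated.
    print("fields that differ:", varying_fields(FIRST, SECOND))

    key = b"constructed-demo-key"  # constructed; held by issuer and validator
    mac = tag(key, FIRST)
    at_gate = datetime.fromisoformat("2022-10-03T11:51:50+02:00")
    days_later = datetime.fromisoformat("2022-10-07T16:57:30+02:00")
    print("fresh code:", accept(key, FIRST, mac, at_gate))
    print("same code, days later:", accept(key, FIRST, mac, days_later))
    print("timestamp changed, old tag:", accept(key, SECOND, mac, days_later))
```

With the timestamp covered by the tag and checked for freshness, a photographed code stops being accepted once the window has passed, and a payload with an edited timestamp fails the tag comparison.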