
A Brief Comparison of NFC Smart Posters and Quick Response … · 2013-01-01 · A Brief Comparison of NFC Smart Posters and Quick Response Codes Keith E. Mayes, ... developed by


A Brief Comparison of NFC Smart Posters and Quick Response Codes

Keith E. Mayes, Lazaros Kyrillidis, Konstantinos Markantonakis
ISG Smart Card Centre, Royal Holloway, University of London,
Egham, Surrey, UK, TW20 0EX
(keith.mayes, lazaros.kyrillidis.2011, k.markantonakis, @rhul.ac.uk)

Song Dong
Orange Labs UK,
Chiswick, London, UK, W4 5XS
([email protected])

1 Introduction

With the advances in mobile phone technology there is a lot of interest in being able to automatically access information or trigger a service by bringing the phone close to an object. One of the most obvious ideas is to use the phone camera to read and interpret a simple 1-Dimensional barcode, a capability which has subsequently been extended to deal with barcodes containing more information e.g. 2-Dimensional barcodes such as Quick Response codes (QR code) [1]. In parallel with the development of QR codes there have been significant advances in Near Field Communication (NFC) [2] [3] [4] [5], which amongst other things allows a mobile phone to interact with Radio Frequency ID (RFID) [6] tags that may be attached to objects. The interaction is achieved simply by bringing the phone within a few cm of the NFC compatible RFID (which we will also refer to as an NFC tag in this paper). The availability of different technologies (optical and Radio Frequency) with overlapping service capabilities can cause some confusion for potential Service Providers (SP) and customers alike, and the wrong choice can affect system security, usability, cost and logistics. In this paper we briefly consider the technologies and their capabilities, and attempt to clarify their strengths and weaknesses. We begin by introducing QR codes and NFC tags before making service comparisons and finally offering some suggestions and conclusions.


2 QR Codes

The QR Code is a very common 2-D barcode in use today. This code was developed by Denso Wave and initially was used in the automotive industry, but has since expanded into many other areas. A QR code is square and its size varies between 21x21 (version 1) up to 177x177 (version 40) modules (a module is a small black or white dot that represents the actual data). QR codes of 25x25 (version 2) are quite common as they are able to store a simple URL for access to a website. The primary parts of a QR Code are the following:

1. The small squares located at three corners of the code (except the bottom right corner). These squares form the position-detection pattern that helps the reader identify the location and orientation of the code.

2. The data area which contains the actual data and any error-correction data.

3. The quiet zone, which surrounds the QR code and separates it from its adjacent area, thus making it easier for the reader to locate the perimeter of the code and finally the data that the code contains.

The storage capacity of a QR code depends on its size and the level of forward error correction. Reed-Solomon [7] coding is used for this and depending on the level, it can correct between 7-30% of corrupted data [8]. There are four levels of error protection referred to as L, M, Q and H. The resiliency is achieved by adding redundancy, so this reduces the space for the payload data storage. Table 1 shows a comparison of data storage in various QR code versions for the four levels of error protection.

QR Type      Modules    Protected data bits
                        L (7%       M (15%      Q (25%      H (30%
                        recovery)   recovery)   recovery)   recovery)
Version 1    21x21      152         128         104         72
Version 2    25x25      272         224         176         128
Version 10   57x57      2192        1728        1232        976
Version 20   97x97      6888        5352        3880        3080
Version 30   137x137    13880       10984       7880        5960
Version 40   177x177    23648       18672       13328       10208

Table 1: QR Code Version Comparison

An example of a QR code is shown below - the URL points to the Smart Card Centre website!


Figure 1: QR Code with URL to Smart Card Centre Website

Clearly the QR code is not designed for storing large amounts of data regardless of the chosen error correction level. Furthermore, for simplicity of reading by most devices in diverse environmental/lighting conditions it is the smaller codes (version 10 or lower) that seem to be most often used in practice. Regardless of the code size, any reader can extract the QR code data and indeed anyone with a printer can create their own QR codes, which is convenient, but leads to some security issues. These limitations, and the fact that reading a QR code with the phone camera is not so easy and instant in some cases, have led to increased interest in NFC and RFID tagged objects.

3 Near Field Communication and RFID Tagged Objects

One means of advertising and service access that is enabled by NFC is the NFC Smart Poster. A Smart Poster can be any useful surface such as a magazine, a newspaper, even a statue and of course a poster. The poster will hold one or more NFC tags that will interact with any reader that comes into proximity. For interest, a picture of a typical RFID tag is shown in Figure 2, although the RFID would normally not be visible to the customer, who would simply tap the phone against some obvious indicated area on the poster.

The tag has no battery and is energised by an electromagnetic field generated by the mobile phone. The same field is used to achieve radio frequency communications between the tag and the phone.

Figure 2: Example RFID Tag

A tag typically stores data in a standardised manner called the NFC Data Exchange Format (NDEF) and each NDEF message contains a number of records that identify the type of stored data. For example, the data may be a URL pointing to a website, an SMS or telephone number or just simple text. When a user moves an NFC phone close to a smart poster, the phone reads the contents of the tag and executes an action e.g. opens a browser pointing to the URL or displays the text. The NFC interface communicates with four basic tag categories that are quite different in design, although adhering to the NDEF format provides application layer compatibility. In principle an NFC tag could store a significant amount of data, perhaps 1Mbyte, however cost limitations may dictate more modest devices for smart posters such as a 2kbit tag. An important feature is that NFC permits two-way communication protocols and the use of tags with cryptographic security protection.
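The NDEF record layout described above, as an added example (not code from the paper): a parser that walks the records of a message, pulls the URI out of plain URI records and out of nested Smart Poster records, and applies an exact-host allowlist before a reader would open it. The allowlist policy, the helper names and the sample tags are assumptions; the host names are the illustrative ones the paper uses in Section 4.4.

```python
import struct
from urllib.parse import urlsplit

# URI identifier codes (first payload byte of a URI record); subset of the URI RTD table.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}

def parse_ndef(message: bytes):
    """Return [(tnf, type, payload), ...] for a raw NDEF message (short or long records)."""
    records, pos = [], 0
    try:
        while pos < len(message):
            header = message[pos]
            if header & 0x20:                      # CF flag: chunked payloads
                raise ValueError("chunked records not handled")
            type_len = message[pos + 1]
            pos += 2
            if header & 0x10:                      # SR flag: 1-byte payload length
                payload_len = message[pos]
                pos += 1
            else:                                  # otherwise 4-byte big-endian length
                (payload_len,) = struct.unpack_from(">I", message, pos)
                pos += 4
            id_len = 0
            if header & 0x08:                      # IL flag: an ID length byte follows
                id_len = message[pos]
                pos += 1
            end = pos + type_len + id_len + payload_len
            if end > len(message):
                raise ValueError("record runs past end of message")
            rtype = message[pos:pos + type_len]
            payload = message[pos + type_len + id_len:end]
            records.append((header & 0x07, rtype, payload))
            pos = end
            if header & 0x40:                      # ME flag: last record of the message
                break
    except (IndexError, struct.error):
        raise ValueError("truncated NDEF message") from None
    return records

def extract_uris(message: bytes):
    """Collect URIs from URI records, descending into Smart Poster ('Sp') records."""
    uris = []
    for tnf, rtype, payload in parse_ndef(message):
        if tnf != 0x01:                            # only NFC Forum well-known types
            continue
        if rtype == b"U" and payload:
            prefix = URI_PREFIXES.get(payload[0])
            if prefix is None:
                raise ValueError("URI identifier code outside the subset handled here")
            uris.append(prefix + payload[1:].decode("utf-8"))
        elif rtype == b"Sp":                       # payload is itself an NDEF message
            uris.extend(extract_uris(payload))
    return uris

def reader_decision(message: bytes, allowed_hosts):
    """Map each URI on the tag to True (open it) or False (refuse); assumed policy."""
    return {u: urlsplit(u).hostname in allowed_hosts for u in extract_uris(message)}

def short_record(tnf, rtype, payload, first=True, last=True):
    """Build one short NDEF record; used only for the constructed samples below."""
    header = (0x80 if first else 0) | (0x40 if last else 0) | 0x10 | tnf
    return bytes([header, len(rtype), len(payload)]) + rtype + payload

# Constructed sample tags (not captured from real posters).
TITLE = short_record(0x01, b"T", b"\x02enSmart Poster", last=False)
LINK = short_record(0x01, b"U", b"\x01innocentsite.com/offer", first=False)
POSTER_TAG = short_record(0x01, b"Sp", TITLE + LINK)
ROGUE_TAG = short_record(0x01, b"U", b"\x01maliciousite.com/")
ALLOWED = {"www.innocentsite.com"}

if __name__ == "__main__":
    print(reader_decision(POSTER_TAG, ALLOWED))
    print(reader_decision(ROGUE_TAG, ALLOWED))
```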

Having introduced the basics of QR codes and NFC tags we will now attempt to make some comparisons in the following section.

4 QR Codes vs. NFC Tags

An exhaustive comparison of QR Codes and NFC tags is beyond the scope of this paper, so we will restrict our considerations to the case of a poster that is meant to direct the user to a particular website for data and service access. To make a comparison we need some relevant criteria. Much of the business interest around smart posters relates to spontaneity. If a user is interested by the poster and can take a simple and immediate action to access and/or purchase the related offer then he is more likely to do so than if he has to take some later and more complex action. Therefore spontaneity/ease-of-use is an important criterion, but so too is accessibility. If you offer a commercial service then you are likely to want as many people as possible to be able to access it and not just those with proprietary or niche mobile devices. Last but not least, you may need security if you are to protect your customers and your business from fake and malicious tags and/or QR codes.


4.1 Accessibility

We consider accessibility first as without it the user cannot invoke the functionality and so there would then be little point in discussing other requirements.

In order for a user to read and use a QR code, he needs a camera-enabled phone and an application that will handle the incoming information from the QR code. Most phones are equipped with a camera (even the medium and low end types) although a poor quality device may struggle with the higher version QR codes especially if they need to be read at a distance closer than the camera can achieve good focus. Whilst it is possible for some older phones to download applications it is not such an easy and common practice compared to smart phones so the reader application may present some barrier to use. Nevertheless, QR codes are quite commonplace and are widely used in mobile applications, especially in Japan.

By contrast, in order for a user to interact with an NFC poster, he must be in possession of a phone that has NFC capability. After a slow start to deployment, estimates from Deloitte [9] suggest that 200 million NFC phones, tablets etc. will be in circulation in 2012, growing to 300 million in 2013. Currently the functionality is mainly with the high-end (yet desirable and fast selling) smartphones and it will still take some years to migrate the existing customer base to NFC devices. There are certainly many services and trials that are using NFC tags and compatible phones, but the phone capability has limited their impact up to now.

4.2 Spontaneity/Ease-of-Use

If you tap (bring momentarily within a few cm range) an NFC smart poster tag with your phone it can launch your browser to the required URL. This is 10 out of 10 for spontaneity and ease of use. By contrast, to read a QR code, the user has to manually launch the QR code reading application that uses the phone camera. The user then moves the phone until the QR code is the requisite size and correct angle within the phone display, while avoiding lighting glare or shadow that may prevent reading the pattern reliably.

The NFC smart poster requires the user to get to almost touching distance, whereas the QR code could be some distance away such as on a large billboard, providing of course that the lighting is sufficient and the code pattern can be captured by the phone camera. Being a wireless technology, the NFC range could be further reduced by the use of attenuating barriers such as glass frames, or from close proximity to metal objects.

In general, reading a QR code is more awkward because the user has to place the camera and target correctly, while with the NFC reader he just has to tap or get into close proximity of the poster. This ability of NFC is expected to extend service to people that cannot easily use a camera, such as the elderly or disabled.

From the Service Provider (SP) viewpoint, ease-of-use may extend to creating the tags in the first place and then any subsequent management activities. Creating a QR code is very simple and anyone equipped with a computer, a printer and some sheets of stickers can easily churn out the codes. However, the code is fixed/static and the information cannot be modified after production and so replacement is the only means to effect a change.

An SP needs to obtain NFC tags and then personalise them prior to deployment, or possibly buy them pre-personalised from the tag vendor. In low volumes personalisation is not too onerous and requires a PC plus reader(s), however for high volume requirements, specialist equipment may be required to maintain adequate throughput. An advantage of the NFC tag is that it may be possible to update the contents e.g. if customers should be directed to a different URL. There are also added service options in that the tag could keep its own usage statistics for later extraction by the SP.

4.3 Cost

A good thing about QR codes is that they are virtually free. There is no IP licence charge and there are freeware applications that make the creation of a code a very easy task. By contrast, RFID tags are not free, although they are low cost. Prices fluctuate all the time and there is a huge variation with order volumes, but a reasonably capable tag might be about one Euro whereas the simpler ones may be tens of Euro cents. Personalisation will also add to the tag cost.

4.4 Security

A QR code is basically a pattern that is designed to be easily read by a machine with a camera interface. Anyone can see the code (and, if patient, extract the data by eye), obtain the information and, if desired, make a simple copy of the code. So there is no security protocol and in the worst case we might not be able to prove authenticity of the code, or protect the integrity of the data or its confidentiality. In this scenario the attacker can just generate codes of his choice, substitute them for the SP's and instead of being directed to the SP's website the unsuspecting user is taken to a fraudulent site. For example, a QR code may contain a URL that points to a website that when accessed by the user downloads malicious code (e.g. a Trojan horse) on the user's phone or tries to exploit browser vulnerabilities. An example of such an attack can be found in the case of the Trojan-SMS.AndroidOS.Jifake.f [10]: a user scans a malicious QR code; the URL is valid, however, it does not contain the aforementioned application and the user is redirected to another website where a "trojan-ised" (malicious) version of the original file is downloaded. Once the application is downloaded and installed, it starts sending SMS text messages to premium numbers, causing financial problems for the unsuspecting user.

The security situation with QR codes is not entirely hopeless as there are some things you can do with the "public" data. Basically you can add a Message Authentication Code (MAC) to show that the data is unmodified and was generated by a legitimate source. You might also encrypt the data so that the true contents are only known to the SP. Unfortunately, neither of these measures prevents copying of legitimate tags, but more importantly the fraudulent tags and associated website will not use these measures at all and so a default QR code reader will just take you to the attacker's site. A protection method within default QR code readers is the requirement for the user to confirm the action of going to a website. However, providing the site name sounds plausible, most users would just click OK, so the confirmation step probably has more impact on usability than security.
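What the MAC does and does not buy, as an added example that is not part of the paper: an SP appends a truncated HMAC-SHA256 tag to the URL, an SP-specific reader enforces it, and a default reader ignores it. The payload layout (`#mac=`), the 16-byte truncation, the function names and the demo key are assumptions; the capacity check uses the level-L figures from Table 1 with the byte-mode header sizes from the QR specification.

```python
import base64
import hashlib
import hmac

TAG_LEN = 16            # bytes of HMAC-SHA256 kept as the tag (assumed truncation)
MARKER = "#mac="        # hypothetical payload layout: <url>#mac=<base64url tag>
# Protected data bits at level L, copied from Table 1 for three versions.
TABLE1_LEVEL_L_BITS = {1: 152, 2: 272, 10: 2192}

def sign_payload(url: str, key: bytes) -> str:
    """SP side: append a truncated HMAC tag to the URL before printing the code."""
    tag = hmac.new(key, url.encode("utf-8"), hashlib.sha256).digest()[:TAG_LEN]
    return url + MARKER + base64.urlsafe_b64encode(tag).decode("ascii").rstrip("=")

def default_reader(payload: str) -> str:
    """A generic reader: opens whatever string the code contains, tag or no tag."""
    return payload

def enforcing_reader(payload: str, key: bytes):
    """SP's own reader: return the URL only if a valid tag is present, else None."""
    url, marker, tag_text = payload.rpartition(MARKER)
    if not marker:
        return None                                   # unsigned code: refuse
    try:
        tag = base64.urlsafe_b64decode(tag_text + "=" * (-len(tag_text) % 4))
    except ValueError:
        return None                                   # tag is not valid base64
    expected = hmac.new(key, url.encode("utf-8"), hashlib.sha256).digest()[:TAG_LEN]
    return url if hmac.compare_digest(tag, expected) else None

def fits_byte_mode(payload: str, version: int) -> bool:
    """True if payload fits a level-L code of this version in QR byte mode.

    Byte mode spends 4 bits on the mode indicator and 8 bits (versions 1-9)
    or 16 bits (versions 10-40) on the character count.
    """
    overhead = 4 + (8 if version <= 9 else 16)
    return len(payload.encode("utf-8")) * 8 + overhead <= TABLE1_LEVEL_L_BITS[version]

# Constructed sample data: a demo key and the illustrative host names from the text.
KEY = b"demo-key-not-for-production-use!"
PLAIN_URL = "http://www.innocentsite.com"
GENUINE = sign_payload(PLAIN_URL, KEY)
COPIED = str(GENUINE)                                 # a photocopy is bit-identical
TAMPERED = GENUINE.replace("innocentsite", "maliciousite")
UNSIGNED_ROGUE = "http://www.maliciousite.com"

if __name__ == "__main__":
    for name, code in [("genuine", GENUINE), ("copied", COPIED),
                       ("tampered", TAMPERED), ("unsigned rogue", UNSIGNED_ROGUE)]:
        print(name, "| enforcing:", enforcing_reader(code, KEY),
              "| default:", default_reader(code))
    print("plain URL fits version 2:", fits_byte_mode(PLAIN_URL, 2))
    print("signed URL fits version 2:", fits_byte_mode(GENUINE, 2))
```

The copied code verifies exactly like the original, and the unsigned rogue code is only stopped by the enforcing reader. The tag also pushes this URL past the 25x25 (version 2) capacity, and the symmetric key has to be provisioned to every reader application.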

NFC tags have the capability to provide a secure solution, proving the authenticity of the tag, the integrity of the data and maintaining its confidentiality. They can do this because they contain a chip which can be made to be attack resistant and supports bidirectional communication with the phone, underpinned by cryptographic algorithms. However, just because the capability exists does not automatically mean that it is being used. The choices of tags and protocols that end up on posters are often compromised by cost considerations and if an SP deploys a cheap open-memory tag it is potentially worse than a QR code! Anyone can read the contents of an open-memory tag and so it suffers like the QR code, but furthermore, anyone can rewrite the contents. In this case the attacker's job is easy as he does not need to buy and install replacement tags, but just goes around reprogramming the legitimate tags with rogue URLs. In one published example the attacker website included malicious software and if the user allowed the browser to connect, the software was downloaded and installed on the phone. Such software might try to steal user credentials or perhaps just crash the phone for "fun". This type of attack can be quite effective if the attacker crafts the URL in such a way that the user cannot detect the danger. An example [11] is the following: the user thinks that the URL points to http://www.innocentsite.com, but instead the attacker created the URL in such a way that directs to http://www.maliciousite.com.


An SP would be advised against open-memory tags and there are write-once products aimed at preventing re-write by attackers. This does not stop the attacker from replacing the legitimate tag with his own or tricking the user to tap a different part of the poster where the attacker's tag has been added. Basically the problem is that if your general tag reading application has to cope with all manner of tags it may well accept tags that have little or no security credentials; which could be sourced by attackers. If you can ensure that secured tags will be read by a rigorous reader application then it is important to ensure that appropriate secured tags are used, otherwise attackers will simply use the wide range of attacks developed for attacking RFID protocols. MIFARE Classic [12] is a good example of a widely used RFID device that is based on a completely broken cryptographic algorithm, which would not protect against reading/writing of contents. Attackers might also seek to eavesdrop legitimate RFID transactions and a properly designed protocol is required.

Attackers can be quite innovative and create attacks based on unexpected usage scenarios. An interesting attack [13] describes how the NFC protocol implemented on Nokia phones can be used to send a malicious application to another phone. The two phones can be paired and exchange objects through the initiation of the Bluetooth interface. If one of these phones is placed behind a smart poster (with the additional use of a PC that has a Bluetooth interface), it can send a malicious application to the other phone (that touches the smart poster or is in proximity to it). The user of the latter phone needs to give permission only once and then the malicious software is installed and the victim's phone is under the control of the attacker.

5 Concluding Remarks

It seems likely that QR codes and NFC tags will co-exist for some time to come, and it is difficult to reach a clear-cut conclusion on which technology is best and most likely to dominate in future. If we wish to optimise spontaneity and ease-of-use then NFC would be the winner over QR codes, however if we require accessibility for most mobile customers then the positions would be reversed, at least for the immediate future. If cost is the main concern then QR codes take the lead as they are virtually "free", whereas NFC tags need to be purchased and personalised before deployment. What is clear is that there is enormous and growing interest in offering services via QR code and/or NFC tag reading by mobile devices. It is also clear that growth in these services is motivating attacker activity and there are numerous published attacks against both technologies, which threaten to undermine SP and user confidence. The security problems could be resolved in the NFC case as we have bi-directional communications, the potential for attack resistant tags and strong cryptographic protocols for protecting access, confidentiality and integrity. The same is not true in the QR code case as we have public information (that can even be decoded by eye) and unidirectional communications. You might be able to add an application layer MAC on the data and possibly some encryption (less likely), but not much more can be done. For any of the security measures (whether QR code or tag) to have effect, the mobile reader application must enforce the checks and protocols, which adds complexity, for example because of key management and algorithm requirements, and then of course concerns about phone malware. The economic, logistic and management aspects should also not be forgotten as they will tend to compromise the design and implementation of the system solutions, moving them further from information security best practice. In particular it should not automatically be assumed that an NFC tagged poster is more secure than a QR coded poster, as an inappropriate choice of tag, such as a low-cost rewritable memory, can even make it less secure. The NFC tag has the potential advantage to be a managed device so an authorised party could for example revise the stored URL. The tag could also collect data (perhaps a log of phone transactions), which when subsequently read by the SP could be of value.

As a final conclusion, we can say that the future of both technologies is still interesting. Despite some security concerns, both QR Codes and NFC enabled posters provide increased convenience to the average user. The basic concept of binding a physical item, with digital information and service access, provides a plethora of new possibilities for both users and business. Already we see QR codes on packages, bus stops, coupons, etc. and the beginning of NFC smart poster deployment. NFC in general is a very promising technology and once the necessary critical mass of NFC phones exists, it is extremely likely that they will be used for more and more everyday activities, as in supermarkets, cinemas, etc. The future of both technologies looks promising and fascinating, albeit rather worrying from a security perspective.


References

[1] International Organization for Standardization. ISO/IEC 18004 Information Technology - Automatic Identification and data capture techniques - QR Code 2005 bar code symbology specification.

[2] NFC Data Exchange Format (NDEF), Technical Specification, NFC Forum, NDEF 1.0, NFCForum-TS-NDEF 1.0, 24/07/2006.

[3] NFC Record Type Definition (RTD), Technical Specification, NFC Forum, RTD 1.0, NFCForum-TS-RTD 1.0, 24/07/2006.

[4] Smart Poster Record Type Definition, Technical Specification, NFC Forum, SPR 1.1, NFCForum-SmartPoster RTD 1.0, 24/07/2006.

[5] URI Record Type Definition, Technical Specification, NFC Forum, RTD-URI 1.0, NFCForum-TS-RTD URI 1.0, 24/07/2006.

[6] Klaus Finkenzeller. RFID Handbook: Fundamentals and Applications in Contactless Smart Cards, Radio Frequency Identification and Near-Field Communication. Wiley, third edition, 2010.

[7] Irving Reed and Gustave Solomon. Polynomial codes over certain finite fields. In SIAM Journal on Applied Mathematics, pages 8:300–304, 1960.

[8] Hiroko Kato, Keng T. Tan, and Douglas Chai. Barcodes for Mobile Devices. Cambridge University Press, 2010.

[9] Deloitte. NFC and mobile devices: payments and more! Technical report, 17 January 2012.

[10] Kaspersky Labs. Malicious QR Codes Pushing Android Malware. http://www.securelist.com/en/blog/208193145/Malicious_QR_Codes_Pushing_Android_Malware, 30 September 2011. Last visited/seen active on 10/07/2012.

[11] Collin Mulliner. Vulnerability Analysis and Attacks on NFC-enabled Mobile Phones. In 2009 International Conference on Availability, Reliability and Security. IEEE, 2009.

[12] Gerhard de Koning Gans, Jaap-Henk Hoepman, and Flavio D. Garcia. A practical attack on the MIFARE classic. Technical report, Institute for Computing and Information Sciences, Radboud University Nijmegen, 2008.

[13] Roel Verdult and Francois Kooman. Practical attacks on NFC enabled cell phones. In 2011 Third International Workshop on Near Field Communication. IEEE, 2011.
