If you think this is the end, you are wrong. Attackers have gone on to exploit vulnerabilities on mobile platforms by misusing various protocols and invoking service set commands on the mobile device. This approach is called a 'Telpic attack.' A Telpic attack applies a similar technique, using a QR code as the attack vector. As described in Tech Experiments, "it is a malicious way of tricking an Android user into reading a QR code through a mobile camera redirecting it to malicious URL." The technique is not limited to malicious URLs; it can also execute USSD ('Unstructured Supplementary Service Data') codes, which are vendor-specific commands.
There are tons of service list commands, starting from displaying the IMEI number to executing a factory reset command. Google it and you will find plenty of service list commands for various platforms and various models.
These service list commands are executed by exploiting a vulnerability in the handling of the 'tel' protocol on mobile platforms. You must have seen mobile websites offering a call button; when you click one, you are redirected to your phone's dialer. This is where the tel protocol is used to call the number from the mobile phone's dialer.
If an attacker generates a QR code embedding this protocol with a factory reset service command, imagine what havoc it may cause. As soon as the victim scans the QR code, the tel protocol is invoked, followed by the service command to reset the mobile phone, and all settings and data on the device are wiped in a matter of seconds. Detailed instructions about restoring deleted objects can be found in the mobile forensics course offered by the InfoSec Institute.
These kinds of malicious codes can spread through scanning a QR code, a catchy URL, near-field communication (NFC) sharing, etc. When tested on Samsung Galaxy's Android platform 2.2 (Froyo), I was able to execute the service set command to display IMEI just by scanning the QR code. On a Sony Xperia with Android 4.0.4 (ICS), the service command did not get executed. On an iPhone, the dialer didn't seem to execute the command automatically; the user has to click the send button before making any USSD requests. There are plenty of vulnerable devices; you just need to find one. Some mobile phones have received a patch to fix this bug. The most threatening USSD code is the factory reset code.
The next time you see a QR code in the wild, think twice before scanning. Do not let your curiosity cloud your judgment.
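A scanner app or link handler can screen a decoded payload before handing it to the dialer. The Python sketch below is an added example, not code from the original article; the function names and the sample payloads are constructed for illustration. It flags any `tel:` URI whose number part contains `*` or `#`, including percent-encoded and double-encoded forms, so that only plain phone numbers reach the dialer without an explicit confirmation.

```python
from urllib.parse import unquote

# '*' and '#' are what turn a dialable number into a USSD/MMI service code.
SERVICE_CODE_CHARS = set("*#")


def classify_scanned_payload(payload: str) -> str:
    """Classify a decoded QR/NFC/link payload.

    Returns 'not-tel', 'plain-number' or 'service-code'.
    """
    scheme, sep, rest = payload.strip().partition(":")
    if not sep or scheme.lower() != "tel":
        return "not-tel"
    # Percent-decode until the value stops changing, so that nested
    # encodings such as %2523 (-> %23 -> '#') cannot hide a '#'.
    number = rest
    for _ in range(5):
        decoded = unquote(number)
        if decoded == number:
            break
        number = decoded
    # Check the whole remainder, parameters included: conservative on purpose.
    if SERVICE_CODE_CHARS & set(number):
        return "service-code"
    return "plain-number"


def may_open_dialer(payload: str) -> bool:
    """Only plain numbers may be passed to the dialer without confirmation."""
    return classify_scanned_payload(payload) == "plain-number"


if __name__ == "__main__":
    # Constructed sample payloads. *#06# is the standard IMEI-display code.
    samples = [
        "https://example.com/menu",
        "tel:+14155550100",
        "tel:*%2306%23",
        "TEL:%2A%252306%2523",
    ]
    for s in samples:
        print(f"{s!r:28} -> {classify_scanned_payload(s)}")
```

A payload classified as `service-code` should be shown to the user in decoded form and never dialed automatically.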
What is the antidote?
1. First of all you need to verify whether you are susceptible to the vulnerability. Open the following link on your mobile's default browser: