Video above: Micro Version demo of usage.

What is QRLEAKS?

QRLEAKS is a set of scripts and tools -there's no need to reinvent the wheel- for transferring files using Quick Response codes ( http://en.wikipedia.org/wiki/QR_Code ). It offers a very simple way to QR-encode files and transfer them to devices that have video recording capabilities, for example, mobile phones. The software that makes this utility possible:
QR encoding tool: http://www.psytec.co.jp (JAPAN)
Blowfish* encryption tool: http://www.di-mgt.com.au (AUSTRALIA)
*Blowfish was designed by Mr. Schneier (USA)
MD5/BASE64 tool: http://www.fourmilab.ch (SWITZERLAND)
Base64 en/decoding scripts: http://www.jensign.com (CANADA)
Rest of scripts to put all together: Pentest Consultores (SPAIN)


What makes QRLEAKS interesting?

QR codes have limited capacity. This is very useful for transferring vCards, links, etc., but not enough to transfer common documents or files. To solve this design limitation, QRLEAKS breaks files into small chunks of data, QR-encodes them separately and shows them in a movie style. So QRLEAKS makes it possible to transfer standard files that can be decoded offline.


What is the performance in data transfer?

It depends on many variables: screen resolution, QR code size and area -symbol version and module size-, Error Correction Level, data type -numeric, alphanumeric, binary-, performance of the video recording device -resolution and frames/second-, encryption or clear text, data split method -base64, binary-, light noise -darkness, daylight,...-, etc. Anyway, in our tests -office environment, laptop to transfer and smartphone to receive- we have been able to "upload" binary files at a rate of 5 QR codes/second; that is, we can transfer a 6-page PDF of 37 Kb in 10 seconds. We estimate that if someone improves the technique by modifying the encoding to better fit the screen, applying streaming techniques and, of course, with a decent development effort, then it would be possible to reach 50-100 kb/second.


How can the market benefit?

Users are now able to download standard files -not just links and vCards- from any display-enabled device.


What about the impact on corporate security?

From now on, it will be even more difficult to keep control of corporate data leaks. You can control or disable most of the I/O devices of the user's computer -Internet, external storage, sound card,...- but end users still need a monitor... So as long as the user is able to execute a program -like QRLEAKS- and is allowed to have a mobile phone at work, he would be able to steal information stored in the computer. This is probably not a good way to transfer gigabytes of data, but it works for small documents. Moreover, even in the case where the user has network access, extracting data in this way would be much harder to detect, because there will be no network footprint. We do not know if DLP -Data Loss Prevention- solutions will be able to solve that.
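
One way a defender could look for this channel on the endpoint, as an added example that is not part of QRLEAKS or of the original page: sample screen captures and raise an alert when several different frames each contain the three QR finder patterns (the 1:1:3:1:1 dark/light run ratio that QR readers use to locate a symbol). The frame format, the threshold and all function names are assumptions, and the frames are constructed test input.

```python
# Added example, not QRLEAKS code. '#' = dark pixel, '.' = light pixel.
FINDER = ["#######", "#.....#", "#.###.#", "#.###.#", "#.###.#", "#.....#", "#######"]

def make_frame(payload_bits, size=21, scale=2):
    """Constructed input: three finder patterns plus a few payload modules."""
    grid = [["."] * size for _ in range(size)]
    for oy, ox in ((0, 0), (0, size - 7), (size - 7, 0)):
        for y in range(7):
            grid[oy + y][ox:ox + 7] = FINDER[y]
    for i, bit in enumerate(payload_bits):
        grid[9 + i // 12][9 + i % 12] = "#" if bit == "1" else "."
    return ["".join(c * scale for c in row) for row in grid for _ in range(scale)]

def runs(line):
    """Run-length encode a pixel line as (value, start, length) tuples."""
    out, start = [], 0
    for i in range(1, len(line) + 1):
        if i == len(line) or line[i] != line[start]:
            out.append((line[start], start, i - start))
            start = i
    return out

def finder_centres(line, tol=0.5):
    """Centres of dark/light/dark/light/dark runs in the 1:1:3:1:1 finder ratio."""
    r, hits = runs(line), []
    for i in range(len(r) - 4):
        win = r[i:i + 5]
        if "".join(v for v, _, _ in win) != "#.#.#":
            continue
        unit = sum(n for _, _, n in win) / 7.0  # estimated module width in pixels
        if all(abs(n - k * unit) <= tol * unit
               for (_, _, n), k in zip(win, (1, 1, 3, 1, 1))):
            hits.append(win[2][1] + win[2][2] // 2)
    return hits

def count_finders(frame):
    """Count points where the ratio holds both along the row and down the column."""
    cols = ["".join(col) for col in zip(*frame)]
    found = set()
    for y, row in enumerate(frame):
        for x in finder_centres(row):
            if y in finder_centres(cols[x]):
                found.add((x, y))
    return len(found)

def qr_sequence_alert(frames, min_distinct=3):
    """True when several different captures each show a full QR symbol (assumed threshold)."""
    distinct = {tuple(f) for f in frames if count_finders(f) >= 3}
    return len(distinct) >= min_distinct
```

A single static QR code captured repeatedly does not trip the alert; only a changing sequence does, which is what the movie-style display described above produces.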



 


Video above: Video to frames conversion


Video above: Decoding the frames


Standard version: qrleaks.zip (128 Kb)
Micro version: download.zip (1 Kb)
Readme: Readme_qrleaks.txt
Decoder & Quality test scripts: decode_and_quality_test.zip (81 Kb)


The Standard version has BLOWFISH encryption and MD5 hashing enabled. It also includes the Micro version.

Notice: QRLEAKS is a demo tool so don't expect any future updates. To test it, download the file "qrleaks.zip" from the link above, unzip it, and run the "runme - NOCAPICOM.bat" file. The "runme.bat" file requires CAPICOM. It doesn't install anything and thus it's fully portable. Currently it should work only on Windows x86 platforms. We have tested it only on Windows 7.

Warning: the "Micro Version" lacks encryption, and its scripts have been stripped down and do not have error checking, descriptive messages, etc. Also, the download may not work if you have a proxy, and it requires CAPICOM to be installed. Watch the video to learn how to use it.

Known limitations:

File transfers via QRLEAKS are by default "one-way". This makes it very difficult to check that the full data has been received. Right now we are researching control channels to feed back to the tool information about the reception state -lost chunks of data, channel quality, etc.- The nature of the tool requires creative solutions to this problem. We are working on it.
QRLEAKS is software. Software, to run, must be "loaded" into the computer. And yes, we know that this could be the main problem to solve for "bad" guys... This is not a hacking tutorial, so we are not going to write a cookbook about how to transfer an external program to the target computer; anyway, it should be in the admins' interest to analyze their specific case. There are many possible scenarios, attacks, and solutions. Here are some of them:

1.- The target only has an output device -standard screen-. Without input options, the game is over, as we can't transfer QRLEAKS to the PC.
2.- The target has a touch screen. It depends on how the target has been hardened. Does the target have a virtual keyboard available...?
3.- The target has a screen and a standard keyboard that you can unplug, but you can't plug in anything other than a keyboard; then you can try to build a keyboard emulator with this:
http://www.sparkfun.com/products/8562
A Spanish guy did it in the past:
http://code.google.com/p/cimbulo/source/browse/#svn%2Ftrunk%2Fscripts%2Ftxt2hid
4.- The target has screen + keyboard + networking. In that case there are a lot of options. It depends on the kind of networking that you have in the target:
4a- Just able to access internal network. Try to download QRLEAKS from an internal computer...
4b- You are able to access the Internet but you are not able to download files... If you are able to "see" a web page, then you can download data. Maybe not an ".exe" or ".zip" file, but you can access the code in plain text and then copy and paste it to your computer. Have a look at the code of the Micro Version of QRLEAKS, what it downloads, how it works...

There are hundreds of other scenarios, and there are many, many ways of loading data into the computer. You have OCR, you have Wi-Fi, Bluetooth, sound card, you have web cam, you have DNS "txt" fields. And if you have Ethernet,... you can play a lot. Maybe you must deal with hardened targets... In that case, the execution of QRLEAKS can be a bit more difficult; it's a matter of understanding what the hardening policy is... which is really outside the scope of this project.

So QRLEAKS assumes you know how to load it in the target computer and that it can be executed.

Why the "QRLEAKS" name?

It is obvious that many people can exploit this technique as a new way of extracting any kind of information from computers. That made us think of Wikileaks, Openleaks and similar organizations... and that's the reason for the name.

Responsibility disclaimer:

Pentest Consultores takes no responsibility for the misuse of the software published on this page. All the information is for educational purposes only. Please follow the laws of your country.



Video above: Quality test