Can a camera on a laptop photograph my QR code on a phone I am using to login on the laptop?



stevesr0

Member
Dec 4, 2019
For a computer to "read" a QR code on another device, I assume it must have a webcam or other "camera".

If such a computer has been compromised so that content from the webcam is sent via malware to another site, could my SQRL QR code be used by someone else to log into my sites as me?

I apologize if this has been discussed, but I didn't hear this in the recent 2 hr video nor in a (brief) search just now.

Thanks in advance,

Steve
 

PHolder

Well-known member
May 19, 2018
I don't really understand your question. There are different uses of QR codes in SQRL, but the most common is logging into a site, so I assume you're referring to that.

The QR code is not a credential. It's a "beacon" of sorts that indicates "log in here." It simply indicates the site's URL along with a unique code (called by SQRL a NUT.) The NUT has to be unique to prevent a replay attack. There is no advantage to someone else getting a copy of this, because an identity needs to be unlocked and used with that NUT at that URL. If you are trying to use your phone to log into a PC, and someone uses a SQRL client behind you (over your shoulder) then they would log themselves into your screen, giving you access to their account. This doesn't seem much of a risk beyond being some weird prank.

In reality you don't want to use QR Codes to log in with SQRL because this implies a 3rd party device (usually a phone.) (The three parties being the PC displaying the QR Code, the server that sent it and the phone that scans it.) This mode implies two different IP addresses, one for the phone and one for the PC, which means that the CPS mode of SQRL cannot be used, and that puts you at risk of spoofing or man in the middle attacks. In general you would only do this on a PC where the SQRL client was not locally available, or where you would not trust the PC with your SQRL identity or password. Examples of this would be a kiosk or library PC.
 

AlanD

Well-known member
May 20, 2018
Rutland, UK
Another occasion when you might be using a computer to scan a QR code would be to transfer an existing identity from, say, a phone, to a PC. In such a case, the QR code alone is still of no use to any malware, as it also requires your password to unlock it.

However, if your computer has got malware on it which can intercept a scanned image, it might also include a keylogger, which could potentially also capture the password.

It has been previously defined that if you have malware on your device, SQRL, or any other login method, is at risk.
 

stevesr0

Member
Dec 4, 2019
Sorry for ignorance. I forgot that (effectively) the QR code transmits something different with each login. Thus, a static version of the QR code without the correct updating doesn't work (if I have that somewhat more correct now).

Thanks for clarifying.

stevesr0
 

shanedk

Well-known member
May 20, 2018
No one can log in as you without your unlocked SQRL identity. What you're talking about is similar to the "shoulder-surfing" attack often discussed on the newsgroup.

The attack works like this:
  1. Computer displays QR code
  2. Someone scans it over your shoulder
  3. You scan it.
  4. They log in before you do.
  5. The page refreshes, and all appears well to you.
Note that they aren't logged in as you, but you are logged in as them. If you're worried about how that could possibly be an issue, we've discussed scenarios where people put in information to what they think is their account, including credit card numbers, and the hacker gets them.

It's not a big attack, but one to be concerned about. This is why it's crucial that clients warn the user when the authentication fails!
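The single-use nut from PHolder's reply and the shoulder-surfing race from shanedk's post, as an added toy model (not SQRL reference code): the server binds each nut to the browser session that is showing the QR, the first valid answer consumes it, and a replayed or late answer is refused, which is the failure the victim's client must surface. The HMAC "signature" and all names are stand-ins for illustration; real SQRL uses public-key signatures.

```python
import hashlib
import hmac
import os


def client_sign(secret: bytes, nut: str) -> str:
    """Stand-in for the client's signed query over the nut (assumption: HMAC)."""
    return hmac.new(secret, nut.encode(), hashlib.sha256).hexdigest()


class SqrlLoginServer:
    """Toy server: one nut per displayed QR code, consumed by the first valid answer."""

    def __init__(self):
        self.pending = {}     # nut -> browser session currently displaying that QR
        self.sessions = {}    # browser session -> identity it was logged in as
        self.identities = {}  # identity name -> shared secret (stand-in for a public key)

    def register(self, identity: str, secret: bytes) -> None:
        self.identities[identity] = secret

    def issue_nut(self, browser_session: str) -> str:
        nut = os.urandom(8).hex()          # fresh, unpredictable beacon value
        self.pending[nut] = browser_session
        return nut

    def authenticate(self, identity: str, nut: str, tag: str) -> str:
        # A photographed or replayed QR carries a nut that is unknown or already used.
        browser_session = self.pending.pop(nut, None)
        if browser_session is None:
            return "fail: nut unknown or already consumed"
        secret = self.identities.get(identity)
        if secret is None or not hmac.compare_digest(tag, client_sign(secret, nut)):
            return "fail: bad signature"
        self.sessions[browser_session] = identity   # browser is now logged in as identity
        return "ok"


def shoulder_surf_demo():
    """Attacker answers the victim's QR first; victim's own answer is then refused."""
    srv = SqrlLoginServer()
    srv.register("victim", b"victim-secret")      # constructed sample identities
    srv.register("attacker", b"attacker-secret")
    nut = srv.issue_nut("browser-1")
    first = srv.authenticate("attacker", nut, client_sign(b"attacker-secret", nut))
    second = srv.authenticate("victim", nut, client_sign(b"victim-secret", nut))
    replay = srv.authenticate("victim", nut, client_sign(b"victim-secret", nut))
    return first, second, replay, srv.sessions["browser-1"]
```

The victim's client receives the "fail" result and must warn the user; the browser session is logged in as the attacker, not the other way round.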
 

ramriot

Well-known member
May 24, 2018
I remember this too. There was some talk about mitigation by having the site and the client display the site-specific public key as a randomart visualisation ( http://users.ece.cmu.edu/~adrian/projects/validation/validation.pdf ) before proceeding with the second-loop AUTH query. If I remember correctly, there was no consensus, and soon after the focus was on same-device and CPS while mostly deprecating QR code login as an edge case.
 