Is SafeEntry Really Safe?

George Chen
Jul 4, 2020

It isn’t surprising to see cybercrime rise during a pandemic or an unprecedented crisis such as this. And it’s a shame to see hackers take advantage of the pervasive use of certain technologies while others are using them to save lives.

A commendable effort to contact-trace the spread of coronavirus in Singapore is SafeEntry, our national digital check-in system that records personal particulars including full name, national identification number, and mobile number of individuals visiting touch points around the island such as shopping malls, cabs, restaurants, parks, various facilities as well as a growing list of venues.

In a nutshell, SafeEntry encompasses a unique QR code at entry and exit points for individuals to check in and check out, used for contact tracing.

Image source: https://www.todayonline.com/singapore/covid-19-safeentry-digital-check-system-deployed-more-16000-venues-spore

Regarding the usage of QR codes to collect personal data, I have security-related reservations, and here are my top five concerns.

Security Concerns

1. Most people don’t check for the authenticity of the page source linked from the QR code.
Some don’t know that QR codes could be malicious.
It is easy to create a look-alike phishing page and to generate a QR code.

2. High attack surface area.
These QR codes are placed literally everywhere, with almost 200k scattered around our small city. That greatly increases the attack surface and exposure, and there’s no way for all 200k touch points to be monitored and checked. There’s also a tendency for people to lower their guard as such an implementation becomes more popular, especially during a rush or in packed queues.

If I were a malicious actor who replaces a QR code on the backseat of a cab, it’s going to be untraceable. Or I would just create new QR posters and stick them around different touch points.

3. Plenty of techniques to conceal malicious tactics.
i. Using deceptive domains (homograph, typosquatting, Punycode, etc.), or even long subdomain names.

For example, safeentry.g0v.sg, or safeentry.gov.sg.shoppingmall.malware.com, a long URL which is often partially hidden on mobile browsers because of the narrow display width.

sample domain that is available

ii. Or try https://safeentry.gov.sg:443@medium.com/@geochen and see where we land.

iii. What about URL hops, along with shortener?

QR → bit.ly/safeentry4444 → malware.net/evil.php → safeentry.gov.sg

It’s transparent to users, and whatever malicious code runs in between wouldn’t be noticed. The shortener can be edited and cleaned up after evil is committed.

iv. Or using an open redirect vulnerability, if available, to redirect users using the legitimate domain.

v. How many of us actually know the full legitimate URL anyways? Consider these:

safentry.org
safeentry.com
bedokmall.safeentry.gov.sg
SAFEENTRY.G0V.SG
safe.entry.sg

For all we know, bedokmall.safeentry.gov.sg could be a resulting subdomain takeover, which isn’t an uncommon misconfiguration. Knowing the legitimate subdomain offhand could be helpful.

Some efforts were made to purchase look-alike domains, but it can never be comprehensive
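The deceptive URL shapes listed in this section can all be caught by parsing the QR payload and comparing the exact host against an allowlist before anything is opened. The following is an added example, not code from SafeEntry or from the original post; `inspectQrUrl` and the single-entry `ALLOWED_HOSTS` list are assumptions made for illustration.

```javascript
// Added example. ALLOWED_HOSTS is an assumption: the article uses
// safeentry.gov.sg as the legitimate domain; a real reader would ship
// the operator's published host list.
const ALLOWED_HOSTS = new Set(["safeentry.gov.sg"]);

function inspectQrUrl(raw) {
  let url;
  try {
    url = new URL(String(raw).trim());
  } catch {
    // e.g. "bit.ly/safeentry4444" with no scheme
    return { allowed: false, host: null, findings: ["not an absolute URL"] };
  }
  // The WHATWG parser lowercases the host and converts IDN labels to
  // punycode, so comparisons are made on the form the browser connects to.
  const host = url.hostname;
  const findings = [];

  if (url.protocol !== "https:") findings.push("scheme is not https");
  if (url.username || url.password) {
    findings.push("userinfo before '@' hides the real host");
  }
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    findings.push("punycode (IDN) label in host");
  }
  if (!ALLOWED_HOSTS.has(host)) {
    findings.push("host not on allowlist");
    for (const good of ALLOWED_HOSTS) {
      if (host.endsWith("." + good)) {
        findings.push("unlisted subdomain of " + good);
      } else if (host.includes(good)) {
        findings.push(good + " appears inside a different domain");
      }
    }
  }
  return { allowed: findings.length === 0, host, findings };
}

// Constructed inputs, using the URL shapes discussed in this article.
const SAMPLES = [
  "https://safeentry.gov.sg/",
  "https://safeentry.gov.sg:443@medium.com/@geochen",
  "https://safeentry.gov.sg.shoppingmall.malware.com/",
  "HTTPS://SAFEENTRY.G0V.SG",
  "https://bedokmall.safeentry.gov.sg/",
  "bit.ly/safeentry4444",
];
for (const s of SAMPLES) {
  const r = inspectQrUrl(s);
  console.log(r.allowed ? "OPEN " : "BLOCK", s, r.host, r.findings.join("; "));
}
```

Exact-host matching also rejects shortener links and unlisted subdomains, since neither can be verified from the QR payload alone.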

4. Techniques to evade detection.
To stretch the previous examples further, the attacker could add an extra URL hop to only redirect 1% of users to a phishing page, or redirect based on IP addresses to evade vulnerability/threat scanners, or target specific user groups based on IP ranges, devices, operating systems (for an associated unpatched component), time, etc.

If a legitimate QR code was replaced, it might be noticed from the backend because of the decline in check-ins from that touch point. The attacker could perform a man-in-the-middle attack by forwarding a copy of the intercepted traffic to the legitimate site, over rotating proxies, to avoid raising suspicion.

5. Many QR scanners open links directly.
My iPhone’s native scanner does that. We can’t expect the vast majority to use a secure QR code scanner.

Direct access, and full URL hidden

What that means is that people might be accessing links blindly, allowing themselves to be vulnerable to drive-by-download malware or various hosted exploit kits.

Even without submitting personal data to phishing sites, accessing the malicious page itself would give up metadata of one’s device, and expose one to any potential cookie stealing, crypto mining, CSRF attacks (if the attack is targeted) and so on.

Other social engineering tactics could include directing users to download “government” mobile apps that would ultimately compromise the mobile device, and risk lateral spread.

Can we make QR safe?

There are various things that consumers, app owners, and browsers or phone manufacturers can do. Allow me to elaborate on the former two.

What app owners can do
Push for the usage of a designated native SafeEntry app where safeguarding measures are inbuilt while preserving convenience or user-friendliness.

Educate the general public when advocating the usage of QR codes. There is a paragraph-long advisory on the official SafeEntry page which basically advises users to check for the SafeEntry logo on the QR/poster, as well as on the page loaded from the QR code. That, in my opinion, is misleading, because it provides a false sense of security, i.e. phishing sites look deceptively similar to official sites, bearing the same interface and logos.

Image source: https://www.nparks.gov.sg/sbg/contact

What end-users can do
Users could also use various threat defence/monitoring tools or apps, for instance mobile apps relating to network security protection.

DNS filtering might help as well, though it’s trickier to change DNS provider on a mobile network as compared to Wi-Fi.

Using a secure QR code reader, Kaspersky’s QR Scanner for instance, might be another avenue to ensure phishing or malicious sites do not get loaded.

And hopefully general awareness like this (with a hint of skepticism and paranoia) would make SafeEntry safer.

George is the Head of CloudSec and AppSec at Dyson. He's passionate about cyber innovation and has filed over 50 cybersecurity patents.