The State Bar Association of North Dakota Spring 2013 Gavel Magazine | Page 14

LAWYER ETHICS & TECHNOLOGY

Quick Response Codes— Risks Hidden in Plain Sight

Justice Daniel Crothers
North Dakota Supreme Court

Quick Response or QR codes are everywhere. Magazines, newspapers, advertisements and even television sports programming often contain these boxes with squiggly designs. Yet few people know what they are called and many do not know what they do.

The name QR Code® is the registered trademark of Denso Wave, Inc., which allows widespread free use.i The codes themselves are two-dimensional barcodes readable by electronic devices with cameras, usually smartphones and tablet computers. One online source explains:

The QR code can store up to 4,296 alphanumeric or 7,089 numeric characters, and depending on the level of error correction chosen, up to 30 percent of smudged data on the tag can be restored. QR codes were created by a Toyota subsidiary in Japan in the mid-1990s to track parts on assembly lines.ii

While looking similar, QR codes can have very different functions, including linking to URLs or web addresses, containing text, communicating a location, automating the creation and sending of email and much more. For example, this QR Code opens the www.sband.org website:

Clicking on the following Code displays text saying “WARNING! You just scanned a QR Code and you had no idea where that scan would take you or what the scan might do to your device. Next time, be more careful what you are scanning!!”:

QR codes can be generated on websites at no [...]iii Users also ca[...]tion of the codes.iv Once generated, the codes can be displayed electronically, for example as boarding passes used by some airlines.v Or the code can be published in a magazine like this one or printed on a sticker that can be attached to nearly any physical object.

By now you might say, “This started out interesting, but why do I care?” You care because smartphones and tablets nearly always store information the owner does not want to become public. For those affiliated with the legal profession, that information can contain confidential client information, personal and business financial information, physical location of the device and even names, addresses or telephone numbers which, if disclosed, could compromise personal security.

Indiscriminately opening QR codes exposes the user’s device to electronic tampering or worse. One author described the dangers as follows:

The first step in mounting a QR exploit is to distribute the code itself, to get it in front of potential victims. This could happen by embedding the QR code in an email - making it an elaborate phishing exploit - or by distributing plausible-looking physical documents with QR code on them, for example flyers at a trade show, or even stickers applied to genuine advertisement billboards.

Once the QR code is distributed, then the attacker has a multitude of scam options to choose from. At a basic level, the code could simply redirect users to fake websites for phishing purposes - such as a fake online store or payment site. This exploits smartphones’ small screens, and the fact that the user may be in a rush, to obscure the difference between the fake and real site in the hope of capturing more user details.

More sophisticated exploits involve hackers using the QR code to direct users to websites that will ‘jailbreak’ their mobile device – that is, allow root access to the device’s operating system, and install malware. This is essentially a drive-by download attack on the device, enabling additional software or apps such as keyloggers and GPS trackers to be installed without the user’s knowledge or