When scanning a QR code or NFC tag with a mobile device, you should always be aware of the possibility of XSS, DoS and social engineering attacks. A simple redirect, for example, could forward you to a fake version of the Facebook login page (or that of any other social media site), or to a malicious wifi network. In addition, NFC tags in particular are often used to launch apps or adjust settings on your device (such as turning on wifi or mobile data).

In addition, you should always be aware of how much information is passed from your mobile device to every page you visit. Mobile device User Agent headers are typically much more specific than those of laptop or desktop PCs. This information can be gathered and stored along with your IP address and used to further identify a user.

If you look closely, you should be able to find your device's model number or name, the version of the operating system your device uses, the device's IP address and, in some cases, the vendor ID, which identifies the carrier without even having to do a reverse lookup on your IP. This information can be archived to create a profile of the typical visitor to your site, to analyze what types of devices and cell providers visit most often, or to confirm that a device is susceptible to a particular exploit or attack. Using the User Agent string in this way isn't a new idea by any means, but it is still as effective as ever. For more info on QR code vulnerabilities, you can contact the creator of this page at: info@qrcodepromos.net
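As an added example (not code from this page's author), here is a small Python parser that pulls the platform, OS version and device model out of a few User Agent strings and builds the kind of visitor record (IP address, date, header) described above. The regexes, the sample headers, and the IP and timestamp in the demo are all constructed for illustration, not captured from real visitors.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class DeviceProfile:
    platform: str              # e.g. "Android", "iOS", "Windows", "unknown"
    os_version: Optional[str]  # dotted version string when the header exposes one
    model: Optional[str]       # device model token (Android) or family (iOS)

# Constructed sample headers for the demo; not values captured from real visitors.
SAMPLE_UAS = {
    "android": "Mozilla/5.0 (Linux; Android 4.1.2; GT-I9300 Build/JZO54K) "
               "AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Mobile Safari/535.19",
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_3 like Mac OS X) "
              "AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10B329 Safari/8536.25",
    "desktop": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36",
}

# Android headers carry "Android <ver>; [<locale>;] <model> [Build/<id>]" inside the parentheses.
_ANDROID = re.compile(r"Android (\d+(?:\.\d+)*);\s*(?:[a-z]{2}-[A-Za-z]{2};\s*)?([^;)]+?)(?: Build/[^;)]+)?[;)]")
# iOS headers give the device family and the OS version with underscores instead of dots.
_IOS = re.compile(r"(iPhone|iPad|iPod)[^)]*?OS (\d+(?:_\d+)*)")
# Desktop Windows reveals the NT kernel version but normally no hardware model.
_WINDOWS = re.compile(r"Windows NT (\d+(?:\.\d+)*)")

def profile_user_agent(ua: str) -> DeviceProfile:
    """Extract the platform, OS version and model that a User-Agent header exposes."""
    m = _ANDROID.search(ua)
    if m:
        return DeviceProfile("Android", m.group(1), m.group(2).strip())
    m = _IOS.search(ua)
    if m:
        return DeviceProfile("iOS", m.group(2).replace("_", "."), m.group(1))
    m = _WINDOWS.search(ua)
    if m:
        return DeviceProfile("Windows", m.group(1), None)
    return DeviceProfile("unknown", None, None)

def visitor_record(ip: str, when: str, ua: str) -> dict:
    """One row of the kind of visitor table described above: raw fields plus the profile."""
    p = profile_user_agent(ua)
    return {"ip": ip, "date": when, "user_agent": ua,
            "platform": p.platform, "os_version": p.os_version, "model": p.model}

if __name__ == "__main__":
    for name, ua in SAMPLE_UAS.items():
        # Constructed IP address and timestamp, used only for the demo output.
        print(name, visitor_record("192.0.2.10", "2013-08-01T12:00:00Z", ua))
```

Run as a script it prints one record per sample header; the desktop header yields a platform and OS version but no model, which is the difference the note below the counters describes.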

Hits since start of last Defcon: 36350

Hits this Defcon: 25847

Your User Agent Header looks like this: CCBot/2.0 (http://commoncrawl.org/faq/) from 0.12

Note: if you are visiting from a PC and not a mobile device, this information will not include details such as the device model; however, it can be just as useful.

This is the fourth year in a row now that I've been putting these QR codes up at Defcon. If you've scanned one before and are still scanning them at this point, you may want to rethink the risk you run by doing so.

I decided to add a table this year; below you can see the IP address, date, and User Agent header of everybody who has visited this page since Defcon started.

I've also put up a few NFC tags this year. Look for the stickers that say "Bump me or scan me!". NFC is becoming increasingly popular and is arguably more dangerous than QR codes. NFC stickers can be written to using nothing but an NFC-equipped smartphone and an app similar to TagWriter, provided the sticker is not locked. I have not locked these stickers, and am curious to see what Defcon attendees decide to write to them, so feel free to hack away!
