.:Computer Defense:.

So, as I said yesterday, I'm a big fan of Microsoft Tags. There have been many times when I've been out and about and I've seen an ad or poster that I've wanted more details on, snapping a picture of a small barcode is much easier than jotting down the details. However, as I played with creating my own barcodes last night I thought about the security implications of them.

Let's imagine it's a year from now and tags are wildly popular. They are on every concert poster on every light post on the street. They are on billboards, bus schedules and in stores (put a barcode on your box so shoppers can pull up additional product info). Everyone is snapping pics and storing information. It's fast, it's easy and it's convenient.

Now I come along, Mr. Malicious... I visit the Microsoft Tag website and create tags pointing to malicious sites. The site detects if you have a Blackberry, iPhone or Windows Mobile and serves up custom browser exploits. I print out hundreds of these tags and start going into stores and pasting them to products, or walking down the street and covering up the tags on the posters with the malicious tags.

There's no confirmation of the site you're visiting, no testing (that I'm aware of) to ensure the link in the tag isn't malicious. Where's the defense against this?

What if they contain a malicious vcard file that harvests your contacts, or turns your phone into a sms spamming device?

I realize that Microsoft Tag is still a beta product, but I'm wondering what thoughts Microsoft has had around tag security, if any. Before I become to attached, it would be nice to know that when the subway gets Tag support, I won't be killing my phone by snapping the tag to get updated route schedules.