Tech Insight : QR Codes … A Security Risk?

In this tech-insight, we take a look at what QR codes are used for, review some well-known security risks, and outline what action you can take to protect yourself from malicious QR codes.

Quick Response (QR) Codes

A QR code is a machine-readable matrix (two-dimensional) barcode, invented in 1994 by Denso Wave, a Japanese automotive-components maker in the Toyota group, to track vehicles and parts during manufacturing. It stores data as a square grid of dark and light cells ('modules') that a scanner reads in two dimensions, horizontally and vertically, which is why it holds far more than the one-dimensional barcode on a shop product.

How They Work

The three large squares in the corners of the code are 'finder patterns': a scanner uses them to locate the symbol in the camera image, work out its orientation and size, and fit the grid of modules (the fourth corner is left free for data). Each module is one bit, and the bits, together with built-in Reed-Solomon error-correction codewords, are decoded to recover the stored data; that error correction is also why a code still reads when part of it is obscured or damaged. Most smartphones and tablets read QR codes through the built-in camera app; dedicated scanner apps also exist.
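To make the job of the three corner squares concrete, here is an added Python example, written for this page rather than taken from the article or from any QR library, that finds them the way a decoder does: scan each row of modules for dark, light, dark, light, dark runs in the ratio 1:1:3:1:1, confirm each candidate down its column, and record the centre. The 21x21 module grid it works on is constructed by hand, with a checkerboard standing in for the data region; 1 is a dark module and 0 a light one.

```python
"""Locate the three finder patterns in a grid of QR modules.

Added example, not from the original article.  The large squares in three
corners are 7x7 'finder patterns': every row and column through the centre of
one reads dark, light, dark, light, dark in the ratio 1:1:3:1:1.  A decoder
scans each row for that ratio and confirms candidates down the column (the
approach libraries such as ZXing take), then uses the three centres to orient
the symbol and fit the module grid.  The grid below is constructed by hand:
1 = dark module, 0 = light module.
"""
from __future__ import annotations

FINDER = ["1111111", "1000001", "1011101", "1011101", "1011101", "1000001", "1111111"]
RATIO = (1, 1, 3, 1, 1)


def make_symbol(size: int = 21) -> list[list[int]]:
    """Constructed test input: finder patterns in three corners, a one-module light
    separator around each, and a checkerboard standing in for the data region."""
    grid = [[1 if (r + c) % 2 == 0 else 0 for c in range(size)] for r in range(size)]
    for r0, c0 in ((0, 0), (0, size - 7), (size - 7, 0)):
        for r in range(r0 - 1, r0 + 8):
            for c in range(c0 - 1, c0 + 8):
                if 0 <= r < size and 0 <= c < size:
                    grid[r][c] = 0
        for dr, row in enumerate(FINDER):
            for dc, bit in enumerate(row):
                grid[r0 + dr][c0 + dc] = int(bit)
    return grid


def runs(line: list[int]) -> list[tuple[int, int, int]]:
    """Run-length encode a row or column as (value, start, length) triples."""
    out = []
    for i, v in enumerate(line):
        if out and out[-1][0] == v:
            out[-1] = (v, out[-1][1], out[-1][2] + 1)
        else:
            out.append((v, i, 1))
    return out


def finder_ratio(lengths: list[int]) -> bool:
    """True when five run lengths fit 1:1:3:1:1.  The module size is estimated as
    total/7 and each run may deviate by half a module, so the test is independent
    of how many pixels a module occupies."""
    total = sum(lengths)
    if total < 7:
        return False
    module = total / 7.0
    max_var = module / 2.0
    return all(abs(module * e - n) < max_var * e for n, e in zip(lengths, RATIO))


def cross_check(grid: list[list[int]], col: int, row: int) -> int | None:
    """Confirm a horizontal candidate by walking its column: the dark run containing
    `row` and its two neighbours on each side must show the same ratio.  Returns the
    vertical centre of that run, or None."""
    column = runs([line[col] for line in grid])
    for k, (value, start, length) in enumerate(column):
        if start <= row < start + length:
            ok = value == 1 and 2 <= k < len(column) - 2 and \
                finder_ratio([n for _, _, n in column[k - 2:k + 3]])
            return start + length // 2 if ok else None
    return None


def find_finder_patterns(grid: list[list[int]]) -> list[tuple[int, int]]:
    """Return the (row, col) centres of every confirmed finder pattern."""
    centres = set()
    for r, line in enumerate(grid):
        row_runs = runs(line)
        for i in range(len(row_runs) - 4):
            window = row_runs[i:i + 5]
            if window[0][0] != 1 or not finder_ratio([n for _, _, n in window]):
                continue
            _, start, length = window[2]              # the wide central dark run
            col = start + length // 2
            centre_row = cross_check(grid, col, r)
            if centre_row is not None:
                centres.add((centre_row, col))
    return sorted(centres)


if __name__ == "__main__":
    symbol = make_symbol()
    for line in symbol:
        print("".join("##" if v else "  " for v in line))
    print("finder centres (row, col):", find_finder_patterns(symbol))
```

Because the ratio test estimates the module size from the runs themselves, the same code finds the patterns when the grid is scaled up, which is what lets a phone read a code of any size or distance. A real decoder goes on from these three centres to locate the alignment pattern, sample the module grid and run the Reed-Solomon correction; this example stops at the step the paragraph describes.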

Uses

QR codes can store website URLs, phone numbers, contact cards, Wi-Fi credentials or plain text: up to 4,296 alphanumeric characters (7,089 digits) at the largest size and lowest error-correction level. Uses include sales and marketing (sending information about a business or product), restaurant menus delivered to the customer's own phone, direct links to an app download (Apple App Store or Google Play), postal tracking, education, confirming logins and authenticating online accounts, joining a Wi-Fi network (the code carries the network name, security type and password) and sending or receiving payment details. QR codes have also recently been used in coronavirus contact-tracing apps.

Are They Safe?

A QR code itself is just printed data: it cannot be 'hacked', and it collects nothing on its own. Any collection happens at the other end of the link. If the code points at a tracking or redirect service run by whoever issued it, that service can log how many times the code was scanned and when, roughly where (from the phone's IP address) and which operating system (iPhone or Android) was used, although not, normally, personally identifiable information. Although the technology is generally safe, consumer watchdog ‘Which?’ says of QR codes “not all of them are safe.”

Risks

Research, for example observations by the Unit 42 threat intelligence team at Palo Alto Networks, indicates that the proliferation of QR codes during the pandemic (they suit ‘no-contact’ service) has led cyber criminals to discuss and explore ways to exploit them.

Some of the risks associated with QR codes include :

– A human cannot read a QR code, so nothing about its appearance reveals where it leads; a malicious code looks identical to a legitimate one.

– Attackers can create malicious QR codes that direct users to fake or phishing websites that harvest their credentials and personal data.

– A QR code can point to a URL that serves malware or an exploit page, so following the link (or installing what it offers) could compromise the mobile device and steal data from it.

– QR payloads are not limited to web links: formats such as MECARD/vCard, mailto: and tel: prompt the device to add a contact, pre-fill an email or text message, or dial a number, which an attacker can use to plant a bogus contact or nudge the user into sending a message.

– Threat actors could present a malicious QR code with the promise of free internet access; a Wi-Fi payload joins the named network with the supplied credentials, so the network may be one the attacker controls, where they can eavesdrop, intercept data and harvest personally identifiable information.

– A malicious QR code can be printed as a sticker and pasted over a legitimate one (on a menu or a poster, for example), borrowing the trust the victim places in the surroundings.

Protection

Ways that you can protect yourself from threats posed by the use of malicious QR codes include:

– Only download QR scanning apps from trusted sources e.g., Apple’s App Store or the Google Play Store, and check that the app is well reviewed, bearing in mind that reviews are a weak signal. The scanner built into the phone’s camera app needs no extra install or permissions and is usually the safer choice.

– Use a scanner that shows you the decoded link before opening it (and ideally checks it against a reputation service), rather than one that launches the destination automatically.

– Check that the QR code you’re about to scan is being presented to you by a reputable source, and that it is part of the original material rather than a sticker applied over something else.

– Don’t act on a QR code if you’re not sure where it leads: preview the full URL, check that the registrable domain (the part just before the top-level suffix, not whatever appears at the start of the address) is the one you expect, and be wary of shortened links that hide the destination.

What Does This Mean For Your Business?

QR codes are a convenient, fast and flexible way to present data, but cybercriminals are always looking for new ways to operate scams such as phishing, and QR codes represent a possible new scamming opportunity.

Businesses can make sure that their own QR codes haven’t been tampered with or replaced with malicious versions by regularly carrying out integrity checks on their sites, apps and printed materials (e.g. by scanning each deployed code and confirming that the link it contains is the one that was issued). Businesses should also educate staff about how QR codes can be used by cyber criminals, while as individuals we should always use QR scanning apps from reputable sources and be cautious about scanning QR codes in unfamiliar locations and situations. It is also sensible to avoid using public Wi-Fi networks for business generally (without a VPN), and to avoid any ‘free Internet’ offers where there’s a QR code.
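Two of the points above lend themselves to a worked example: the Protection list’s advice to use a scanner that shows and checks the decoded link before acting on it, and the business-side integrity check of scanning deployed codes against the links they were issued with. The Python below is an added example written for this page, not code from the article’s author or from any scanner vendor; it takes the decoded text as input (any QR library can supply that), so it runs offline. The payload prefixes it recognises (WIFI:, MECARD:/vCard, tel:, mailto:, SMS and web URLs) are the de facto ones phones act on; the shortener list, the asset names, the example.com URLs and the 198.51.100.23 address are constructed sample data.

```python
"""Classify decoded QR payloads and audit deployed codes against a manifest.

Added example, not from the original article.  A scanner only hands the phone a
string, and what that string does depends on its prefix: classify() names the
kind and lists what a cautious scanner should warn about before acting, while
audit_deployment() is the business-side walk-round check that each printed code
still decodes to what was issued.  All sample data below is constructed.
"""
import ipaddress
import re
from collections import namedtuple
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}  # assumption: illustrative, not exhaustive
_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
_BARE_HOST_RE = re.compile(r"^(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?$", re.I)
_WIFI_FIELD_RE = re.compile(r"((?:[^;\\]|\\.)*);")  # one ';'-terminated field, escapes kept intact
Verdict = namedtuple("Verdict", "kind target flags")  # kind: url | wifi | contact | action | text


def classify_url(raw: str) -> Verdict:
    p = urlsplit(raw)
    scheme, host = p.scheme.lower(), (p.hostname or "").rstrip(".")
    flags = []
    if scheme != "https":
        flags.append(f"scheme {scheme!r} is not https: readable in transit, or handed to another app")
    if p.username is not None:
        flags.append("user@ prefix: the text before '@' is not the site you will reach")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a domain name")
    except ValueError:
        if "xn--" in host or not host.isascii():
            flags.append("internationalised domain: check for look-alike characters")
    if host in SHORTENERS:
        flags.append("link shortener: the real destination is hidden")
    netloc = p.netloc.rsplit("@", 1)[-1].lower()  # host[:port] with any userinfo dropped
    target = f"{scheme}://{netloc}{p.path or '/'}" + (f"?{p.query}" if p.query else "")
    return Verdict("url", target, flags)


def classify_wifi(raw: str) -> Verdict:
    """Parse WIFI:T:<auth>;S:<ssid>;P:<password>;; (each field ends in ';', backslash escapes allowed)."""
    fields = {}
    for item in _WIFI_FIELD_RE.findall(raw[len("WIFI:"):]):
        key, _, value = re.sub(r"\\(.)", r"\1", item).partition(":")
        if key:
            fields[key.upper()] = value
    auth, ssid = fields.get("T", "").upper(), fields.get("S", "")
    flags = [f"joins network {ssid!r}: confirm the venue really operates it"]
    if auth in ("", "NOPASS"):
        flags.append("open network: anyone nearby can read the traffic")
    elif auth == "WEP":
        flags.append("WEP: the encryption is broken")
    return Verdict("wifi", ssid, flags)


def classify(payload: str) -> Verdict:
    p = payload.strip()
    u = p.upper()
    if u.startswith("WIFI:"):
        return classify_wifi(p)
    if u.startswith(("MECARD:", "BEGIN:VCARD")):
        return Verdict("contact", p.splitlines()[0][:60], ["adds a contact: review every field before saving"])
    if u.startswith(("TEL:", "MAILTO:", "SMSTO:", "SMS:")):
        return Verdict("action", p[:60], ["dials or pre-fills a message: check the recipient first"])
    if _SCHEME_RE.match(p) or _BARE_HOST_RE.match(p):  # bare hosts open as http on most scanners
        return classify_url(p if _SCHEME_RE.match(p) else "http://" + p)
    return Verdict("text", p[:60], [])


def canonical(payload: str) -> str:
    v = classify(payload)
    return v.target if v.kind == "url" else payload.strip()


def audit_deployment(manifest: dict, observed: dict) -> dict:
    """Compare what each deployed code was scanned to contain with what was issued."""
    report = {}
    for asset, expected in manifest.items():
        scanned = observed.get(asset)
        if scanned is None:
            report[asset] = "missing"
        elif canonical(scanned) == canonical(expected):
            report[asset] = "ok"
        else:
            v = classify(scanned)
            report[asset] = f"TAMPERED: now {v.kind} {v.target!r}; " + "; ".join(v.flags)
    return report


# Constructed sample: what the codes were issued with, and what a walk-round scan found.
MANIFEST = {"table-07": "https://menu.example.com/t/7", "table-08": "https://menu.example.com/t/8",
            "poster-lobby": "WIFI:T:WPA;S:Example Guest;P:s3cret-pass;;",
            "exit-sign": "https://www.example.com/fire-plan"}
OBSERVED = {"table-07": "https://menu.example.com/t/7",         # unchanged
            "table-08": "http://198.51.100.23/t/8",             # sticker swapped for a raw-IP http link
            "poster-lobby": "WIFI:T:nopass;S:Example Guest;;"}  # same SSID, now an open network; exit-sign gone

if __name__ == "__main__":
    print(*audit_deployment(MANIFEST, OBSERVED).items(), sep="\n")
```

Run as a script, the walk-round report marks the swapped table sticker as tampered (raw IP address, plain http), catches the lobby poster whose Wi-Fi code now joins an open network under the same name, and lists the exit-sign code as missing. The same classify() rules, applied by a scanner app before it opens anything, produce exactly the warnings the Protection list asks for, and comparing canonical forms rather than raw strings means harmless differences in letter case or a trailing slash do not raise false alarms while a changed host, port or query string still does.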