TEQ Blog

Trojan QR Codes

QR codes are convenient, but are often an unwarranted security risk. A brief discussion of this risk, and some ideas on what we can do about it.

QR codes are widely used in Singapore, to the point that they have become ubiquitous. An email about an event I am attending this week contained a QR code for my registration. In the sushi store where I had lunch yesterday, I was asked to access the menu on my phone via a QR code. At a BNI meeting last week, a chapter member asked me to scan his QR code to go to his LinkedIn profile and connect. You’ll find these codes on product packaging and business cards, and they can even be used to initiate payment. And during COVID, we used them to track where we had been.

QR codes are a cheap, convenient way to capture data – most often website addresses (URLs). The tradeoff for this convenience is that they come with significant security risks that are often overlooked. The risk is that they can act as trojans – codes that maliciously pretend to be one thing (a convenient way to get to a website address) but are actually, and surreptitiously, doing something else. Like a giant wooden horse that pretends to be a parting gift but is actually a devious attack.

For simplicity, I am going to separate QR codes here into two types. In some cases, the codes are used by proprietary apps or code readers to capture data embedded in, or referenced by, the code. If the developer has done a reasonable job, this is reasonably secure. The QR code I show to register for my event this week, and the location QR codes used with dedicated COVID apps, are examples. While there is still some risk that these codes are hijacked, the risk to me and my data is very low.

The second, and typical, use of QR codes is to embed a URL. This saves the customer the hassle of entering a web address into their phone, and, by extension, the encoded URL can be a complex string of characters that many would find hard to type. So the URL could just as easily be my website, https://www.teq.nz, or something more complex like https://www.hackmydata.org/stealdata/RaNDomDataString. It is this type of QR code use that presents the most significant risk, and it is the type we discuss here.

The Inherent Risks of QR Codes

QR codes are, in essence, simple tools: barcodes that hold more data. That data can be read quickly by smartphones or other scanning devices – but not by people. It is in this simplicity that the danger lies. Anyone can generate a QR code with any destination URL, and there is no way to determine where a QR code will take you just by looking at it. A QR code could direct you to a legitimate website, but it could just as easily lead to a fake site designed to steal your information or install malicious software on your device.

This potential for malicious use is not well understood by customers. Scammers can create fake QR codes that look real and mimic trustworthy brands, businesses, or people. They can place these QR codes anywhere: on signs on the street, in buses and taxis; on parking meters; on notices on noticeboards; in emails and text messages; even in newspapers and magazines, social media, and websites. A physical QR code can also be hijacked by overlaying it with a sticker carrying a code that points somewhere else.

The very nature of QR codes means that customers have no visibility of the destination URL until they scan the code. My iPhone camera app will show me the QR code’s website address, which I then tap to proceed. With traditional website links, I can see the domain name and judge its legitimacy before clicking. I can hover my cursor over the link to get additional information. A QR code, however, requires trust in the source. Trust that the code on the noticeboard or screen is legitimate. Unfortunately, this trust is often misplaced. The bad guys can exploit this near-blind trust by placing malicious QR codes in high-traffic areas, on posters, or even replacing legitimate QR codes with harmful ones.

The Role of QR Code Readers

The responsibility to secure QR codes falls largely on the apps that read and translate these codes. Yes, some QR code readers provide a preview of the URL or other data before directing you to it. Some can even check the destination against a database of known malicious sites. However, even this is not foolproof. Fake or compromised QR code readers can further exacerbate the problem, leading your customers to believe they are safe when they are not.
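To make that preview step concrete, here is an added example (not code from the original post, and not any particular reader app’s logic) of the checks a QR reader, or a cautious user, can apply to a decoded payload before opening it. The denylist, the shortener list and every sample payload are constructed stand-ins; `.example` domains and the `192.0.2.0/24` range are reserved for documentation and point nowhere real.

```python
"""Preview and sanity-check a decoded QR payload before acting on it.

Added illustration, not the original post's code. KNOWN_BAD_HOSTS and
SHORTENER_HOSTS are constructed stand-ins for the "database of known
malicious sites" a real reader would query.
"""
from typing import Optional
from urllib.parse import urlsplit
import ipaddress

KNOWN_BAD_HOSTS = {"malicious.example", "login-update.example"}   # constructed
SHORTENER_HOSTS = {"short.example", "go.example"}                 # constructed
# Payload types that perform an action rather than open a page.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "wifi", "geo", "otpauth"}


def _host_warnings(parts, expected_host):
    """Checks on the host of a web URL; returns (host, warnings, hard_stop)."""
    warnings, hard_stop = [], False
    host = (parts.hostname or "").lower()
    if not host:
        return host, ["URL has no host"], True
    # "https://bank@evil": the text before '@' is a login name, not the site.
    if parts.username is not None:
        warnings.append(f"text before '@' ({parts.username}) is a login name; "
                        f"the real host is {host}")
    if host in KNOWN_BAD_HOSTS:
        warnings.append(f"{host} is on the denylist")
        hard_stop = True
    if host in SHORTENER_HOSTS:
        warnings.append(f"{host} is a link shortener; the destination is hidden")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address rather than a domain name")
    except ValueError:
        pass
    # Punycode (xn--) or non-ASCII labels can imitate a familiar domain.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("internationalised host name; may imitate a familiar domain")
    try:
        port = parts.port
    except ValueError:          # non-numeric or out-of-range port
        port = -1
    if port not in (None, 80, 443):
        warnings.append(f"non-standard port {port}")
    if expected_host:
        exp = expected_host.lower()
        if host != exp and not host.endswith("." + exp):
            if exp in host:     # e.g. www.teq.nz.menu-login.example
                warnings.append(f"lookalike: contains '{exp}' but is not that domain")
            else:
                warnings.append(f"host {host} is not the expected {exp}")
    return host, warnings, hard_stop


def inspect_payload(payload: str, expected_host: Optional[str] = None) -> dict:
    """Classify one decoded QR string and build the preview a reader should show."""
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    result = {"kind": "other", "preview": text[:80], "warnings": [], "verdict": "caution"}

    if scheme in ("http", "https"):
        host, warnings, hard_stop = _host_warnings(parts, expected_host)
        if scheme == "http":
            warnings.append("unencrypted http; anyone on the path can alter the page")
        result.update(
            kind="web",
            preview=f"{scheme}://{host}{parts.path or '/'}"[:80],
            warnings=warnings,
            verdict="block" if hard_stop else ("caution" if warnings else "ok"),
        )
    elif scheme in ACTION_SCHEMES:
        result.update(kind="action",
                      warnings=[f"'{scheme}:' payload triggers an action (call, "
                                "message, network join) instead of opening a page"])
    else:
        result["warnings"] = ["no recognised scheme; do not let the reader guess one"]
    return result


if __name__ == "__main__":
    # Constructed sample payloads a scanner might decode.
    for p in ("https://www.teq.nz/menu",
              "https://www.teq.nz@malicious.example/login",
              "http://192.0.2.10/pay",
              "WIFI:T:WPA;S:cafe;P:secret;;"):
        r = inspect_payload(p, expected_host="www.teq.nz")
        print(f"{r['verdict']:8} {r['preview']}")
        for w in r["warnings"]:
            print("         -", w)
```

The `expected_host` argument models the business-side case: a restaurant that knows its menu lives on one domain can run every code it prints through this check. Note the `@` case in particular: a reader that shows only the start of the URL will display the familiar name on the left of the `@`, while the browser goes to the host on the right.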

This introduces a new threat vector: the potential for fake or compromised QR code scanning apps. In an effort to secure QR code usage, users might inadvertently download an app that appears legitimate but is actually designed to funnel their data to the bad guys. This is yet another layer of risk that complicates the seemingly simple act of scanning a QR code.

Convenience at a Cost

The rise of QR codes reflects a broader trend in technology where convenience is often prioritized over security. By default, we demand quick, easy solutions, and QR codes offer a way to access information, websites, and services instantly and easily. Too often, convenience comes at a cost. The lack of transparency and inherent risks associated with QR codes make them a prime target for exploitation.

Awareness of the potential risks, and deliberate consideration each time you scan a code, are key ways to mitigate these risks. Be selective about the QR codes you scan, use a trusted QR code reader, and read the URL before proceeding – and actively consider whether the URL is appropriate.

I advocate going further. I won’t scan a QR code if it isn’t necessary (and even then, I am highly selective). I ask for a printed menu, a business card, or some other way to get the web address. We are often reminded not to click on links in emails and SMS messages from sources we don’t know. That is a good yardstick to use with QR codes as well.

There is no way to guarantee that a QR code is legitimate, or that a downloaded app on your smartphone is secure. There is no central agency that can impose standards on the market. Action requires each user, firm, and equipment supplier to cooperate, but even that will not prevent malicious use.

Scam Features

QR codes are not inherently dangerous. It is their use that demands a level of caution that is often ignored in favour of convenience. It is this convenience that the bad guys typically try to exploit.

An exploit can also be designed to appeal to other weaknesses, like urgency and thrift. ‘Scan now to save 20%’ or ‘Scan here before we run out’ and similar are designed to lower your defences, bypassing ordinary scepticism. Many other online scams operate on the same basis. The scammer’s goal is generally to steal data or to get you to download malware, which gives them access to other apps and features on your phone, such as your microphone and camera.

Most of these scams are phishing scams, sending the target to a fake website (often masquerading as a legitimate site) to capture sensitive user data or to initiate a fake process like two-factor authentication.

A New Business Risk

If you use a QR code in your restaurant to direct customers to your menu and ordering screen, and the QR code is hijacked, what is your liability? Probably low (unless you knew about it), but the reputational impact is likely to be significant. If you discover someone has hacked the code address, what is your security response? You’ll need one. If you are in business, and use QR codes, you need to prepare for these risks.

Don’t use QR codes if you don’t need to. QR codes on websites and in emails are unnecessary – you can use an ordinary URL link instead. If you use a code to point customers to a menu or instructions, ensure you have printed menus and instructions available as well. If you put a code on packaging, provide the complete URL as well. Wherever you are directing a customer to a URL, offer another option for that customer to navigate to you as well.

These security issues are unlikely to curtail the widespread adoption of QR codes, but we need to be aware that convenience often comes with hidden risks. Judging by the results of every other type of online risk awareness program, driving awareness will provide only minimal assistance; nonetheless, it is the only general option we have available.

September 2024 Update

There have been reports of people receiving an unexpected package, left on their doorstep. The package appears legit, apparently from Amazon, Shopee, or a similar well-known online store. The package is typically empty, or may contain some packing materials, along with a ‘packing note’ containing a QR code. If the QR code is scanned, the user is taken to a nefarious site that attacks the iPhone or Android device, aiming to grab sensitive data or access bank apps. This attack relies on recipients believing the package was meant to contain something, so they go in search of their ‘gift.’
