QR codes make it easy to reach web-based resources without struggling with the tiny keyboard of your smartphone. But do you really know what you’re going to get when you scan one?
The QR Code
Quick response (QR) codes are suddenly everywhere again. Invented in 1994 by an award-winning team at Denso Wave, a subsidiary of Toyota, the QR code has found its way into almost every industry. They’re like a barcode on steroids. They might look like drunken chess boards, but the higgedly piggedly black and white squares hold much more information than the stripes of a barcode. And QR codes can trigger one of a selection of actions inside the scanning device—usually a smartphone.
QR codes are found on product packaging, bus stops, and billboards. They’re on printed promotional material like tickets, flyers, and bar mats. You can see them on company vehicles, in-store promotions, and pop-up stands at exhibitions. Want to find out more about the product, event, or whatever is being promoted? Scan the code with your smartphone.
You can find QR codes hidden away inside servers and other hardware. If the visiting technician needs to refer to the manual but doesn’t have a copy to hand, they can scan the QR code and access the manual online.
If you use the LinkedIn mobile app, tap the cluster of squares in the search bar, then tap “My Code.” You’ll see your own personal QR code. It takes people straight to your LinkedIn profile. Increasingly, people are adding these to their CVs. You can even see QR codes in cemeteries.
The COVID-19 pandemic has helped fuel the QR code renaissance. The glory of QR codes is you don’t need to touch anything apart from your own smartphone to use them. It is a quick and easy contactless system—and everybody is already carrying a suitable scanner. And that makes it the perfect mechanism to access—or collect—information in a pandemic.
That’s why the advent of COVID-19 has seen the QR code take a central position in many businesses that routinely deal with the public. Restaurants, for example, are using QR codes to display the menu on diners’ smartphones. No need to handle a printed menu that has been doing the rounds in the restaurant since who knows when.
In the United Kingdom, the National Health Service’s Track and Trace application is based on QR codes. Venues display a custom poster with a location-specific QR code on it. Visitors scan the code, and the app records where you were and when. If someone reports symptoms of COVID-19, the NHS servers can crunch the data and work out who else has come into contact with that person.
The Problem with QR Codes
The most common use of a consumer-facing QR code is to launch a webpage on your smartphone. But they can do a lot more than that. QR codes can invoke different actions on a smartphone according to the information contained within the QR code.
Before you click on a weblink you probably visually check it for inconsistencies. It makes sense to verify the webpage it is going to take you has a sensible and plausible name. Is it really going to take you to the site it says it will, or to a copy-cat site that will steal your login credentials? With a QR code, you can’t tell. To the naked eye, they are completely impenetrable—their contents cannot be read by humans. Scanning a QR code is a leap of faith.
Our smartphones are an avatar of our real-world identity. They hold all sorts of personal data that is invaluable to the threat actors as well as access to apps like online banking, PayPal, and cryptocurrency wallets. A compromised smartphone is every bit as bad as a compromised computer.
Smartphones blur the lines between people’s private digital lives and their corporate or workplace digital lives. Some people who are issued with a company smartphone also have a private smartphone. For the majority, it’s easier and cheaper to have a single smartphone—their company smartphone—and use it for business and personal use.
People tend to be less security conscious in their personal web use than they do for corporate use. But if their smartphone becomes compromised, it jeopardizes the corporate network because connection details to VPNs and other accounts can be harvested by the malware. Business emails can also be siphoned from the device.
Of course, workers without a business smartphone will have a private smartphone, and are likely to connect that to the corporate Wi-Fi. Private smartphones are less likely to be protected by a VPN or endpoint protection suites.
Whether it is a company smartphone or a personal device, a compromised smartphone is a risk if it connects to the corporate network.
And smartphones can be compromised at the place of business. It’s becoming more common to include a QR code on a CV or résumé. It might take you to the applicant’s personal blog, or to their LinkedIn profile, or it might be malicious. Sending in a fake CV with a QR code on it is a low-key way to compromise a smartphone, with a paper-based attack.
What Can a QR Code Do?
QR codes can trigger a number of different actions within a smartphone.
- Launching a website. If it is malicious, it might be a copy-cat credential harvesting site, or it might infect your smartphone with a Trojan horse. The malware will then connect to the threat actors’ servers. Data may be transferred from your smartphone to the servers, or other malware can be downloaded to your smartphone.
- Add a malicious entry to your contacts. A specially crafted contact entry containing malicious information can trigger exploits on your smartphone.
- Add and connect you to a Wi-Fi network, which might be a malicious or a compromised network.
- Make a payment. Often on the pretext that it is a means to donate to a charity, malicious QR codes can take payments and allow the threat actors to capture your personal and account details.
- Make a voice call. If that call is to the threat actors, they now have your number and caller ID information. They may try to socially engineer other information out of you.
- Create an SMS text message. The QR code can create a text message addressed to the threat actors (or anyone they choose). This leaves you open to text-based phishing attacks, known as smishing attacks.
- Compose an email with pre-filled recipients and subjects, leaving you open to email phishing attacks.
- Sign up to follow social media accounts. Posts to the social media account will contain links that victims will tap, downloading malware to their handset.
QR codes can also create entries in your calendar, or obtain your location from your smartphone’s GPS, but these are less likely to result in a compromise.
Think First, Scan later
With QR codes, context is paramount. Where is the code? Who is the owner or provider of the code? If it is on a homemade flyer stapled to a telegraph pole, you can’t vouch for its veracity. You have no provenance for that code. If the QR is on a professionally printed poster in the reception area of a doctor’s surgery or a hospital, you can have greater confidence that the code is genuine.
But even so, check that another QR code hasn’t been printed on a paper label and stuck over the genuine code. You can’t tell by looking at it if the QR code is benign or malicious, but you can look for signs of tampering or modification. If it looks like it has been meddled with, don’t scan it.
Go through the settings in your QR code scanning app, and set it to display web addresses before launching the website or, in fact, conducting any other action. It’s a pity you need to introduce a human review in the use of QR codes, which are designed for a “scan and done” pain-free workflow, but combatting cybercrime requires constant diligence.