Yves here. As a dumbphone user, I’ve not had to think much about them, save how eager the officialdom has been in promoting their use. So cautionary notes like this seem awfully late in coming. Have any readers heard of cases of malware-type uses of QR codes? How did they occur?
By Scott Ruoti, Assistant Professor of Computer Science, University of Tennessee. Originally published at The Conversation
Among the many changes brought about by the pandemic is the widespread use of QR codes, graphical representations of digital data that can be printed and later scanned by a smartphone or other device.
QR codes have a wide range of uses that help people avoid contact with objects and close interactions with other people, including for sharing restaurant menus, email list sign-ups, car and home sales information, and checking in and out of medical and professional appointments.
QR codes are a close cousin of the bar codes on product packaging that cashiers scan with infrared scanners to let the checkout computer know what products are being purchased.
Bar codes store information along one axis, horizontally. QR codes store information in both vertical and horizontal axes, which allows them to hold significantly more data. That extra amount of data is what makes QR codes so versatile.
Anatomy of a QR code
While it is easy for people to read Arabic numerals, it is hard for a computer. Bar codes encode alphanumeric data as a series of black and white lines of various widths. At the store, bar codes record the set of numbers that specify a product’s ID. Critically, data stored in bar codes is redundant. Even if part of the bar code is destroyed or obscured, it is still possible for a device to read the product ID.
QR codes are designed to be scanned using a camera, such as those found on your smartphone. QR code scanning is built into many camera apps for Android and iOS. QR codes are most often used to store web links; however, they can store arbitrary data, such as text or images.
When you scan a QR code, the QR reader in your phone’s camera deciphers the code, and the resulting information triggers an action on your phone. If the QR code holds a URL, your phone will present you with the URL. Tap it, and your phone’s default browser will open the webpage.
QR codes are composed of several parts: data, position markers, quiet zone and optional logos.
The data in a QR code is a series of dots in a square grid. Each dot represents a one and each blank a zero in binary code, and the patterns encode sets of numbers, letters or both, including URLs. At its smallest this grid is 21 rows by 21 columns, and at its largest it is 177 rows by 177 columns. In most cases, QR codes use black squares on a white background, making the dots easy to distinguish. However, this is not a strict requirement, and QR codes can use any color or shape for the dots and background.
Position markers are squares placed in a QR code’s top-left, top-right, and bottom-left corners. These markers let a smartphone camera or other device orient the QR code when scanning it. QR codes are surrounded by blank space, the quiet zone, to help the computer determine where the QR code begins and ends. QR codes can include an optional logo in the middle.
Like bar codes, QR codes are designed with data redundancy. Even if as much as 30% of the QR code is destroyed or difficult to read, the data can still be recovered. In fact, logos are not actually part of the QR code; they cover up some of the QR code’s data. However, due to the QR code’s redundancy, the data represented by these missing dots can be recovered by looking at the remaining visible dots.
Are QR codes dangerous?
QR codes are not inherently dangerous. They are simply a way to store data. However, just as it can be hazardous to click links in emails, visiting URLs stored in QR codes can also be risky in several ways.
The QR code’s URL can take you to a phishing website that tries to trick you into entering your username or password for another website. The URL could take you to a legitimate website and trick that website into doing something harmful, such as giving an attacker access to your account. While such an attack requires a flaw in the website you are visiting, such vulnerabilities are common on the internet. The URL can also take you to a malicious website that tricks another website you are logged into on the same device into taking an unauthorized action.
A malicious URL could open an application on your device and cause it to take some action. Maybe you’ve seen this behavior when you clicked a Zoom link, and the Zoom application opened and automatically joined a meeting. While such behavior is ordinarily benign, an attacker could use this to trick some apps into revealing your data.
It is critical that when you open a link in a QR code, you ensure that the URL is safe and comes from a trusted source. Just because the QR code has a logo you recognize doesn’t mean you should click on the URL it contains.
There is also a slight chance that the app used to scan the QR code could contain a vulnerability that allows malicious QR codes to take over your device. This attack would succeed by just scanning the QR code, even if you don’t click the link stored in it. To avoid this threat, you should use trusted apps provided by the device manufacturer to scan QR codes and avoid downloading custom QR code apps.
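The checks the article recommends (look at the decoded data before acting on it, notice when a link would open an app rather than the browser, and confirm the host is the one you expected) can be automated. The following is an added example, not code from the article or from any scanner app; the payload strings and the "restaurant.example" host are constructed for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Schemes a phone's browser opens directly; any other scheme is a deep link
# that hands the payload to an installed app (the Zoom case in the article).
WEB_SCHEMES = {"http", "https"}

def triage_qr_payload(payload: str, expected_host: Optional[str] = None) -> dict:
    """Classify a string decoded from a QR code the way a cautious scanner
    would show it to the user: plain text, an app deep link, or a web link,
    plus warning flags for the web-link case."""
    parts = urlsplit(payload.strip())
    if not parts.scheme:
        # No "scheme:" prefix at all, e.g. a table number or a ticket id.
        return {"kind": "text", "flags": []}
    scheme = parts.scheme.lower()
    if scheme not in WEB_SCHEMES:
        # e.g. zoomus://, tel:, mailto:, or a WIFI: join record.
        return {"kind": "app-link", "scheme": scheme, "flags": ["opens-app"]}
    host = (parts.hostname or "").lower()
    flags = []
    if scheme == "http":
        flags.append("not-https")
    if parts.username or parts.password:
        # "https://bank.example@evil.example/" really goes to evil.example.
        flags.append("userinfo-in-url")
    if host.startswith("xn--") or ".xn--" in host:
        # Internationalised (punycode) label: classic look-alike vehicle.
        flags.append("punycode-host")
    if expected_host:
        exp = expected_host.lower()
        if not (host == exp or host.endswith("." + exp)):
            flags.append("host-mismatch")
            if exp in host:
                # Expected name embedded in a different domain, e.g.
                # restaurant.example.menus-online.example
                flags.append("lookalike-host")
    return {"kind": "web-link", "scheme": scheme, "host": host, "flags": flags}
```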
Another dumbphone user, although I did come up with a neat application for QR codes that didn’t quite work out.
I had put together an art display of space-themed and focused album covers for a Moon Day event in Dallas. Using a turntable that hooks up to a computer I had ripped a bunch of content to mp3. The intent was for the descriptions of each album to have QR codes via which the visitor could hear tracks from those albums while they were perusing the display. The museum couldn’t get the server part to work right so they weren’t used, but I thought it an entirely appropriate application for the then new technology.
Of course scammers are going to scam. Welcome to the new world, same as the old world. And as the economy gets worse and people get desperate there will be ever more attempts by folks to help themselves to other people’s stuff. Trust no one.
There’s that word “trust” again. “You won’t know who to trust.” ~ Gregor Ivanovich, Sneakers 1992
Trust nobody.
– Odysseus to the Cyclops
An article written by and for my grandma, I guess. Good job.
TLDR: “QR codes are not inherently dangerous.”
Compared with actually registering a lookalike domain name, which requires registration with a credit card or bank account, and the cost and work, QR codes provide a lower barrier of entry to scammers, do they not?
Also, mobile browsers do not make it easy to check a domain name. At any rate, a lot of restaurants have pdfs hosted on random domains that are not their own, so the user is downloading something from God knows where, and can’t the pdf file extension be faked?
TLDR: “QR codes are not inherently dangerous.”
But also “don’t mindlessly click in urls opened by QR codes”.
Another danger is that scammers can cover real QR codes posted by business owners for mobile payment with their own fake ones, simply by printing their code on a sticker. If not paying attention, you will be sending money directly to them instead of the business owner.
I’m sure veteran internet users here can easily spot fake web addresses. But a fake QR code? Seems not that easy.
A half-decent scanner will show the data it scanned and then ask what app to handle it with. The same rules apply as for any suspicious urls.
But, yeah. I only use my phone to scan QR codes I have printed myself. To test them.
The attack I am imagining is the attacker goes to a restaurant and covers up the QR codes with stickers of their own QR code to their own website which has a copy of the restaurant’s menu but loads malware in the background. It would not be hard to do and I am sure someone somewhere has done it.
I heard that scammers were placing malware QR stickers on the Citi-bike and scooter stalls around the city. I never use the things or the QR codes if possible. They are more and more commonplace here on menus and they are all over flyers, stickers, and posters etc. from professionally made ones to the ones someone printed at home.
These days many of us interact more with machines than we do with human beings. In order to reduce the risks inherent with human-machine interactions we ought to increase our human-human interactions while reducing our human-machine interactions. At a restaurant simply ask for a menu rather than scanning those ubiquitous QR codes. Fight back against all these dehumanizing tendencies. And pay with cash for Pete’s sake!!!
You know what I think? I think that QR codes are ugly as family blog!
And I still haven’t figured out how to make those family blogging things work with my smartphone. Yes, I admit it. I use a smartphone.
According to Apple, the iOS Camera app automatically decodes and presents any bar codes it sees in the rear camera.
For Android users, the Barcode Scanner app by the ZXing Team has been around since Android 1.1. It’s free, open-source, ad-free, tame, stable (no updates for 3.5 years because none needed), works well, and might already be preloaded on your device by the manufacturer or Google. Simply start the app, point the rear camera at a code, examine the decoded result on the display, then copy to clipboard/contacts/calendar, or visit or search on the web.
I instinctively knew the instant these things started showing up that they were not to be trusted (i.e., “dangerous”) — not for technological reasons cited by others here, but because of the privacy (sic) policies of the websites they link to. How many people actually read those policies, many of which are dozens of pages long, much less understand the legalese and deliberate obfuscation? Perfect example:
Just before Christmas, I was at Joann Fabrics (loathe the place, but it’s the only fabric store within 75 mi of my upstate NY town). The woman at checkout asked if I had a coupon; I did not. No problem, she said, she has a store coupon I can use. So confident was she of my gratitude, she scanned a QR code hanging next to the register and asked me to hold out my phone. Thinking, “No effing way,” I politely declined. She appeared shocked and asked whether I wouldn’t like 25% off my total order. Now, I knew from previous encounters that the discount applies only to certain items, which in this case wouldn’t have amounted to savings of even 75 cents. However, it was the bigger objection that I explained to her. “Oh no,” she tried to reassure me, “Jo-Ann’s doesn’t share customer information.” Very unlikely, I replied, that a large company like Jo-Ann’s doesn’t share personal data, at the very least with “trusted partners.” She had the temerity to insist that they didn’t have any partners, as they’re an independent, privately owned company (to which I burst out laughing), but hey, I was free to believe whatever I wanted, and if I didn’t want 25% off, it wasn’t hurting anyone but me. I let her finish ringing me up, and as soon as I got home, turned on the computer and went to the company’s website for their privacy policy.
Fairly short at only seven pages, it was nonetheless even worse than I’d imagined. I forget the particulars at this point, but vaguely recall it stated outright that they license information, and that their partners do likewise. They also collect information from smartphones within range of the store’s Wi-Fi (as do many others, but it took seeing it in writing to etch into my brain to make sure the Wi-Fi on my phone is turned off before I leave the house). I printed out a copy and set it aside, should there be an occasion to present it either to that check-out person or her manager.
Well, I got the opportunity a month or so later. As I was waiting in line, I watched as the same woman asked customers ahead of me if they had a coupon, and to a one, they held out their phones without question to be scanned. When it was my turn, I again declined the coupon and rather than waiting for her spiel, I handed her the printout and in my best sweet polite voice told her she was giving customers false and misleading information; that since I couldn’t believe she would do such a thing intentionally, I assumed the company hadn’t informed employees, so I’d helpfully printed out the seven-page document just for her. She uttered a curt “thank you” and finished checking me out with an icy stare, not another word. A couple of weeks ago, I had to go back, and there she was again, scanning phones, without objection. I politely said no thank you to the coupon, and when she pressed, I cut her off and said, “We’ve already had this conversation.” Total silence. And she had to have known that nothing she’d rung up was coupon-eligible, anyway.
How many other companies are tricking customers into giving away their personal information for free (or mere pennies)? And with QR codes, how much more are they getting besides a phone number and email address? IMO, this makes them dangerous, period.
Thank you for taking the time to research and share this info with us, it is appreciated!
TL;DR
Scanning a QR code is as risky as clicking an unknown link.
I should have known that but had blanked it out of my mind. Thanks for the article.
In Australia there was a mandate by the state governments to ‘check in’ before accessing certain locations, shops, services. The federal government consistently attempts to wash its hands of all covid related impositions by saying it is the responsibility of the State government, not the Federal.
By the way, if you look up ‘mandate’ in Black’s Law Dictionary it can be seen a mandate is not law but is merely an offer to contract, requiring consent of both parties.
Anyway, the State government in New South Wales (the most populous State, which includes Sydney, the capital) used its government services app ‘Service NSW’ to process and store and secure all the ‘check in’ data obtained, for every time someone visits a supermarket, gym, cinema, local council, or wherever the mandate applied. News broke a few months ago, January I recall, that a massive quantity of this check in data had been published on a New South Wales government website. Names, home addresses, contact numbers, et cetera. And some of the data was classified or secret. For example, military or police private storehouses and private personnel locations. Of course the data breach was all brushed aside with no consequences or repercussions.
And one other story in Australia I read on this subject. Someone had been replacing ‘check in’ QR codes in public locations with their own QR code that directed the user to information about the pandemic, and treating covid, directly contradicting the manufactured government narrative.
The consequences for the individual were far less serious than I expected. The party appeared before a court, received a small fine. And one of the directions from the magistrate being, to my amusement: ‘you are not to carry QR codes around with you’
Here’s a link on the data breach
That’s a serious problem. On the other hand, back when we were taking SARS2 suitably seriously, the check-ins were a big help to contact tracers (notably more so than some of the smartphone-based solutions used around the world, including the CovidSafe app in Australia) and making their important work that much easier, whether check-in was done on smartphone from a QR code link, or using the manual paper-and-pen guestbook-style sign in that many/most businesses here (in Melb at least, where I am) provided as an alternative to the QR codes.
(actually as an interesting aside, it’s easy to forget that in early 2020 the QR check-in system – again, in Melbourne at least – was a hodgepodge of private providers, often running on separate platforms. I think google provided one. This lasted for a few months before the Vic gov got serious and created their own system to replace this scattershot check-in system, which must have been pretty counterproductive, and, NSW breach notwithstanding, who knows what happened to that data. By contrast, I think SA’s check-in system went through the state government from the start.)
QR codes just like unknown links are inputs to software programs and like all inputs they need to be sanitized. Are SQLs inherently bad? Nope, but from time to time we still hear of SQL Injection attacks.
We are never going to have enough power sucking data centers.