I Don’t Scan QR Codes, And Neither Should You
I don’t scan QR codes, and neither should you, especially if you care about cyber-security and identity theft.
A QR code is a two-dimensional barcode that is readable by a smartphone with a camera or a mobile device with similar visual scanning technology. A single code can hold over 4,000 characters in a condensed, machine-readable format, and the format was designed as a rapid way to consume static content for a specific task. Once a program generates a static QR code (as opposed to a dynamic QR code, whose fields such as a URL can change), that code cannot be modified to perform another function.
Think of a QR code as a computer program with up to 4,000 characters of source code. It is not just an alternative way to present a website link; it is much more than that. Think of it as a set of instructions to another computer that may ultimately end with you visiting a website. Imagine if someone said, “Trust me, install this on your computer, everything will be fine!” That is what you are doing when you ‘scan and run’ a QR code.
Perhaps the QR code suggests it is just a ‘link to a website’, a way of saving you from typing in a particularly long and cumbersome link, a bit like the shortened links you find on YouTube and similar websites. Well, that is not what is happening with a QR code. It is quite feasible that you could scan a QR code and something like a popup message says, “Click OK to proceed.” You unsuspectingly think that is expected, right? Well, you would be wrong. You could very well end up at the website you expected to visit by scanning the QR code, but you might also have installed some kind of compromising software at the same time. So, unless you trust the publisher of the QR code implicitly, and can be 100% certain the QR code is doing exactly what the publisher says it is going to do, you should not scan it. How many times have you been told not to open an email from a dubious source, or click on links in emails from dubious sources? Scanning a QR code is absolutely no different. In fact, it can be much worse.
What about the QR code generator? Can you trust it? How do you know it has created a genuine QR code? Consider this scenario. You book a taxi to take you to a particular destination. The taxi driver says, “I just need to drop something off on the way.” You would have absolutely no idea if you were unwittingly involved in an illegal operation. A little extreme, I know. So, more realistically, you receive a letter from someone who wanted to recommend a great website. Perhaps it was a recipe they had found, or perhaps an article they thought you might find interesting. The question is, how did they generate that QR code in the first place? They may have had good intentions, but unwittingly used what appeared to be a genuine online QR code generator. However, whilst the QR code does actually link to the destination website, it also does some other things too. Who knows what! And that is the point. You really have no idea whether it was trustworthy or not.
So, what is the problem with QR codes? Surprisingly, the code format itself is not the source of cybersecurity risk, even for dynamic QR codes. The risk is in the content that has been encoded and potentially displayed for an unsuspecting user to scan. Once they scan it, that content can be the prelude to an attack.
Morey Haber, CTO and CISO at BeyondTrust, also has this to say about QR codes. To dive a little deeper, a QR code can contain the following risks:
Contact details: A QR code is similar to a virtual business card or VCD file that includes all your contact details such as phone number, email address and mailing information. This information is automatically stored in the device’s contact list when scanned. If the data is malicious, it could trigger an exploit on the device or place a rogue entry in your phone for your favorite airline or credit card.
Phone: Scanning a QR code automatically loads or starts a phone call to a predefined number. With all the recent robocall and SIM-jacking attacks, this is another method for a threat actor to access your phone and identity. You are basically calling someone you do not know and handing over your caller ID information.
SMS: Scanning a QR code initiates a text message with a predetermined contact by name, email address or phone number. The only thing the user needs to do is hit send, and you could potentially reveal yourself to a threat actor for SMS spam attacks or trigger the beginning of a SIM-jacking attack. A little social engineering is all it takes to convince the user to hit the send button.
Text: Scanning a QR code reveals a small amount of text in the code. While this seems low risk, QR codes are not human-readable and unless you scan one, you have no idea that the contents are actually just a text message.
Email: Scanning a QR code stores a complete email message with the subject line and recipient. All that is required is to hit send, and this could be the beginning of any form of phishing or spear-phishing attack. The threat actor knows your email address because you validated it by hitting send to an unknown destination.
Location coordinates: Scanning a QR code automatically sends your location coordinates to a geolocation-enabled application. If you are concerned about your data and location privacy, why would you ever do this?
Website or URL: Scanning a QR code can automatically launch and redirect you to a website. The contents could contain malware, an exploit or other undesirable content.
Calendar event: Scanning a QR code automatically adds an event to the device’s calendar, with the option of a reminder. Outside of a vulnerability in the local calendar application, the contents may be unwanted in a business or personal calendar, and deleting a recurring meeting is an annoyance if it was improperly entered.
Social media profile: Scanning this type of QR code initiates a “follow” for a specific profile on sites such as Instagram or Twitter, using the scanner’s personal profile. Depending on the social media platform, the account being followed may have access to your personal information and be aware that you are following them.
Wi-Fi network: This QR code stores Wi-Fi credentials for automatic network connection and authentication. If you consider all the threats of open Wi-Fi networks and even closed networks that use WPA2, the introduction of an unknown or insecure network to your preferred list is just a bad idea.
App store: Scanning links to a page directly on an app store can make an application simple to download. While this is convenient, the listing could be malicious (especially on Android devices) or could be a spoofed page using an embedded URL to trick you into loading an unsanctioned malicious application. Your best bet is to always navigate to an application yourself and not rely on a hotlink.
Finally, let’s address dynamic QR codes. These codes are generated once, but the data stored on them can be edited at any later date. They can include password protection and embedded analytics so creators can track how they are used. Dynamic QR codes can even add simple logic such as device-based redirection to have different behaviors for Apple iOS devices versus Google or Android. For example, based on the device, they can be redirected to the appropriate app store or music library. That alone allows a threat actor to target device and application exploits to specific assets to ensure a higher rate of success.
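The payload families listed above are the defender's handle on this problem: a scanner that decodes the code and shows the user what action it would trigger, before triggering it, removes the “scan and run” step. The following Python triage routine is an added example, not code from the article or from BeyondTrust; it assumes the payload has already been decoded to a string (the sample inputs in the comments are constructed) and maps it to the action a phone would normally take automatically, including the WIFI: credential format and the fact that a URL's final destination (as with dynamic, redirecting codes) cannot be verified from the code alone.

```python
import re
from urllib.parse import urlsplit

# Payload prefixes a scanner app acts on automatically, and the action it takes.
# Triage shows the action to the user instead of performing it.
PREFIXES = [
    ("BEGIN:VCARD",  "contact",  "add entry to contact list"),
    ("MECARD:",      "contact",  "add entry to contact list"),
    ("TEL:",         "phone",    "start a phone call"),
    ("SMSTO:",       "sms",      "open SMS composer with recipient and body"),
    ("MAILTO:",      "email",    "open mail composer with recipient/subject/body"),
    ("GEO:",         "location", "open maps at the given coordinates"),
    ("BEGIN:VEVENT", "calendar", "add event to calendar"),
    ("WIFI:",        "wifi",     "join network and save credentials"),
    ("HTTP://",      "url",      "open in browser"),
    ("HTTPS://",     "url",      "open in browser"),
]

def parse_wifi(payload):
    # WIFI:T:<auth>;S:<ssid>;P:<password>;H:<hidden>;;  fields end with ';',
    # and a literal ';' inside a value is escaped as '\;'.
    fields = {}
    for m in re.finditer(r"([A-Z]):((?:\\.|[^;])*);", payload[len("WIFI:"):]):
        fields[m.group(1)] = m.group(2).replace("\\;", ";")
    return fields

def triage(payload):
    """Return (kind, action, notes) for a decoded QR payload without acting on it."""
    upper = payload.strip().upper()
    for prefix, kind, action in PREFIXES:
        if upper.startswith(prefix):
            break
    else:
        return ("text", "display text only", [])   # e.g. constructed "Table 12"
    notes = []
    if kind == "url":                              # e.g. constructed "https://example.com/menu"
        host = urlsplit(payload.strip()).hostname or ""
        if host in ("play.google.com", "apps.apple.com", "itunes.apple.com"):
            kind = "appstore"
        notes.append(f"destination host: {host}")
        notes.append("host may redirect; final destination cannot be verified from the code")
    elif kind == "wifi":                           # e.g. constructed "WIFI:T:WPA;S:Cafe Guest;P:s3cret;;"
        f = parse_wifi(payload.strip())
        notes.append(f"ssid={f.get('S', '')!r} auth={f.get('T') or 'nopass'}")
        if (f.get("T") or "nopass").lower() == "nopass":
            notes.append("open network (no encryption)")
    elif kind in ("phone", "sms", "email"):
        notes.append("acting discloses your own number/address to the destination")
    return (kind, action, notes)
```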
If you are ever out and about and see a QR code on a wall, building, computer screen or even a business card, do not scan it. A threat actor can easily paste their malicious QR code on top of a real one and create their own copies, and based on appearance, you have no idea if the contents are safe or malicious. To that end, I never scan QR codes, and neither should you.