Wednesday 13th October 2021

BLOG: The Dangers of QR Codes

A QR code (Quick Response code) is a type of barcode that can be read easily by a digital device and which stores information as a series of pixels in a square-shaped grid. QR codes are frequently used to track information about products in a supply chain and, because many smartphones have built-in QR readers, they are often used in marketing and advertising campaigns. They have also played a huge role during the pandemic to trace coronavirus exposures and track and reduce the spread of the virus.

QR codes were developed in 1994 by Japanese company Denso Wave, a Toyota subsidiary. They developed a type of barcode that could encode kanji, kana, and alphanumeric characters because they needed a more accurate way to track vehicles and parts during the manufacturing process. To achieve this, In 2020, Denso Wave continued to improve on its initial creation. Their new QR codes include traceability, brand protection, and anti-forgery measures. There are many new uses for the QR code. Denso Wave made its QR code publicly available, and anyone is able to make and use QR codes.

The data stored in a QR code can include website URLs, phone numbers, or up to 4,000 characters of text. QR codes can also be used to link directly to an app download on the App Store or Google Play, validate online accounts and verify login details, provide access to Wi-Fi by storing details such as the SSID, password, and encryption type, and send and receive payment information.

Threat actors and cybercriminals can embed malicious URLs containing custom malware into a QR code, which could then exfiltrate data from a compatible device when scanned. It is also possible to embed a malicious URL into a QR code that directs to a phishing site, where unsuspecting users could disclose personal or financial information. While many people are aware that QR codes can direct to a link, there is less awareness of the other actions that QR codes can initiate on devices. Aside from opening a website, these actions can include adding contacts or composing emails. This element of surprise can make QR code security threats especially problematic.
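The sketch below is an added example, not code from the original post: it takes the text already decoded from a QR code and reports which action a device would offer (open a website, join Wi-Fi, add a contact, compose an email), plus warning signs on URLs, so the action can be shown to the user before anything happens. The prefix list follows common scanner conventions and the sample payloads are constructed; both are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Prefixes phone scanners commonly recognise, mapped to the action offered
# (de facto conventions assumed here; the article does not list them).
ACTIONS = [
    ("wifi:", "join Wi-Fi network"), ("mecard:", "add contact"),
    ("begin:vcard", "add contact"), ("mailto:", "compose email"),
    ("matmsg:", "compose email"), ("smsto:", "compose SMS"),
    ("sms:", "compose SMS"), ("tel:", "dial number"),
    ("http://", "open website"), ("https://", "open website"),
]

def url_warnings(url):
    """Return reasons a decoded URL deserves a second look before opening."""
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
    except ValueError:
        return ["malformed URL"]
    warnings = []
    if parts.scheme != "https":
        warnings.append("not HTTPS")
    if parts.username or parts.password:
        warnings.append("userinfo before host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode hostname")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain")
    except ValueError:
        pass
    return warnings

def classify(payload):
    """Map decoded QR text to (action, warnings) for display before acting."""
    text = payload.strip()
    for prefix, action in ACTIONS:
        if text.lower().startswith(prefix):
            return action, (url_warnings(text) if action == "open website" else [])
    return "show plain text", []

# Constructed sample payloads (documentation-range address and domain).
SAMPLES = ["WIFI:T:WPA;S:CafeGuest;P:example-pass;;",
           "mailto:billing@example.com?subject=Invoice",
           "http://203.0.113.7/login"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", classify(s))
```

A scanner app or kiosk that previews the result of `classify` removes the element of surprise: the user sees "compose email" or "join Wi-Fi network" rather than assuming every code is a link.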

A typical cyberattack using QR codes involves planting malicious QR codes in public, sometimes covering up legitimate QR codes. Unsuspecting users who scan the code are taken to a malicious web page which could host an exploit kit, leading to device compromise, or a spoofed login page to steal user credentials. Some websites do drive-by downloads, so simply visiting the site can initiate a malicious software download.

Mobile devices tend to be less secure than computers or laptops and generally require more cybersecurity monitoring. Since QR codes are used on mobile devices, this increases the potential risks. QR code-generating software does not collect personally identifiable information. The data it does collect, which is visible to the code’s creators, includes location, the number of times the code has been scanned and at what times, plus the operating system of the device which scanned the code (i.e., iPhone or Android).

QR codes themselves can’t be hacked; the security risks associated with QR codes derive from the destination of the codes rather than the codes themselves. Hackers can create malicious QR codes which send users to fake websites that capture their personal data, such as login credentials, or even track their geolocation on their phones.

Since the coronavirus pandemic, we have seen a surge in the use of QR codes. An international consumer survey found that the pandemic has led to a 57% increase in the usage of QR codes. Of the respondents, 77% stated that they had used QR codes prior to the pandemic, if less frequently than at present. Visitors to UK hospitality venues have often been invited to scan a QR code on arrival using the NHS Covid-19 tracing app to help trace and stop the spread of the virus. If someone tests positive for Covid-19 at that venue, other visitors to the location are alerted by an app, because of the data accumulated from QR code scans. QR codes are also used in other industries, such as product packaging, vehicle manufacturing for tracking parts, postal services and more.

A common QR code danger is clickjacking. Clickjacking is when cybercriminals use multiple transparent or opaque layers to trick users into clicking on a button or link on another page when they were intending to click on the top-level page. Another ploy used by cybercriminals and threat actors is the small advance payment scam. Some businesses or services use QR codes as a form of payment; cybercriminals can replace these codes with their own QR codes and receive money into their own accounts. In 2020, cybercriminals running QR code scams stole approximately 90 million Yuan (£13.5 million/$18.5 million) from innocent individuals. Phishing links can also be easily disguised as QR codes.
