How Secure is a QR Code? - Feb 2017
It would be easy to assume because of how basic a QR Code is, that few security concerns exist. There are however some areas in which QR Codes can pose a risk to your security and safety.
QR Codes are small harmless patterns printed onto a surface (billboard, poster etc) and their intent is only to help you get data from a printed medium to a digital medium. They cannot easily be read with the naked eye so they are particularly difficult to manipulate after publications.
You would also expect that given their use is mostly to provide the user with a small snippets of information conveniently, that nobody would be interested in altering them or making them malicious?
Well there are a couple of reasons and things to keep in mind.
The first and probably main reason would be phishing. Phishing isn't just limited to e-mails, viruses or Trojans. In fact due to the appearance of QR Codes, they can be an easy way to target unsuspecting users.
Picture this, you see a poster from your bank with an advert for a great new service they are offering, you trust your bank. The offer is for a limited time only so you jump at the chance to get more info. The banks include a QR Code which promises to take you straight to where you can take advantage of the offer. You scan the code and you're taken to a website as promised, only what you don't realise is that you've been taken to a replica website that's identical in appearance to the banks intended destination only not actually hosted by your bank. You proceed to sign up entering all your account details only to find the following day someone has gained access to your account because of the info you entered in that website. So how is this possible?
It's not as complicated as you may think. The reason this sort of thing can occur is because QR Codes are only meant to be machine readable. This means that a human looking at the code is unable to determine its content, or more importantly identify if it's been manipulated post production. All a scammer would need to do is create a QR Codes of the same dimensions as the one in the poster, that contains a link to the fake website they setup in advance, and cover the original QR Code in the posted with the new altered one. Maybe not everyone will fall for it, but many unsuspecting bargain hunters would scan the fake code rather than the one in the original poster. Their trust for their bank may make them less likely to question anything.
To pull this off, a scammer would need to do some preparation. They would need to understand the exact dimensions of the code and at the same time have equipment that would allow you to create and print the fake QR Code to those dimensions.
There is a way to do this with only a Pen and a lot of luck and incredible skill. Let’s assume there's a standard black and white QR Code on a poster, it would be technically possible to colour some of the white squares black. When I say possible, actually drawing black squares is easy, but drawing them in the correct place while ensuring the code is still scannable and will take a user to your website rather than the advertisers is an incredibly difficult task. it's unlikely this approach would be successful but there are certainly instances where it could be done. Things like altering the control data within the code could help someone achieve this.
Most risks with QR Codes stem from QR Codes not being readable to humans. They are pretty secure in their content however it's the ability to easily cover them up and not being able to easily identify a code as the original where the problems arise. A good examples of where things can go wrong is here,QR Code News - Heinz Sends Users To Porn Site, where the URL that the QR Code links to has been re-purposed after the promotion ends. The original QR Codes still exist but the destination address is no longer owned by the person who created the QR Code.
The examples given for phishing where the code is altered or the URL re-purposed for financial gain is only one potential consequence. There's a few other things to consider that may be a bit more serious. A Code that promises to presented the user with a specific image could be replaced to present a disturbing image as some sort of prank or to get a message across. A Code that was intended to give you directions could be replaced to take you somewhere else that is less safe, maybe even with someone waiting to greet you there. Contact details within a code could be changed so as to cause users to call a premium rate number. If 2 companies were competitors in the same market, Company A could hijack posters or other advertisements that contains QR Codes for Company B by replacing the QR Codes with their own.
These approaches all become considerably more difficult on a larger scale when attempted for example on a 30ft billboard.
In summary, while these threats are very real, they are unlikely to occur given their difficulty and ability to only effect people in the immediate area. QR Codes are becoming more common so these approaches will begin to get more focus from would be criminals. We may even start to see more intuitive ways of deceiving people via QR Codes.
Keep Reading: 7. What Are The Different Sections In A QR Code?
Or Jump To: