Questions? Call 604 304 0444

Are QR Codes Dangerous?

Jan 7, 2013

Perhaps you've seen the square, odd-looking black-and-white codes that have gained significant popularity in the past couple of years. They're called "QR codes" (short for "Quick Response codes") and they were first designed for use by the automotive industry in Japan. Generally speaking, they are not human readable. They are now common in magazine and newspaper advertisements, product brochures, in-store displays, and product packaging. More recently, they've started being used on business cards. They have no doubt become a fad, but can they be dangerous?

The general idea is that when you see a QR code, you're supposed to scan it with your smartphone and you'll immediately be taken to a website with more information on whatever product or service the QR code represents. For example, a QR code on a real estate agent's business card may take you to a website that highlights their current listings and contact details. Similarly, a QR code on a movie poster may take you to the official website where you can read more about the film and perhaps watch the trailer. Scan a code on product packaging or a brochure, and be immediately taken to the manufacturer's website for that product, complete with detailed specifications.

Most people who use email have been told of the dangers of clicking on links in messages. The dangers are quite real, and we've seen countless messages that imply they go to one place, but really go someplace completely different or even malicious. For example, a message could pretend to be from your bank, suggesting that there has been some suspicious activity on your account and that you need to verify your information with them. The text or maybe even an image of the bank's logo shows that it goes to your bank, but really, it goes to some criminal's server likely located in a foreign country. Depending on the sophistication of the bad guy, clicking the link can permanently compromise your computer or your finances.

Essentially, scanning a QR code is much like clicking a link in an email. Unsurprisingly, scanning these codes is proving to be just as dangerous as clicking email links. Smartphones are, after all, small computers that are always connected to the internet. Visiting a potentially nefarious website with a smartphone is dangerous because many smartphones are running horribly out-of-date software with known but unpatched vulnerabilities. Once your phone is compromised, the attacker can do anything: spy on you or your activities, transfer your data, activate the phone's camera/microphone/GPS, send expensive text messages, subscribe your phone to receive expensive text messages, capture email and website usernames and passwords, and so on. By the time the chaos begins, it's game over. The scary part is, there may never be any indication that your phone was attacked.

The criminals involved in these sorts of attacks have reportedly resorted to printing QR code stickers and attaching them in public places. The malicious sticker may be attached over an existing code, added to a box, or maybe attached randomly. A QR code attached to a lamp post near a bus stop could be scanned quite a few times by the curious. While shopping for a television recently at our local membership-required warehouse, I watched as another shopper scanned the QR code sticker attached to the outside of the large cardboard box. The code in question was probably OK, but really, there's no guarantee.

My advice is to treat QR codes with the same caution and skepticism as links in email messages. Rather than using a QR code, manually enter the address and visit the company's website the old-fashioned way. A bit less convenient, but definitely safer.
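For cases where a scanner app shows the decoded text before opening it, here is one way to apply the same skepticism to that text; this is an added example, not part of the original article. The function name `review_qr_payload`, the idea of passing in the domain you expected, and all sample payloads (reserved example domains and addresses) are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def review_qr_payload(payload: str, expected_domain: str) -> list:
    """Return reasons not to open a decoded QR payload ([] = nothing flagged)."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["malformed link"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return [f"not a web link (scheme: {scheme or 'none'})"]
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return ["no host in link"]
    findings = []
    if scheme == "http":
        findings.append("plain http, no transport security")
    if parts.username is not None:
        # "https://bank@other-host/" goes to other-host, not to "bank"
        findings.append("text before '@' is not the destination")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address")
    except ValueError:
        pass  # a name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label, possible lookalike characters")
    expected = expected_domain.lower()
    # The expected domain must be the END of the host, on a label boundary.
    if host != expected and not host.endswith("." + expected):
        findings.append(f"goes to {host}, not {expected}")
    return findings


if __name__ == "__main__":
    # Constructed payloads on reserved example domains and addresses.
    samples = [
        "https://www.example.com/listings",
        "https://example.com@login.example.net/verify",
        "http://example.com.account-check.test/",
        "http://192.0.2.10/promo",
    ]
    for s in samples:
        print(s, "->", review_qr_payload(s, "example.com") or "matches")
```

An empty result only means the link points where you expected; it says nothing about whether that site itself is safe.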


Chris Yuzik


Other services provided by Fractal Computer Services Inc.