QR code risks

There are around 70 variations on 2D barcodes to date. This article focuses on the QR code as used for ‘mobile tagging’ - scanning a 2D tag with a mobile device running software that can interpret and act on the data within the tag - and on the security implications of that use.

Quick-Response codes are useful as a method of object hyperlinking - the practice of linking static real-world objects to the internet - by containing a web address (URI) or contact information such as phone number, email address or social media details.

A mobile device with a camera and QR code software can ‘read’ the code by focusing in on the image, identifying position and alignment patterns in order to ascertain orientation, then decoding the content.

Some examples of the data that a QR code can contain:

  • An individual’s contact information, such as a vCard
  • A web address (URI)
  • Connection details for a WiFi access point
  • Calendar event, to add to your phone’s calendar
  • Google Maps location
  • Geolocation - longitude and latitude
  • Asset data
  • Access control data, such as for an individual at an event
  • Object position within Augmented Reality
  • Meta-data used by specific software
  • Payment transactions
  • Discount coupon
  • Login data as part of a multi-factor login process
  • Loyalty program data
  • Information in plain text
  • Tombstones - bio of the occupant

The obvious problem with QR codes is that you do not know what one contains until after you’ve scanned it. The ultimate blind link, if you will. If you trust the source you could risk it, but a much better idea is to install security software on your phone that can analyse the QR code payload before it is actioned.

The security software you use must be able to scan the payload for malicious content, whether it be in the form of a URL that will take you to a known malicious web site, or an exploit designed to perform an unauthorised action. The process of using QR codes to attack a smartphone is known as ‘attagging’, short for ‘attack tagging’.

Known malicious QR codes have been used to do the following:

  • Visit a malicious web site
  • Visit a web site that makes the owner money via referral or advertising income
  • Execute an XSS exploit
  • Execute a JavaScript exploit
  • Enable the microphone, camera or location tracking (GPS)
  • Access your contacts list, stored passwords or financial data
  • Send SMS messages or make calls to premium rate numbers
  • Add the handset to a botnet
  • Access your browser history
  • Read or write to local storage

Any QR code reader software should have a confirmation check with a mandatory user interaction. For example, a pop-up displaying the URL or intended action that the QR code contains, shown to the user in plain text with confirm and cancel buttons. It also pays to use common sense before scanning a QR code. Avoid codes on stickers stuck onto street furniture, posters or products, as opposed to codes that are integrated into the packaging design.
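One way to build the confirmation step described above, as an added example in Python (not code from the original article): it maps a decoded payload to a plain-text action for the confirm/cancel prompt, shows the real host of a URL rather than the raw string, keeps a Wi-Fi password off the screen, and offers no confirm button at all for schemes that execute code. The blocked-scheme set, the warning wording and the field layout are this example's own choices.

```python
import re
from urllib.parse import urlsplit, unquote

# Schemes a reader should never hand to the operating system: they run code or
# trigger actions that bypass the browser's normal prompts (set chosen for this example).
BLOCKED_SCHEMES = {"javascript", "data", "vbscript", "file", "intent"}

def describe_payload(payload: str) -> dict:
    """Turn a decoded QR payload into the plain-text action for a confirm/cancel prompt.

    Returns {"action", "detail", "allow"}; allow=False means the reader shows no
    confirm button at all, only cancel.
    """
    text = payload.strip()
    lower = text.lower()
    scheme = lower.split(":", 1)[0] if ":" in lower else ""
    if scheme in BLOCKED_SCHEMES:
        return {"action": "Blocked", "detail": f"'{scheme}:' payloads are never actioned", "allow": False}
    if scheme in ("http", "https"):
        parts, warnings = urlsplit(text), []
        host = parts.hostname or ""
        if "@" in parts.netloc:  # user@host form: the part before '@' is not the site being opened
            warnings.append("URL contains a username before the host")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            warnings.append("host is a bare IP address")
        detail = f"{parts.scheme}://{host}{parts.path or '/'}"  # show the real host, not the whole string
        if warnings:
            detail += " (warning: " + "; ".join(warnings) + ")"
        return {"action": "Open web page", "detail": detail, "allow": True}
    if scheme == "tel":
        return {"action": "Dial phone number", "detail": unquote(text[4:]), "allow": True}
    if scheme in ("sms", "smsto"):  # SMSTO:number:body or sms:number?body=...
        number = text.split(":", 1)[1].split(":")[0].split("?")[0]
        return {"action": "Send SMS to", "detail": number, "allow": True}
    if scheme == "wifi":  # WIFI:T:WPA;S:ssid;P:password;; (fields may escape ';' as '\;')
        fields = dict(re.findall(r"([A-Z]):((?:\\.|[^;])*);", text[5:]))
        ssid = re.sub(r"\\(.)", r"\1", fields.get("S", "?"))
        detail = f"SSID '{ssid}' ({fields.get('T', 'open')}); password not shown"
        return {"action": "Join Wi-Fi network", "detail": detail, "allow": True}
    if scheme == "geo":
        return {"action": "Show map location", "detail": text[4:], "allow": True}
    if scheme == "mailto":
        return {"action": "Compose email to", "detail": text[7:].split("?")[0], "allow": True}
    if lower.startswith("begin:vcard"):  # show the contact's display name (FN line) before adding it
        m = re.search(r"^FN:(.*)$", text, re.M | re.I)
        return {"action": "Add contact", "detail": m.group(1).strip() if m else "(no name)", "allow": True}
    return {"action": "Display text", "detail": text, "allow": True}  # plain text: nothing is actioned
```

The returned "detail" is what the pop-up shows; the reader only performs the action after the user presses confirm, and never when "allow" is false.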

If you have any suggestions or feedback for this article please email me.


Last updated: 17th February 2019