How to Protect Yourself From Malicious QR Codes


The QR (quick response) code has become one of the most popular ways to share information in offline environments. Although it was invented back in 1994 for tracking vehicle parts on assembly lines in Japan, the technology only became widely popular in 2017, when major smartphone manufacturers like Apple and Samsung integrated QR code scanning capability into their camera apps. Since then, QR codes have gained increasing popularity and are now used in many aspects of our lives. They are shown on print ads to replace lengthy URLs, used for financial transactions by mobile payment apps, printed on tickets, merchandise, and delivery tags to replace conventional barcodes, and are now used as digital IDs for COVID-19 contact tracing.

In fact, many of us only became familiar with QR codes after the COVID-19 pandemic began. Starting in East Asia and now adopted by many countries around the world, mobile apps provide one-time QR code IDs for identity verification and contact tracing upon entrance to indoor facilities, such as restaurants, cafes, and gyms. As we begin to take the technology for granted, let us take a closer look at how it works and how reliable it is.


The Benefits of the QR Code

Compared to conventional barcodes, which can only be read by barcode scanners, the greatest advantage of the QR code is that it is much easier to read. Ordinary built-in cameras of smartphones and tablets can read these codes accurately with little processing time needed. Additionally, the QR code can store significantly more information compared to conventional barcodes because it can be read both horizontally and vertically at the same time.

Since the QR code can store any data, it is very useful in a wide range of situations. However, as more and more people use them as digital IDs and payment tools, many are raising concerns about whether these codes are a secure method of exchanging information.


Are QR Codes Secure?

There are two sides to the answer. On the one hand, it is nearly impossible to launch an attack directly on the QR code itself. Hence, from the perspective of the sender (i.e. the person who generates the QR code), it is a comparatively safe method of sharing information such as digital IDs and tickets, or even making payments. On the other hand, it can be very easy for threat actors to generate their own malicious QR codes to attack the recipient (i.e. the person who scans the QR code).


How Do Attackers Exploit QR Codes?

One common method is to embed a malicious URL that delivers malware into a QR code, so that when a victim scans the code with their mobile device, the malware is downloaded and activated on the device. This method is very effective at either exfiltrating sensitive data or gaining remote access for espionage purposes.

Another method is to embed a link to a phishing page into a QR code. After the victim scans the code, they land on a seemingly legitimate page of a financial institution or government website asking them to fill in their personal information, account credentials, or payment information. QR code phishing has a very high success rate because all QR codes look the same to the human eye. A malicious URL usually looks suspicious; the domain might contain typos, switched-up letters, or be unrelated to what the site is about. However, a malicious QR code looks exactly like any other code out there, giving users no clue as to its legitimacy.

QR code exploits are mostly used to target mobile devices. This makes it even more difficult to mitigate them because smartphones and tablets usually have weaker security measures compared to computers. Additionally, people tend to use mobile devices on the go, so they pay less attention and are less cautious.


How to Protect Yourself From Malicious QR Codes?

Only scan QR codes from trusted senders. The easiest way to protect yourself is to only scan QR codes from trusted and legitimate senders, such as governments, schools, legitimate businesses and organizations. Never scan a QR code from an unknown source.

Watch out for fake posters and flyers. Attackers can create fake printouts that look as if they are from legitimate sources. If a poster or flyer does not appear to be in the right place, do not scan the QR code on it. 

Be aware of modified QR codes. Sometimes, attackers take an even easier approach by simply covering up the legitimate QR code with their own malicious QR code. Therefore, even if a poster is displayed on a legitimate advertising board or bulletin, double-check to make sure the QR code is not modified or covered by another code on top.

Double-check the URL. After opening the webpage embedded within the QR code, check the URL to make sure the page is in fact from the legitimate domain. Nevertheless, always be cautious before giving out any personal or financial information.
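
The "double-check the URL" step can also be automated on the text decoded from a QR code. The sketch below is an added example, not Penta Security's code; the expected domains, the sample inputs in the comments, and the distance threshold of 2 are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: domains the scanner expects for this poster or ticket (constructed).
EXPECTED = ("example-bank.com", "city.example.gov")

def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # "switched-up letters": two adjacent characters swapped
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def check_qr_payload(payload, expected=EXPECTED):
    """Return (verdict, reason) for the text decoded from a QR code."""
    try:
        url = urlsplit(payload.strip())
        host = (url.hostname or "").lower().rstrip(".")
    except ValueError:
        return "block", "not a parseable URL"
    if url.scheme != "https" or not host:
        return "block", "not an https URL with a host"
    if "@" in url.netloc:
        # e.g. https://example-bank.com@other.example/ really goes to other.example
        return "block", "text before '@' hides the real host"
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        return "block", "internationalised host can imitate Latin letters"
    for good in expected:
        if host == good or host.endswith("." + good):
            return "allow", "host is " + good + " or a subdomain of it"
    for good in expected:
        # Compare the last labels of the host with the expected domain.
        n = good.count(".") + 1
        tail = ".".join(host.split(".")[-n:])
        if osa_distance(tail, good) <= 2:  # threshold is an assumption
            return "block", "host looks like a misspelling of " + good
    return "review", "host is unrelated to any expected domain"

if __name__ == "__main__":
    for sample in ("https://example-bank.com/pay", "https://exmaple-bank.com/login"):
        print(sample, "->", check_qr_payload(sample))
```

An "allow" verdict only confirms the domain; the advice above about being cautious with personal or financial information still applies.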


Time to Take Mobile Security Seriously

Even after knowing the risks involved with QR codes, many would still ignore the advice above in an actual situation. This is understandable because we are not used to protecting our mobile devices from cyberattacks. Still, with the growing number of employees working from home, the boundary that separates work devices from personal devices becomes increasingly ambiguous. Many use their phones to access work files stored in the cloud. As a result, more and more hackers are targeting personal mobile devices in an attempt to gain access to corporate networks.

To protect the corporate IT network, given the growing number of entry points from web applications to mobile apps, Penta Security is constantly improving its web application firewall (WAF) WAPPLES to cope with the latest security threats. Its AI-based logical detection engine protects the entire attack surface, including API-based applications and mobile apps.

