Are QR codes safe?

[Image: smartphone scanning a QR code. Credit: Shutterstock]

Quick response (QR) codes have become remarkably commonplace in society. Many legitimate businesses and organizations use them to quickly display a URL. QR codes have risen to prominence in monitoring the spread of coronavirus, as they often appear at the entrances to premises to track the movement of people.

As they become more common in day-to-day life, the question remains: are QR codes safe? We address the safety and security of QR codes below.

What are QR codes?

Japanese company Denso Wave, a Toyota subsidiary, invented QR codes in 1994 to add accuracy to the tracking of vehicles and parts during the manufacturing process.

While barcodes are only readable from left to right, QR codes are readable in two directions, top to bottom and right to left. This means they can store more data, up to 4,000 characters of text.

Much like the two-dimensional barcodes on most retail goods, QR codes can point people to a website. In other words, they can be a URL in the form of an image. You’ll see QR codes everywhere: on business cards, a billboard, or a flyer. They are also great for marketing campaigns, as they provide a bridge between the online and offline worlds.

It has become easier to interact with QR codes since the advent of the smartphone. Simply point your phone’s camera at the QR code, and it will scan the code and notify the user of a link they can tap that then opens a website on a mobile browser. This helps eliminate possible typos by sending people directly to the relevant web address.

It is really simple to create a QR code, and many online resources can help anyone convert a URL into a QR code.

How do QR codes work?

The blocks of a QR code are binary data that a computer can read and process. The device recognizes the QR code by the three large squares at the edges of the image, called positioning detection markers. These tell the reader that everything within them is readable code, and they tell the device the code’s correct orientation.

Another square, called an alignment marker, helps straighten out QR codes printed on a curved surface. The larger the code, the more information it holds and the more alignment markers it needs.

Connecting the three positioning detection markers is a timing pattern. These alternating black-and-white modules form lines that let the scanner work out the size of the data grid.

The QR code also contains version information: markers that specify the version used. The most common are versions one through seven.

The modules running alongside the three positioning detection markers are format information, which tells the scanner the error correction level and the data mask pattern in use, making the code easier to decode.

Most important are the data and error correction blocks, which are where the actual content is stored. The error correction blocks allow up to 30% of the code to be damaged without it losing its ability to direct a scanner to the correct URL.

Lastly, there is the quiet zone. This white space around the QR code helps a scanner distinguish the QR code from its surroundings.
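As an added illustration of the format information and error correction level described above (example code written for this article, not part of the original), the following encodes and decodes the 15-bit format field that sits beside the positioning markers. The generator polynomial, XOR mask, level bit values and per-level tolerance figures (L 7%, M 15%, Q 25%, H 30%, the last being the "up to 30%" quoted above) are taken from the QR specification, ISO/IEC 18004.

```python
# Added example (not from the article): encode and decode a QR code's 15-bit
# "format information". Its 5 payload bits are 2 bits of error-correction level
# plus 3 bits of mask pattern, protected by a (15,5) BCH code and XORed with a
# fixed mask so the field is never all-zero. Constants follow ISO/IEC 18004.

GENERATOR = 0b10100110111        # BCH generator x^10+x^8+x^5+x^4+x^2+x+1
FORMAT_MASK = 0b101010000010010  # 0x5412
EC_LEVEL_BITS = {"L": 0b01, "M": 0b00, "Q": 0b11, "H": 0b10}
# Approximate share of codewords each level can recover (spec figures).
EC_TOLERANCE = {"L": "7%", "M": "15%", "Q": "25%", "H": "30%"}


def bch_remainder(value: int) -> int:
    """Remainder of value (5 data bits already shifted left by 10) mod GENERATOR."""
    for shift in range(4, -1, -1):  # value has at most 15 bits
        if value & (1 << (shift + 10)):
            value ^= GENERATOR << shift
    return value  # 10-bit remainder


def encode_format(ec_level: str, mask_pattern: int) -> int:
    """Return the 15-bit format information word as placed in the symbol."""
    data = (EC_LEVEL_BITS[ec_level] << 3) | (mask_pattern & 0b111)
    codeword = (data << 10) | bch_remainder(data << 10)
    return codeword ^ FORMAT_MASK


# All 32 valid (pre-mask) codewords, used for nearest-codeword decoding.
_CODEWORDS = {(d << 10) | bch_remainder(d << 10): d for d in range(32)}


def decode_format(word: int):
    """Recover (ec_level, mask_pattern, tolerance, bit_errors) from a possibly
    damaged word. The code's minimum distance of 7 lets it correct up to 3
    flipped bits; if no codeword lies within 3 bits, ValueError is raised."""
    unmasked = word ^ FORMAT_MASK
    best = min(_CODEWORDS, key=lambda cw: bin(cw ^ unmasked).count("1"))
    errors = bin(best ^ unmasked).count("1")
    if errors > 3:
        raise ValueError("format information too damaged to decode")
    data = _CODEWORDS[best]
    level = next(k for k, v in EC_LEVEL_BITS.items() if v == data >> 3)
    return level, data & 0b111, EC_TOLERANCE[level], errors
```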

Can someone hack a QR code?

The QR code inventors did not think their system would be used for anything outside of tracking car parts in a manufacturing process. So there was no consideration given to possible security implications at the time.

There are no security flaws within a QR code per se. Rather, it is the destination encoded within a QR code that may have issues. A URL encoded within a QR code cannot do anything by itself, but hackers could compromise the destination address so that it redirects to malware or steals data. This is not that different from an email or text message scam.

Humans cannot readily read a QR code, so there is no way to look at one and ensure it is safe. Unfortunately, this means hackers can alter QR codes to point to a malicious website quite easily.

It is generally less well-known that QR codes can be fashioned to carry out actions on a user’s device, such as composing emails or adding contacts to a device.

Hackers can place malicious QR codes in public, sometimes over genuine QR codes, to fool unsuspecting people into scanning a code that points to a malware-filled website.

Another way QR codes can be compromised is something called QRLjacking. According to OWASP, this is a social engineering attack on applications that rely on a “Login with QR code” feature as a secure way to log in to accounts. In other words, a victim is tricked into scanning the attacker’s QR code, resulting in session hijacking.

Dynamic QR codes present a special risk. A dynamic QR code differs from a normal one in that it has a short URL embedded in the code that forwards the user to the destination URL. The destination URL can be altered after the QR code is created, while the short URL remains the same. Dynamic codes can also send different data to different devices.

How to spot a malicious QR code

How can someone who’s scanning a QR code know if it is going to a legitimate website? One problem here is that a mobile phone’s default scanning app normally performs no security checks. Its only job is to decode the QR code and show you a link to click on.

There are secure QR code scanning apps from companies like Kaspersky or Sophos that check if the code links to something trustworthy. If the software finds the link directs to a cyber threat, such as a phishing scam or a premium text message scam, it will alert you.

How to avoid QR code scams

There are ways you can keep safe when using or scanning QR codes. Here are a few tips:

  • Check for tampering: If scanning a QR code in a public place, check that the original code hasn’t been replaced with a sticker that can lead to dangerous online content.
  • Verify the URL and the company: Before scanning a QR code, verify the company is legitimate. Does it look professional? Does the QR code match the organization? If this all checks out, scan the code but check the destination to ensure everything looks above board.
  • Don’t give out personal information if directed to another website: It is never a good idea to enter any personal information, such as passwords or credit card details, on a website a QR code has directed you to. Many marketing campaigns will ask for your name and email address, but if something about the website doesn’t feel right, don’t give them any information.
  • Use security applications: As mentioned above, mobile security apps can help protect you from suspicious web links embedded in QR codes. If you can disable any functions that automatically open website addresses from QR codes, you should take advantage of this feature so you can see the URL before opening it.
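The kind of check a scanner can run on decoded content before anything is opened, as an added example that is not part of the original article: it separates ordinary web links from payloads that trigger device actions (email, contacts, Wi-Fi) and flags short-URL redirects of the sort dynamic QR codes use. The shortener host list, the action prefixes and the sample payloads are constructed for illustration; the check uses only the Python standard library.

```python
# Added example (not from the article): inspect the text a scanner decoded from
# a QR code before opening it, and list the reasons a user should look twice.
from urllib.parse import urlsplit
import ipaddress

# Constructed list of shortener/redirect hosts: a dynamic QR code points here and
# the real destination can be changed after the code has been printed.
REDIRECT_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "qrco.de"}

# Payload prefixes that perform a device action rather than opening a page.
ACTION_PREFIXES = ("mailto:", "tel:", "sms:", "smsto:", "mecard:", "begin:vcard", "wifi:")


def inspect_payload(text: str) -> dict:
    """Classify a decoded QR payload as url / action / other and collect warnings."""
    text = text.strip()
    lower = text.lower()
    result = {"kind": "other", "host": None, "warnings": []}

    if lower.startswith(ACTION_PREFIXES):
        result["kind"] = "action"
        result["warnings"].append("performs a device action (email/contact/Wi-Fi), not a web page")
        return result

    if lower.startswith(("http://", "https://")):
        parts = urlsplit(text)
        host = parts.hostname or ""
        result.update(kind="url", host=host)
        if parts.scheme == "http":
            result["warnings"].append("plain http: destination is not authenticated")
        if "@" in parts.netloc:
            result["warnings"].append("userinfo before '@' can disguise the real host")
        try:
            ipaddress.ip_address(host)
            result["warnings"].append("bare IP address instead of a domain name")
        except ValueError:
            pass  # not an IP literal, which is the normal case
        if host.startswith("xn--") or ".xn--" in host:
            result["warnings"].append("punycode host: look-alike characters possible")
        if host in REDIRECT_HOSTS:
            result["warnings"].append("shortener/redirect: real destination hidden and changeable")
        return result

    result["warnings"].append("not an http(s) URL: do not open automatically")
    return result
```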
Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.