Are QR codes bad?


QR codes are having a bit of a moment, and it seems not a week goes by without a new one becoming part of everyday routines. While standing at the self-checkout recently, scanning my groceries, I noticed something that hadn’t been there before. Prominently displayed on the EFTPOS terminal was a QR code and the prompt “Use this QR to Pay”. So, impulsively, I scanned it with the camera on my iPhone. To my surprise, Face ID popped up. As I was wearing a mask, it didn’t recognise me (a later Apple update has fixed this problem), so I entered my passcode and, hey presto, Apple Pay launched and the payment went through immediately.

While loading my shopping into the car, I started to reflect on how blithely I had scanned that QR code, despite having no idea what it was going to do. Of course, because it was on an EFTPOS terminal I was confident it would be safe, but what if it hadn’t been? A square of printed ink had just launched Apple Pay on my phone, and if it can do that, what else can these codes do?

Uses for QR codes

Our most common experiences with QR codes have been for things like check-in apps, setting up two-factor authentication, logging in to a streaming service, or loyalty programs. Although they have been around for almost 30 years, QR codes have only recently come into widespread use, spurred on by the need for contact tracing during the COVID-19 pandemic.

QR codes are now rapidly converting traditional business interactions, such as doing your grocery shopping or ordering a meal, into fast, convenient, and contactless digital ones. At my local pub, for instance, we no longer have to queue or wait to order meals. We just scan the QR code taped to the table and, voila, the menu instantly opens on our smartphones. We can pay for meals and drinks separately, and they always arrive super-promptly. We don’t have to get the attention of wait staff, remember everyone’s drink order at the bar, or figure out how to split the bill.

Contrary to what you may have heard, a regular QR code cannot capture any of your personal data. It is nothing more than printed text, most often a web address, that your phone’s camera reads; it has no way to reach into the device. What the destination does once you open it is another matter: a website reached from a QR code can log your visit, IP address and device details exactly as it would if you had typed the address yourself. That distinction matters, because QR codes are everywhere.

Advertisers, governments, businesses, and any organisation or individual with a message to communicate can place their QR codes in public spaces where they can be scanned easily by potential customers, directing them to websites where they can purchase or find information almost instantly. It’s a much faster and more effective way of capturing attention than providing a website address or phone number that needs to be remembered or written down.

But QR codes aren’t all good news.

QR code scams

By now, most people are familiar with the dangers of the web and have at some stage received persistent and annoying email or SMS messages containing a link to a dangerous website. QR codes are simply a new delivery method for the same malicious links: the code encodes a web address, the phone offers to open it, and whoever controls the printed code controls where you end up.

In Russia, for example, a scam used QR codes placed at random to trigger a text message from the smartphone that scanned them. That seems harmless, except it wasn’t an ordinary text message: it went to a premium-rate number that billed a charge of about $6 to the phone’s owner. A QR code can encode an SMS recipient and a pre-filled message just as easily as a web address, and the phone will obligingly open the messaging app ready to send it.

In another example, parking meters on the streets of Austin, Texas were hit by malicious QR codes. The meters carried legitimate QR codes that, when scanned, opened a web page where you could pay for your parking space from your smartphone. Things went wrong when labels carrying a malicious QR code were stuck over the meters’ existing codes. The fake code took users to a website that mimicked the official meter payment system and took their payments, netting the scammers a nice windfall. The con was only uncovered once motorists started receiving fines for parking they believed they had paid for. The lesson is that a QR code is only as trustworthy as the surface it is printed on: a sticker can be replaced in seconds, and a fake code looks exactly like a real one.

It is clear that, for crooks and scammers, it can be very easy to exploit people’s trust in a familiar and seemingly secure method of payment.

Malicious QR codes

Apart from phishing, a QR code can carry a web address whose destination page runs hostile code. The site it sends you to could serve JavaScript that exploits a vulnerability in your browser, just as a malicious link in an email can. And because your device hands information to whatever the code points at (your browser sends its version, language and IP address to a website; a check-in code that opens the government app passes the code’s parameters straight into that app), more information than you might expect can flow from your device to whoever created the code.

Malicious QR codes read by a permissive reader can put a computer or smartphone user’s security and privacy at risk. Known as “attagging”, short for “attack tagging”, these codes are simple to generate (plenty of websites will do it for you) and easy to disguise or stick over a legitimate code. The important point is that the code itself is inert data; the danger lies in what the reader does with it. On a smartphone, a third-party scanner app may have been granted far broader permissions than your web browser (camera, microphone, location, contacts, full network access), and if that app automatically acts on whatever it scans, or renders the payload in a web view without sanitising it, an attacker’s content runs with the scanner’s permissions rather than inside the browser’s sandbox. A reader abused in that way could enable the microphone, camera and GPS and stream those feeds to a remote server.

Those feeds and the data on the device could then be analysed for sensitive information such as passwords, files, contacts and transactions, or the device could be made to send email, SMS or instant messages as part of a botnet. The payload could alter privacy settings, support identity theft, or itself carry malicious text such as a script, which only matters if the reader executes or displays it unsafely. All of this could happen in the background while the user sees only the app opening a seemingly harmless web page. The practical takeaway is to scan with your phone’s built-in camera, which shows you the decoded link and waits for a tap, rather than a third-party scanner app that demands broad permissions.

What can you do?

We started this article with the question “Are QR codes bad?” The answer is that, like the links in spam text or email messages, they can be, because a QR code is just a link you cannot read with your own eyes. For the security of your personal information and the safety of your device, adopt the same cautious approach to QR codes as you already take with suspicious messages. Check the web address your phone shows before tapping it, be suspicious of a code on a sticker that sits on top of another one, prefer typing a known address over scanning one in a public place when money is involved, and if it doesn’t look legitimate or you don’t know or trust the source, don’t scan it.
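As an added illustration that is not part of the original article, the Python below inspects a QR payload the way a cautious reader would before acting on it. It identifies what the phone would do (open a web page, compose an SMS, dial a number) and flags the traits behind the scams described above: a pre-filled SMS to a short code, a host that merely contains the expected domain name (the parking-meter sticker trick), a plain-http link, or a web address whose apparent host is really userinfo before an ‘@’. The sample payloads, domain names and the short-code heuristic are all constructed for the example and are assumptions, not data from any real incident.

```python
"""Classify the text payload of a scanned QR code before acting on it.
A QR code only carries text; the URI scheme decides what a reader does with it,
so the payload can be inspected and risk-flagged first (heuristics are illustrative)."""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Verdict:
    kind: str                        # "url", "sms", "tel" or "text"
    action: str                      # what a reader would do with the payload
    warnings: list = field(default_factory=list)

    @property
    def risky(self) -> bool:
        return bool(self.warnings)


def _looks_like_short_code(number: str) -> bool:
    """Heuristic (assumption): 3-6 digit numbers are carrier short codes, the
    usual home of premium-rate SMS and call services."""
    return 3 <= len(re.sub(r"\D", "", number)) <= 6


def _classify_sms(payload: str) -> Verdict:
    # Two common encodings: "SMSTO:number:body" (QR convention) and
    # RFC 5724 "sms:number?body=..." (URL-encoded body).
    scheme, _, rest = payload.partition(":")
    if scheme.lower() == "smsto":
        number, _, body = rest.partition(":")
    else:
        number, _, query = rest.partition("?")
        body = parse_qs(query).get("body", [""])[0]
    warnings = []
    if _looks_like_short_code(number):
        warnings.append(f"recipient {number} is a short code; may be premium-rate")
    if body:
        warnings.append(f"pre-filled message body {body!r}; sending it may cost money")
    return Verdict("sms", f"compose SMS to {number}", warnings)


def _classify_url(payload: str, expected_hosts: frozenset) -> Verdict:
    parts = urlsplit(payload)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme == "http":
        warnings.append("plain http: page can be altered in transit")
    if parts.username is not None:
        # "https://trusted.example@evil.example/" shows the trusted name first,
        # but everything before '@' is userinfo, not the host.
        warnings.append(f"userinfo {parts.username!r} before '@'; real host is {host}")
    try:
        ipaddress.ip_address(host)
        warnings.append(f"bare IP address {host} instead of a domain name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label: host may be a lookalike of a Latin domain")
    if expected_hosts:
        trusted = any(host == e or host.endswith("." + e) for e in expected_hosts)
        if not trusted:
            warnings.append(f"host {host} is not an expected host")
            if any(e in host for e in expected_hosts):
                warnings.append("expected host name embedded in an unrelated host (lookalike)")
    return Verdict("url", f"open {parts.scheme}://{host}{parts.path}", warnings)


def classify(payload: str, expected_hosts: frozenset = frozenset()) -> Verdict:
    """Say what a reader would do with `payload` and why that might be risky.
    `expected_hosts`: domains the code is supposed to point at (e.g. the
    council's parking site); leave it empty for an unknown code."""
    p = payload.strip()
    low = p.lower()
    if low.startswith(("smsto:", "sms:")):
        return _classify_sms(p)
    if low.startswith("tel:"):
        number = p[4:]
        warnings = [f"dials short code {number}; may be premium-rate"] if _looks_like_short_code(number) else []
        return Verdict("tel", f"dial {number}", warnings)
    if low.startswith(("http://", "https://")):
        return _classify_url(p, expected_hosts)
    return Verdict("text", "display text", [])


# Constructed sample payloads (not real codes): a genuine meter link, a
# sticker-style lookalike, a premium-SMS trigger, and a userinfo/IP trick.
SAMPLES = [
    ("https://parking.example.org/pay?meter=4412", frozenset({"parking.example.org"})),
    ("http://parking.example.org.pay-meters.example/pay?meter=4412", frozenset({"parking.example.org"})),
    ("SMSTO:2476:SUB PREMIUM", frozenset()),
    ("https://www.example.org@203.0.113.7/login", frozenset()),
]

if __name__ == "__main__":
    for payload, hosts in SAMPLES:
        v = classify(payload, hosts)
        print(f"{'RISKY' if v.risky else 'ok   '} {v.kind:4} {v.action}")
        for w in v.warnings:
            print(f"        - {w}")
```

Run it directly to see the verdict for each sample. A phone’s built-in camera does a simpler version of this by showing you the decoded link and waiting for a tap. The point of the example is that everything needed to make the decision is in the payload before anything is opened; `expected_hosts` is the one thing the scanner cannot know, and the one thing you do know when you are standing in front of a particular parking meter.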