The Hidden Security Risks of QR Codes

by Natalie Klein, November 5th, 2020
In our current contactless society, QR codes are having a day in the sun. Many restaurants are now letting customers scan QR codes at the table to access digital menus. Some restaurant owners say digital menus may be around long past the current pandemic. But as QR codes are gaining wider adoption, it's important to understand the security risks. 

QR codes have been around since 1994; the technology was first developed by a Toyota subsidiary and used for inventory tracking, much like 1D barcodes. QR codes can hold around 100x more information than 1D barcodes, making QR codes more useful but presenting a security risk. 

Windows run commands can be embedded within QR codes (and other forms of 2D barcodes). On the phone, QR codes can start phone calls, send text messages, or trigger an app's actions. Apple Pay may even begin to let users use a QR code to send payments shortly.

Last year Null Byte made a video showing some of the ways hackers could embed malicious payloads with QR codes. That video is worth watching if you're interested in some of the more technical means hackers can use to exploit QR codes.

Keep in mind that the frictionless nature of QR codes makes it easy to catch users off guard even without sophisticated exploits. It is trivial for a bad actor to replace a QR code at a restaurant table with a malicious code.

Using free QR code software, a hacker could direct users to a website asking them to sign in with Facebook or Gmail, to an ad interstitial, or to a malware download. Many other phishing and clickjacking scams that require no technical sophistication are possible if someone has access to change the QR code.

I'd be remiss if I didn't note that QR codes are not inherently insecure. In fact, Deutsche Bank uses QR codes as a form of single-use transaction authentication number. Most of the risks QR codes present result from being unsure of the origin of the QR code.

One of the best ways for consumers to protect themselves is to enable QR code review. This setting allows for an inspection of the decoded text before executing any code or opening any targeted apps.
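As an added illustration (not from the original article), here is the kind of check a review step can run on the decoded text before anything is opened. The function name, the expected-host list, and every sample value are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Schemes that make the phone do something other than open a web page.
ACTION_SCHEMES = {
    "tel": "starts a phone call",
    "sms": "composes a text message",
    "smsto": "composes a text message",
    "mailto": "composes an email",
}


def review_qr_payload(text, expected_hosts):
    """Classify decoded QR text and list reasons to pause before acting on it."""
    text = text.strip()
    findings = []
    try:
        parts = urlsplit(text)
    except ValueError:
        return {"kind": "unparseable", "findings": ["malformed URL"], "needs_review": True}
    scheme = parts.scheme.lower()

    if scheme in ("http", "https"):
        kind = "web link"
        host = (parts.hostname or "").lower()
        if scheme == "http":
            findings.append("link is not https")
        if host not in expected_hosts:
            findings.append(f"unexpected host: {host}")
    elif scheme in ACTION_SCHEMES:
        kind = ACTION_SCHEMES[scheme]
        findings.append(f"scanning {kind}")
    elif scheme:
        kind = f"app action ({scheme})"
        findings.append("payload is handed to another app")
    else:
        kind = "plain text"

    return {"kind": kind, "findings": findings, "needs_review": bool(findings)}


if __name__ == "__main__":
    # Constructed samples; menu.example.com stands in for the restaurant's real menu host.
    expected = {"menu.example.com"}
    for sample in ["https://menu.example.com/lunch", "https://login.example.net/signin",
                   "tel:+15550100", "exampleapp://open", "Table 12"]:
        print(sample, "->", review_qr_payload(sample, expected))
```

Anything returned with `needs_review` set should be shown to the user as decoded text rather than acted on automatically.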

Businesses using QR codes can protect customers by using a QR code generator that allows custom design. With custom design, employees can ensure QR codes are not tampered with or replaced.

The restaurant Green Truck Cafe uses a QR code with their logo to help prevent tampering. Using sites like QRCode Monkey, a business can easily create a custom design. While it's still possible that some ne'er-do-well could use the same tool to generate a QR code that would pass inspection, the hacker's job is more challenging.

Also published on: https://www.internetnewsflash.com/qr-codes-are-more-useful-than-ever-but-present-security-risks/