Blog post by Dave Mound
What is a QR code?
With the introduction of the Covid-19 contact tracing app in England and Wales, we're all probably seeing more QR codes than ever before. Until track and trace, many people perhaps just saw QR codes as those little square blocky graphics that appear alongside advertising hoardings or in magazines. QR - or Quick Response - codes first appeared in the Japanese automotive industry in 1994 but were quickly adopted as a way of taking information from printed materials, such as packaging or posters, and transferring it to your mobile device. Similar to a standard barcode, but far more powerful, the QR code is capable of handling much more data and all you need to scan them is a camera and a QR code reader app. Sometimes the codes are linked to specific apps, as is the case with the Covid-19 contact tracing app.
The normal workflow for scanning a QR code on a mobile device is as follows: you open the QR reader app, scan the code, the code is decoded by the app and then the data is presented to you. This could be a contact card that's already filled in, a visit to a web page via the browser, or even an app download. You may or may not be given the choice of previewing the URL of the website before the reader app opens it. Likewise, you may not be asked if you want to download the app you are being sent to. And that's a problem.
The dangers of QR codes
QR codes are not human readable, there is no way for you to see what information is contained in the code without scanning it (or painstakingly reverse engineering it). This means that attackers can hide malicious links within the code in the hopes that unsuspecting victims will scan it. They can further the likelihood of someone scanning the code by replacing QR codes on legitimate adverts. All it takes is to get a sticker printed and slap it over an existing QR code on the tube or at a bus shelter and job done. In this scenario, you could scan the QR, be sent to the malicious site and the attacker has won. Let's picture a full scenario:
The attacker copies the website sign up page for company X and hosts it under a similar looking name. They then print out QR codes pointing to their fake site and stick them over company X's actual advertisements. You, as an unsuspecting victim, scan the QR code and are sent to what appears to be a registration form for company X. You fill in a username/email and password and hit submit ...
Now, question time! That password you just used to sign up, do you use it anywhere else? If you do the attacker now has that, they could go and try that on multiple other sites until they find the sites that you also used it on.
What if they didn't just ask for a username and password and instead asked for further personal info? What about credit card info if you thought you were subscribing to a premium service or ordering goods? Can you see the problem?
Anytime you visit a site controlled by attackers you are opening up yourself to malware, data theft, credential harvesting and more. This is why we need to be careful about the sites we connect to.
Top tips to using QR codes securely
Now don't get me wrong, I'm not saying QR codes are all bad. Many restaurant and cafes, for example, are now using QR codes to enable customers to order and pay for goods to minimise interacting with people in response to Covid-19. So, if you do use them then make sure you take steps to personally protect yourself from scams and reduce the risks of becoming a victim to fraud.
✅ Always use a QR code reading app (sometimes called a scanning app) that will display the full URL of the site that the QR code links to. Make sure it's the full URL, too, and not just a small part of it.
✅ Check the URL of the site once the app has sent you there.
✅ Turn off any settings that automatically send you to the sites scanned. If your app doesn't allow this then get another app that does!
✅ Check for signs of tampering on the QR code, does it look like someone has stuck something over it? Does it look like a legitimate advertisement?
✅ Verify that the company and the URL match. So if you are expecting to go to the Cygenta website, for example, check that the URL shows up as cygenta.co.uk.
✅ Always expand shortened URLs and use an expander that will show all redirections before the final destination. Some expanders will only show the final step in a chain of redirections which could mean the malicious site is still hidden from you.
✅ Some QR code reading apps are actually security focused and will do a lot of the above security steps for you. Kaspersky's QR reader is one of those, it's available on iOS and Android and will check for malicious sites before visiting them.