The hidden security risks of QR codes

In the contactless society that we have built as a result of the coronavirus pandemic, QR codes have become part of our routine. We have had to learn to scan QR codes on Android and iOS to make payments, look up information, and so on. Generally we do it without worry, because we consider it a safe mechanism, or at least safer than others. But even if this is true, we cannot lose sight of the fact that QR codes carry certain hidden security risks.

As we said, a good percentage of the restaurants we go to today let us pay through this kind of code or view the menu this way. Some of their owners even maintain that they will keep this system when the pandemic is over. But this near-definitive adoption that is expected for QR codes also requires users who are better informed about the risks involved, which is why we wanted to write this review.


The history and future of QR codes

First of all, we have to know that QR codes have been around since 1994. This technology was first developed by a Toyota subsidiary company, with the aim of tracking inventory, just like 1D type barcodes. Of course, QRs are something like an evolution of these, considering that they can contain up to 100 times more information. But, as always, the greater the utility, the more risks are also assumed.

In practice, even complete Windows execution commands can be embedded in a QR code. Scanned from a smartphone, a code can initiate phone calls, send text messages and even trigger actions in any application. Apple Pay has even confirmed that we will soon be able to make payments all over the world by reading store data from a QR code.

But what about the hidden security risks of QR codes?

Already last year, the hacking specialist Null Byte published a video in which he showed some of the ways in which hackers could embed malicious payloads within a QR code. If you are interested in discovering some of the more technical means that hackers can use to exploit QR codes, then you should take a look at that video, which we leave you below:

One of the first conclusions we can reach, then, is that the fluid nature of QR codes makes it easier to catch users off guard, without even having to resort to sophisticated techniques. For someone with enough knowledge, replacing the original QR code on a restaurant table with a malicious one is a relatively simple job that does not require much effort.

In that case, a hacker could direct users to a website that asks them to log in with Facebook or Gmail. Not only that: many other phishing and clickjacking scams, not necessarily very advanced technically, become possible if someone has access to change the QR code.

In any case, most of the risks present in QR codes result from not being sure of the origin of the QR code itself. It is not about the insecurity of the system itself, but about how easy it is to replace correct information with false information. And how difficult it will be for the user to realize and prevent it.


And what can we do?

At this point, of course, many readers will probably wonder what they can do to avoid being deceived or tricked. One of the most effective ways to stay alert is to enable QR code review. That setting lets us inspect the decoded text thoroughly before running any code or opening specific applications. And that will save you more than one headache.
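The same review of the decoded text can be done by a program, for instance in a company's own scanner app. The following is an added example, not code from this article or from any scanner product; the function name `review_qr_payload`, the `cafe.example` and `attacker.example` hosts and the sample payloads are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Schemes that make the phone act (call, text, mail, launch an app) when opened.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "intent"}

def review_qr_payload(text, expected_hosts=()):
    """Return warnings for decoded QR text; an empty list means nothing was flagged."""
    parts = urlsplit(text.strip())
    scheme = parts.scheme.lower()
    if scheme in ACTION_SCHEMES:
        return [f"opens an app action ({scheme}:) instead of a web page"]
    if scheme not in ("http", "https"):
        return [] if not scheme else [f"unfamiliar scheme ({scheme}:)"]
    warnings = []
    host = parts.hostname or ""
    if scheme == "http":
        warnings.append("not HTTPS")
    if parts.username is not None:
        # Everything before '@' is user info, not the site being visited.
        warnings.append("text before '@' is not the site; real host is " + host)
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # a normal DNS name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host, may imitate another name")
    if expected_hosts and not any(
        host == h or host.endswith("." + h) for h in expected_hosts
    ):
        warnings.append(f"host {host} is not one the venue publishes")
    return warnings

# Constructed sample payloads (not taken from the article).
SAMPLES = [
    "https://menu.cafe.example/lunch",
    "https://cafe.example@login.attacker.example/facebook",
    "http://203.0.113.7/menu",
    "smsto:+15550100:SUBSCRIBE",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", review_qr_payload(s, ["cafe.example"]) or "ok")
```

An empty result only means none of these checks fired; the origin of the printed code still has to be trusted.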

On the other hand, companies that use QR codes can protect their customers by using a custom-designed QR code generator. Because this personalized design establishes a link between the firm and the client, both employees and consumers will more easily notice manipulations and replacements.

In fact, there are many exemplary cases, such as the Green Truck Cafe restaurant, which uses a QR code with its logo to help prevent manipulation. Thanks to QRCode Monkey, any brand can easily create a custom design. And although that does not protect us 100%, it is a way to complicate things for hackers. After all, that is what it is all about: having tools to uncover counterfeits.
