QR Code is not more dangerous!


Robert Zemeckis gave Tom Hanks, in his film Forrest Gump, the following line: "Life is like a box of chocolates. You never know what you're gonna get." This is also true of the QR Code. What looks more like a QR Code than another QR Code? What is hiding behind these little black and white squares?

Prestigious security consulting firms, the online and print press, and many other channels warn us about the danger of using QR Codes:

  • Journal du Net, November 2020 "QR codes: a sneaky threat to mobile security"
  • Forbes, October 2020 "QR Codes Are More Risky Than You Think"
  • Le Monde Informatique, September 2020 "QR codes, privacy and security concerns"
  • ...

Why such assertions?

The QR Code is no more dangerous than any link or other tempting button in an email, on a website, in a call or in a text message. It is only a quick and efficient way to obtain or transmit information. Above all, the QR Code saves us the tedious typing of internet links, contact cards, WiFi connections… on the tiny keyboards of our smartphones.

So how can a QR Code be more “dangerous”?

It is not!

We are rightly told to always check Internet URLs (rejecting URLs that do not start with https:// or that do not show a small padlock in front of the address is a good first step). For emails received, always check the originating address to avoid phishing (fake emails that redirect to malicious sites in order to obtain personal information: login / password, other personal information, etc.). The publishers of applications and operating systems (Android, iOS, etc.) send out very frequent invitations to update our mobile devices to better protect us. Thus, checking and updating mobile devices (or computers or workstations) are the first actions to take, urgently, for the security of our devices (integrity and availability) and our privacy (confidentiality). Therefore, whether the action follows a tap or the scan of a QR Code, there is no difference in terms of risk.

With one detail… In recent years, reading QR Codes has become possible through the integrated “camera” applications on smartphones, and with them it is no longer possible to consult the content of a QR Code before triggering the action. What a pity! All third-party applications offer this simple and effective feature by default. The publishers favored speed of execution to the detriment of security: scan & go, without thinking. It would be great if the app publishers reviewed their roadmaps to offer us this functionality again. Pending potential future updates from our favorite publishers, I highly recommend installing and using a third-party application for reading QR Codes. There are a multitude of them which, by default, reveal the content of the codes before any action.

Adding more security...

For additional security, which is by no means unique to the use of QR Codes, it is essential to educate companies and individuals.

  • For companies, a mobile fleet must be protected according to the same security criteria as the overall IT fleet: VPN, anti-malware and, for smartphones, tablets or other devices, rigorous management by adopting "unified endpoint management". These application suites allow IS managers and companies as a whole to manage updates, rights to install authorized applications, configurations, certificates, encryption, backup, overwriting of data in the event of loss or theft ... This applies to all the mobile equipment they own, and it also means enforcing the same security principles for all employees who use their own mobile equipment (BYOD).
  • For individuals, it is important not to set up your latest mobile acquisition lightly. Passwords, online backup setup, continuous updates and, again, don't think it only happens to others. Always check the origin of emails and also check internet links. It's not that hard, just a good habit to get into. From then on, scan anything that will make you happy! QR Codes are your friends; they will make your everyday life easier. In China, India and elsewhere, they are part of everyday life. Juniper Research estimates that payment via QR Code will be multiplied by 3 in the next few years. In China, these payments would reach 5.5 trillion dollars through the WeChat and Alipay platforms alone.

We are asked to be careful with everything, but what about QR Code advertisers?

The user is ultimately the main victim of malicious acts. It is important that responsibility is clearly defined. The particular care asked of every user who scans a QR Code must also be taken by the brands or shop owners who display these codes. You should know that the one and only way to hack a QR Code is to stick a fake QR Code on the original. Yes!


So, for example, on a restaurant window, a QR Code invites us to place an order: Click & Collect. At night, a smart little joker sticks a QR Code over the original. This new QR Code redirects to the menu of a fake restaurant website which looks the same as the original website. You place an order and pay online with your Visa card, PayPal or whatever other payment method is offered on the fake site. Then, after three hours, no order has been delivered to you. Welcome to the hackers' world! Bon appétit!

Whose fault is it? The hackers', of course, but isn't it the managers' responsibility to check the consistency and veracity of what they post or display? Never affix Click & Collect ads directly on a window; prefer to set them back from it. Before each start of service, check that the table easels do indeed contain the original QR Code ... All these small checks must, like the stock status, be part of the daily checklist ...
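The preview that a third-party reader shows before any action, and the manager's daily check that a displayed code still points at the real site, both come down to inspecting the decoded payload. The following is an added example, not code from the article; the function name, the sample payloads and the `*.example` hosts are constructed for illustration.

```javascript
// Added example: preview what a decoded QR payload would do before acting on it.
// All sample payloads and host names (*.example) are constructed for illustration.
function previewQrPayload(payload, expectedHosts = []) {
  const text = String(payload).trim();
  const warnings = [];

  // Wi-Fi join codes look like WIFI:T:WPA;S:<ssid>;P:<password>;;
  if (/^WIFI:/i.test(text)) {
    const fields = {};
    for (const m of text.slice(5).matchAll(/(?:^|;)([A-Z]):((?:\\.|[^;])*)/g)) {
      fields[m[1]] = m[2];
    }
    const auth = fields.T || 'nopass';
    if (auth.toLowerCase() === 'nopass') warnings.push('open Wi-Fi network (no encryption)');
    return { kind: 'wifi', target: fields.S || '', warnings };
  }

  let url;
  try {
    url = new URL(text);
  } catch {
    return { kind: 'text', target: text, warnings }; // plain text: nothing to open
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    // tel:, sms:, mailto: ... would hand the payload to another application
    return { kind: url.protocol.slice(0, -1), target: url.pathname, warnings };
  }

  const host = url.hostname;
  if (url.protocol !== 'https:') warnings.push('not HTTPS');
  if (url.username || url.password) warnings.push(`text before "@" is not the site; real host is ${host}`);
  if (host.split('.').some((label) => label.startsWith('xn--'))) warnings.push('internationalized (punycode) host name');
  if (/^\d+(\.\d+){3}$/.test(host) || host.startsWith('[')) warnings.push('IP address instead of a domain name');
  // Operator's checklist: the code on display must still point at the real site.
  if (expectedHosts.length && !expectedHosts.includes(host)) warnings.push(`host ${host} is not an expected host`);
  return { kind: 'url', target: url.href, host, warnings };
}

// Constructed samples: the genuine code, a sticker placed over it, a Wi-Fi code.
for (const sample of [
  'https://restaurant.example/menu',
  'https://restaurant.example@orders-menu.example/menu',
  'WIFI:T:nopass;S:Cafe Guest;;',
]) {
  console.log(previewQrPayload(sample, ['restaurant.example']));
}
```

Passing the list of hosts the business actually uses turns the same preview into the pre-service check: any code on a window or table easel that produces a warning is not the original.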

Reinventing the QR Code

Here is another method to considerably slow down these malicious acts: opt for graphic QR Codes, colorful and different. These QR Codes can incorporate a brand's visual identity and much more. Thus, it will be very discouraging for a hacker to duplicate such a code identically. At a glance, it is easy to know whether the QR Code is an original or not. It is a safe bet that in the years to come, brands and advertisers will turn to such aesthetic and much, much more secure solutions. We could witness a revolutionary new era of QR Code use, in which we only scan sophisticated codes that carry an identity, no longer leaving room for basic black and white codes. A new era, also, in which all “official” QR Codes would be listed in a unique anonymized database, just like the bar codes of the products we buy every day. These graphic QR Codes already exist. A very sophisticated graphics engine allows multiple creation (mass provisioning) while keeping the same graphic spirit. This is nothing like the online QR code generators, which only allow meager logo or image integrations, with very basic formats that any budding hacker could replicate and hijack for their misdeeds.

Examples of mass provisioning of a graphic QR Code (IneoScan credit)


All these codes are different and keep the same graphic spirit. Security is based on the initial design (the master). Only this master has to be protected to avoid any compromise, and everything becomes simpler. There is no such thing as zero risk; you have to constantly mitigate it and push it back.

Another additional security step: a secure QR Code integrates encrypted content. For a common user scanning with a smartphone, the code contains, for example, advertising or a redirection to a site ... For the company managing the code, using a specific reader that relies on private and public certificates (PKI), the same code gives access to additional confidential information, access to a database ... The medical sector, identity and access management ... are sectors that are closely interested in this “new” model and see a definite economic interest in it, since printing a QR Code is much less expensive than a smartcard or an RFID badge.
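One way to build the dual-audience code described above, as an added example that is not the author's or any product's implementation. The choice of RSA-OAEP and Ed25519, the `#c=` / `&s=` fragment layout, the function names and the `clinic.example` data are all assumptions made for the illustration.

```javascript
// Added example (assumed design): one QR payload, two audiences.
// The confidential part is encrypted to the company reader's public key (RSA-OAEP)
// and the whole payload is signed by the issuer (Ed25519). Keys are demo keys.
const nodeCrypto = require('node:crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Issuer side: publicUrl must not already contain a fragment.
// RSA-2048 with OAEP/SHA-256 seals at most 190 bytes of confidential text.
function buildSecureQr(publicUrl, confidential, readerPublicKey, issuerPrivateKey) {
  const sealed = nodeCrypto.publicEncrypt({ key: readerPublicKey, ...OAEP }, Buffer.from(confidential, 'utf8'));
  const unsigned = `${publicUrl}#c=${sealed.toString('base64url')}`;
  const sig = nodeCrypto.sign(null, Buffer.from(unsigned), issuerPrivateKey);
  return `${unsigned}&s=${sig.toString('base64url')}`;
}

// Ordinary smartphone: only the public URL matters (a fragment is never sent to the server).
function readAsPublic(payload) {
  const url = new URL(payload);
  url.hash = '';
  return url.href;
}

// Company reader: verify the issuer's signature first, then decrypt.
function readAsCompany(payload, readerPrivateKey, issuerPublicKey) {
  const cut = payload.lastIndexOf('&s=');
  if (cut < 0) throw new Error('unsigned code');
  const unsigned = payload.slice(0, cut);
  const sig = Buffer.from(payload.slice(cut + 3), 'base64url');
  if (!nodeCrypto.verify(null, Buffer.from(unsigned), issuerPublicKey, sig)) {
    throw new Error('signature check failed: code was not issued by the company');
  }
  const sealed = Buffer.from(unsigned.slice(unsigned.indexOf('#c=') + 3), 'base64url');
  return nodeCrypto.privateDecrypt({ key: readerPrivateKey, ...OAEP }, sealed).toString('utf8');
}

// Constructed demo data: a badge URL with a short confidential note.
function demoSecureQr() {
  const reader = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const issuer = nodeCrypto.generateKeyPairSync('ed25519');
  const payload = buildSecureQr('https://clinic.example/badge/4711', 'ward 3, access level B',
    reader.publicKey, issuer.privateKey);
  return {
    length: payload.length,
    publicView: readAsPublic(payload),
    companyView: readAsCompany(payload, reader.privateKey, issuer.publicKey),
  };
}
console.log(demoSecureQr());
```

A code whose public URL has been altered fails the signature check in the company reader, while an ordinary scanner still sees only a normal link.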

Is the QR Code dead?


Since its arrival, we haven't stopped wanting to bury it. All things considered, it is easy to say that NO, it is not dead, and it will not be any time soon. As a reminder, the QR Code was invented in 1994 by the Japanese engineer Masahiro Hara of the Denso Wave company. It was initially used in the spare-parts logistics chains of Toyota factories. The QR Code has the particularity of being able to contain a lot of information (more than 4000 alphanumerical characters) compared to its distant cousin the bar code. In 1999, it was released to the public under a free license. In 2000, it achieved ISO/IEC 18004 standardization. It was not until the appearance of the first smartphones that it took off in the world we all know.

The QR Code and me

For many years, more than 10 at least, the QR Code has fascinated me. Obsession perhaps! I remember finding it so ugly at first. I saw in it unparalleled utility. I set out to understand its norm, its constraints and its limitless possibilities. I dwelled for a long time on its error correction modes, which allowed me to redesign the codes to make them attractive and add additional features.

I then started to create some QR Code Art for prestigious brands such as Air France, LVMH, BNP Paribas and many more. (Visit the gallery: VIRTUAL QR EXHIBITION)

As an information systems security consultant (CISSP), I'm (also) interested in keeping it alive in this world vulnerable to hackers lacking inspiration, because it's worth it. Do not be afraid!

Thanks for reading.

JM Roblin

Pascal .

Sales Executive in Networking Infrastructure Technologies for DC, HPC, WAN, LAN & Campus at Arista Networks.

3 years

QR Code can be beautiful. That’s good news since it will appear more and more. It may even be considered as an art. Let’s see what will happen!
