Why and how to be careful when scanning and using QR codes

QR (“Quick Response”) codes, those small, usually square patterns that we scan with our phone cameras, are a convenient way for organizations to send people (customers, employees, visitors) to a specific web page, an app-store listing or a particular document. You see them in many places: billboards, ads, restaurants (usually for digital menus), printed material (to get more information), and so on.

But there are downsides and opportunities for abuse.

Pros and cons of QR codes

A great benefit of QR codes is that they take you (the consumer of some piece of information) exactly to the page or app you are reading about. The code stands in for something like a long web address that no one could remember and presents an image instead; scan it and you are taken directly there.

QR codes are easy to create and come in many “designs”. Most phones read QR codes out of the box with the built-in camera app, with no special app to download. On the iPhone, Settings > Camera > Scan QR Codes (on/off) controls this. Once a code is created, the creator has a simple way to take everyone who scans it directly to the intended page or app, rather than explaining how to get there (or which app to download), which could lead to mistakes.

The biggest issue with QR codes is that the person scanning one does not know in advance where it will take them. In most cases the code leads to a legitimate page or app. But what if it takes you to a look-alike page that carries the branding you expect but is not the “real” site? What if that page then asks for your username and password, and you provide them, believing you are signing in to a legitimate site?

Example: why would this be unsafe?

Here are a few examples of how QR codes could be abused. Let’s assume you are on a college campus and the admissions office gave you a stack of printed material with QR codes that lead to specific pages with more information. Now let’s assume that someone with bad intent created printed material and left it in random places around campus. The material has all the right “branding” and looks like it came from the college, but the QR code sends you to a page the college never sanctioned.

  • It could take you to a college “look-alike” page that tells you to sign in with your college credentials to get the information you requested. That username and password could then be stored and used later to attack your account or the college’s information systems.
  • It could take you to the app store to download an app that requires you to log in, leading to account compromise and starting you down the road to identity theft.
  • The QR code “target” could be a web page that automatically attempts to run code on your phone. If your phone is not up to date, the page could exploit a known security vulnerability, possibly giving threat actors partial or full control of the device. This is not far-fetched, whether you use an iPhone or an Android phone. I provided examples of such vulnerabilities in my previous article called Why you should keep updating your phone software. The phone could run malicious software or install something without you ever noticing. Many phones would resist such tampering, but an out-of-date phone may not!

You should understand that these scenarios do not happen only to “famous people”. Attackers after personal information cast a very “wide net” and simply wait to see who gets caught. For the attacker it is a very low-effort activity: set the bait and wait.

How to increase the level of safety when scanning QR codes

Here are some best practices you can follow to make scanning of QR codes safer for you and your phone:

  • Make sure that your phone software is up to date! This is by far the best protection against known security vulnerabilities. I’d go as far as to say that if your phone software is out of support, I would suggest not using it at all. For most of us, phones contain far too much information to risk it. Not sure whether your phone software is still supported? See this for Apple iOS and this for Android. Even a few months out of support can be detrimental if a serious security vulnerability has been found since!
  • Limit your scanning to QR codes on “official” documents given or sent to you directly by the organization you are interacting with. Scanning random QR codes is like picking up a random USB stick in the parking lot and plugging it into your computer to see what’s on it (don’t do this!). Official printed matter should be safe. But if you are not sure where the page with the QR code came from…
  • After scanning the QR code, verify that you have landed on the legitimate web page you expect. If the QR code came from a specific college (for example), verify that you are on the actual college’s page before tapping any links or filling out any forms. If the code leads to a web page, its address is visible in your mobile browser; always check it.
  • Scrutinize the page you landed on and check that the “branding” is correct. If the QR code was supposed to be from Microsoft (for example), are you really on the Microsoft web site?
  • It may be safer to find the page directly with a web search and use that instead, especially if the page requires a sign-in to continue. You do not want to hand your username and password to a site that will misuse them. If the QR code says to scan for the college’s dining options, searching for “college (name) dining” should get you there too.
  • If the QR code took you to an app store, make sure it is a legitimate app store. Unless you know exactly what you are doing, never agree to install unofficial (sometimes called “side-loaded”) apps. If the app asks you to install a certificate (to continue the installation), a management profile or a VPN, be VERY CAREFUL. If you are installing from an “alternative” app store, be very careful as well!
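As an added example (not code from the original article), here is a small Python script that applies the “read the address before you tap” advice above to the text a scanner decodes. Phone cameras show the decoded payload before opening it; the script looks at that string and lists reasons for suspicion: a non-web scheme (tel:, sms:, WIFI:, market:) that triggers an action rather than opening a page, plain HTTP, a raw IP address, a look-alike internationalized domain, a URL shortener that hides the real target, text smuggled before an “@” so the URL looks like the college but goes elsewhere, and a host that is not the expected organization’s domain or a subdomain of it. The domain names, the shortener list and the sample payloads are constructed for illustration; the expected domain must come from the organization’s official site, not from the flyer.

```python
"""Check a decoded QR payload before opening it.

Added example; not code from the original article. Takes the text that a
QR scanner decodes (phones show it before opening) and reports why it
may not lead where the printed material claims. Domain names, the
shortener list and sample payloads are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed list of URL shorteners: a shortener hides the real target,
# so the host you see tells you nothing about where you will end up.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


def host_matches(host: str, expected: str) -> bool:
    """True only if host is `expected` itself or a subdomain of it.

    Suffix matching on the raw string is a classic mistake:
    'college.edu.evil.example' ends with 'college.edu' but is not it.
    """
    host = host.lower().rstrip(".")
    expected = expected.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def assess_qr_payload(payload: str, expected_domain: str) -> dict:
    """Return {'safe': bool, 'host': str | None, 'reasons': [str, ...]}.

    'safe' only means no red flag was found; it is not proof of legitimacy.
    """
    reasons = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    # tel:, sms:, mailto:, WIFI:, market:, intent: ... trigger actions other
    # than opening a web page (a call, a text, joining a network, an install).
    if scheme not in ("http", "https"):
        reasons.append(f"non-web scheme '{scheme or '(none)'}'")
        return {"safe": False, "host": None, "reasons": reasons}

    host = parts.hostname or ""
    if not host:
        reasons.append("no host in URL")
        return {"safe": False, "host": None, "reasons": reasons}

    if scheme == "http":
        reasons.append("not HTTPS")

    # 'https://college.edu@evil.example/' looks like college.edu at a glance,
    # but everything before '@' is user info; the browser goes to evil.example.
    if parts.username is not None:
        reasons.append(f"text before '@' is not the host; host is '{host}'")

    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # a normal domain name, not an IP literal

    # Punycode (xn--) or non-ASCII labels can render as look-alikes of
    # familiar names (e.g. a Cyrillic letter in place of a Latin 'o').
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        reasons.append("internationalized (possibly look-alike) domain")

    if any(host_matches(host, s) for s in SHORTENERS):
        reasons.append("URL shortener hides the real destination")

    if not host_matches(host, expected_domain):
        reasons.append(f"host '{host}' is not under '{expected_domain}'")

    return {"safe": not reasons, "host": host, "reasons": reasons}


if __name__ == "__main__":
    # Constructed payloads a flyer on campus might carry; college.edu stands
    # in for the real college's domain, taken from its official site.
    for payload in [
        "https://admissions.college.edu/visit",
        "https://college.edu.evil.example/login",
        "https://college.edu@evil.example/login",
        "http://203.0.113.10/portal",
        "https://bit.ly/3xyzABC",
        "https://xn--cllege-bwa.edu/login",
        "WIFI:T:WPA;S:CampusGuest;P:secret;;",
    ]:
        verdict = assess_qr_payload(payload, "college.edu")
        print(f"{payload!r}: {'ok' if verdict['safe'] else 'DO NOT OPEN'}")
        for reason in verdict["reasons"]:
            print("   -", reason)
```

The point of `host_matches` is the one most often gotten wrong: the browser’s address bar shows the full host, and only the last two labels (here `college.edu`) decide where you really are. Everything to the left of that, and anything before an “@”, is under the attacker’s control.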

Summary

While QR codes can be a great help and convenience, they can also be abused, and you should follow the best practices above to help protect your device and information. The greatest danger of QR code abuse is in places where they are used heavily and illegitimate ones are easy to slip in, such as college campuses, conferences and concerts.

Stay safe!

James Reed

Sr Cloud Solution Architect @ Microsoft | Modern Workplace, Microsoft 365, Defender (Security), Purview (Compliance), and Copilot

6 months

Great reminders Nino. In Atlanta, we've seen tampering with posters, flyers, and menus where a QR code sticker was placed over the original. And we've seen (non-legit) QR codes placed on gas pumps as well. It's also worth noting a reminder that QR codes no longer have to look like random black-or-white pixels in a square. They come in different shapes, colors, and can be seamlessly embedded into photos.

Warren Johnson

Harvard Graduate School of Education | Principal Product Manager at Microsoft

6 months

Great set of tips, Nino! We use QR codes after nearly every class for grad school student feedback.

Serdar Soysal

Principal Content Publishing Manager at Microsoft

6 months

Good information Nino B. Very timely too, just shared with my son who's off to college today. :-)
