QR Codes can be hacked

I recently discovered that some QR codes can be hacked. QR codes can be static or dynamic. Static codes go directly to the organisation which created them but dynamic codes go via a third party which means that the originator can alter them if needed. It is at the third party that they can be hacked. I don’t know of any way to distinguish between the two types by looking at them. Please beware! Never use a QR code link to provide personal details.

My hackable code came from an internet provider which I think is reputable. When I thought I was giving my debit card details for monthly payments to the provider I was actually connected to a dating site in Scandinavia. Only my excellent bank (Teachers Mutual) saved me from loss of money.


Welcome @Oldshipmate to the Community.

It is a timely warning to those out there happy snapping any QR code they encounter. Those smart phone users deserve what happens, if they stumble cluelessly on a malicious one.

Not a problem for me. I take the image and see what’s in it? Sure. For interest.

Let it deliver its payload? Never.

We see so many warnings not to click on links in emails or SMS messages; well, at least with those you can have a look at the URLs to see if they look suspicious.

Try working out what the hell is happening in the content of a QR code.


Creating a QR code is something nearly anyone with a smart device can do.

Enough said.

To note, there are security tools or apps available for mobile devices. How effectively do they protect against malicious QR codes? Various resources, including:

P.S.
Possibly needs an update for 2024? @BrendanMays


Important to note that a QR code is not limited to expressing a URL for a web site.

QR codes (in URL scheme format) are also used for

  • sending an email
  • sending an SMS
  • associating with a new WiFi access point
  • loading a new TOTP or HOTP shared secret for two-factor authentication

QR codes in full generality just carry an arbitrary text string, hence can also be e.g. a serial number (or other similar unique number) or e.g. an arbitrary JSON object (such as a vaccination certificate, suitably encoded if desired) or e.g. a business card in vCard format or e.g. drivers licence info.

Limited only by your imagination.

I would propose that it is more dangerous to share a QR code (JRandom has no idea what information is being revealed) than it is to scan a QR code. The risk from the latter depends on the software e.g. whether it asks for informed consent before “executing” the QR code.

I would suggest that the typical code snapper couldn’t care less about minutely examining the content of the QR image before giving their ‘informed consent’. Assuming the scan settings are even set to confirm before taking whatever action the QR code payload contains.

Anyone with a computer and some QR generating software and printer can make any sort of malicious payload and stick it up somewhere.

The happy snappers will be drawn to photograph it like seagulls to chips down at the beach.

I can only speak for the iPhone but, as far as I am aware, there is no setting to disable the requirement for confirmation. The confirmation is however somewhat limited. It shows you just the domain that it will visit (not the full path) and it provides no protection against link shortening / redirect. So in the example recently posted in another topic, it shows me a box saying chng.it and invites me to touch the box.

Any operating system that, from a QR code, sent an email or SMS without confirmation would be utterly negligent. (What will generally happen is that the email or SMS will be composed from the QR code but not sent. You still have to touch Send, or similar, in order to send it - whatever you would normally do in order to send.)

I don’t discount the possibility that users will still be careless - with either web sites or email/SMS.
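The payload types listed earlier in this thread (web URL, mailto, SMS, WiFi, otpauth 2FA seed, plain text) and the point just made about the iOS prompt showing only the domain can both be illustrated with a small inspector. The code below is an added example, not something posted in the thread or shipped by any phone vendor. It assumes the QR image has already been decoded to a string (for example with a desktop tool such as zbarimg, or a phone app set to "display only"), and the SHORTENERS watch-list is an assumed, illustrative set of hosts rather than an authoritative one. It reports what action a scanner would take, exposes the real host of a URL (including the classic `user@host` trick), and never echoes a WiFi password or 2FA secret back to the screen.

```python
"""Inspect a decoded QR payload and report what a scanner app would do with it.

Added example for this thread; not from the original posts or any vendor's code.
Assumes the QR image has already been decoded to text.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed watch-list of redirect/shortener hosts (illustrative, not exhaustive).
SHORTENERS = {"bit.ly", "chng.it", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}


def _split_semicolon_fields(body):
    """Parse 'K:V;K:V;;' (the WIFI: layout), honouring backslash escapes in values."""
    fields, key, buf, esc = {}, None, [], False
    for ch in body:
        if esc:
            buf.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ":" and key is None:
            key, buf = "".join(buf), []
        elif ch == ";":
            if key is not None:
                fields[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(ch)
    return fields


def inspect_qr_payload(text):
    """Return {'kind', 'action', 'detail', 'warnings'} for one decoded QR string."""
    t = text.strip()
    low = t.lower()
    res = {"kind": "text", "action": "display only", "detail": {"text": t}, "warnings": []}

    if low.startswith(("http://", "https://")):
        u = urlsplit(t)
        host = (u.hostname or "").lower()
        res.update(kind="url", action="open in browser",
                   detail={"host": host, "path": u.path or "/", "query": u.query})
        if low.startswith("http://"):
            res["warnings"].append("plain HTTP: page can be altered in transit")
        if u.username is not None:
            # 'https://bank.example@evil.example/' -> the browser goes to evil.example
            res["warnings"].append("userinfo in URL: text before '@' is NOT the host")
        if host in SHORTENERS:
            res["warnings"].append("link shortener: real destination hidden behind a redirect")
        if host.startswith("xn--") or ".xn--" in host:
            res["warnings"].append("punycode host: may be a look-alike domain")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            res["warnings"].append("raw IP address instead of a domain name")
    elif low.startswith("mailto:"):
        u = urlsplit(t)
        q = parse_qs(u.query)
        res.update(kind="mailto", action="compose e-mail (still needs Send)",
                   detail={"to": u.path, "subject": q.get("subject", [""])[0],
                           "body": q.get("body", [""])[0]})
    elif low.startswith(("sms:", "smsto:")):
        u = urlsplit(t)
        if u.scheme == "smsto":                      # SMSTO:+number:message
            number, _, body = u.path.partition(":")
        else:                                        # sms:+number?body=message
            number, body = u.path, parse_qs(u.query).get("body", [""])[0]
        res.update(kind="sms", action="compose SMS (still needs Send)",
                   detail={"to": number, "body": unquote(body)})
    elif low.startswith("wifi:"):
        f = _split_semicolon_fields(t[5:])
        auth = f.get("T") or "nopass"
        res.update(kind="wifi", action="join Wi-Fi network",
                   detail={"ssid": f.get("S", ""), "auth": auth,
                           "hidden": f.get("H", "").lower() == "true",
                           "password": "*" * len(f.get("P", ""))})  # never echo the secret
        if auth.lower() == "nopass":
            res["warnings"].append("open network: traffic is unencrypted")
    elif low.startswith("otpauth://"):
        u = urlsplit(t)                              # netloc is 'totp' or 'hotp'
        q = parse_qs(u.query)
        issuer, _, account = unquote(u.path.lstrip("/")).rpartition(":")
        res.update(kind=u.netloc.lower(), action="enrol 2FA seed in authenticator",
                   detail={"issuer": q.get("issuer", [issuer])[0], "account": account,
                           "secret_len": len(q.get("secret", [""])[0])})
        res["warnings"].append("shared secret inside: anyone who sees this code can generate your 2FA codes")
    elif low.startswith("tel:"):
        res.update(kind="tel", action="dial (after confirmation)", detail={"number": t[4:]})
    return res


if __name__ == "__main__":
    # Constructed sample payloads, not real codes from the thread.
    for sample in ("https://chng.it/abc123", "https://bank.example@evil.example/login",
                   "WIFI:T:WPA;S:Cafe\\;Net;P:s3cret;;",
                   "otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"):
        print(inspect_qr_payload(sample))
```

Run it on the text from a decoder before letting the phone act on the code; the `host` field is the one thing the iOS prompt also shows, and the warnings list is what that prompt does not tell you.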

Don’t even need the software necessarily. Some printers will print barcodes (including 2D "bar"codes) as built-in functionality. :wink:

I have Android devices. They have required QR apps to be downloaded and installed. The latest may come with the scanning apps built-in, but not mine.

There are numerous settings for the various payload types around whether or not to automatically take the action, or take the action with confirmation, or take no action and simply display what the payload is.

When first installed, most of these settings were set to take the action with no confirmation.

As to an OS being negligent if it allowed something to happen without confirmation. The OS has nothing to do with it. This is an application issue.

On Android (apparently).

On iOS, you do not need to install any app. QR code recognition and handling comes built-in. (There is however a setting to disable the recognition of QR codes - which may be useful if you want to eliminate any risk whatsoever of being hacked by a QR code. The default is that QR codes are recognised, and hence processed at the accidental touch of the screen.)

Yes, the application comes bundled with the iOS phone environment, but it is not part of the OS, which is basically an Apple-customised version of Unix, as opposed to the Android environment, which has a Google-customised version of Linux, a clone of Unix.

I would imagine that Android phones would have a QR scanning app built in these days too.

Built into the camera app since Android version 8.
How to Scan a QR Code on Android.
