QR (quick response) codes are two-dimensional barcodes that can encode various kinds of data. A growing number of fields of application are using QR codes because of their high information density and durability. Since their creation to track automotive parts in manufacturing facilities, QR codes have become more prevalent in cities and mobile devices.
The most common use case in advertising is encoding URLs, contact information, geo-locations, and text to make them instantly available to the user. Billboard advertisements with QR codes can be found in most urban spaces to deliver information to potential future customers, obviating the need to type in the URL manually to visit a webpage. The supermarket chain Tesco used QR codes to boost online shopping and penetrate the South Korean market. A shampoo company launched another innovative and cost-efficient marketing campaign by cutting QR codes into hairstyles. People with these haircuts acted as moving advertisements for the shampoo, since scanning their “hair tattoos” redirected the scanner to the company’s website.
In addition to processing mobile payments, QR codes offer the chance to buy a good or a service by simply scanning one. This type of payment is referred to as “one-click.” After scanning the relevant QR code, the user is directed to the company’s website or an intermediary payment agent.
Despite the many benefits they provide, QR codes carry serious security risks. Attackers can encode harmful links that take users to phishing websites, for example. Such malicious QR codes can be printed on tiny stickers and pasted over legitimate ones on advertisements displayed on billboards.
QR codes as attack vectors
Since the information in a QR code is completely obfuscated to a human reader, it is possible to trick and attack users via phishing, pharming, and other social engineering attacks by putting up fake QR codes. It is also possible to attack users by exploiting the QR code readers they use, for example via command injection or buffer overflows.
1. Attacking automated processes
Automated processes often assume that the encoded information in QR codes is sanitized. However, it is known that QR codes can easily be manipulated to change the encoded information, potentially producing attacks on backend software. Without sanitization of QR code input, attacks such as SQL injection, command injection, and fraud become possible.
- Automated attacks: Most software developers do not treat the encoded information as potentially insecure input because QR codes are a standardized method of encoding information. The information encoded in the QR code could be changed by changing various components of the code. Attacks on the reader software and the backend are theoretically feasible depending on the programs that process the encoded information, whether in logistics, public transportation, or a fully automated assembly line. Without proper sanitization, an adversary could use this for the following non-exhaustive list of attacks. Similar attacks using RFID chips and SQL injection have been very effective because input sanitization was not used in those examples.
- SQL injection: Many automated systems use relational databases to store and process the encoded data. By appending a semicolon and a SQL query, such as drop table <tablename>, to the encoded data, an attacker can manipulate the backend database (provided the DBMS allows for multiple queries in a single line). This would cause a denial of service by deleting the table specified in the command. Performing system commands (for instance, by using the stored procedure xp_cmdshell on Microsoft SQL Server) or altering data, such as prices or passwords, within the database are examples of more focused attacks.
- Command injection: The operating system’s security may suffer if the encoded data is used as a command line parameter without being sanitized. Examples of such consequences include installing rootkits, invoking denial-of-service attacks, or establishing a shell connection to a remote computer under the attacker’s control.
- Fraud: Changes to the automated system can be used to commit fraud by leading it to believe that it is processing the more expensive product “B” when, in fact, it is processing the cheaper product “A.”
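The SQL injection case above, shown as an added example that is not code from the original article: a backend that looks up a scanned product code, first with the payload concatenated into the statement and then with format validation plus a bound parameter. The table layout, the SKU-###### payload format, and all function names are assumptions made for the illustration.

```python
import re
import sqlite3

# Assumed payload format for this example: a product code such as "SKU-000123".
SKU_PATTERN = re.compile(r"SKU-\d{6}")

# Constructed hostile payload, following the text: semicolon plus "drop table".
HOSTILE = "SKU-000001'; DROP TABLE products; --"

def make_db():
    """Create a constructed in-memory inventory table for the demonstration."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT, price_cents INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [("SKU-000001", "Product A", 199), ("SKU-000002", "Product B", 4999)])
    db.commit()
    return db

def table_exists(db):
    """True while the products table is still present."""
    row = db.execute("SELECT count(*) FROM sqlite_master "
                     "WHERE type = 'table' AND name = 'products'").fetchone()
    return row[0] == 1

def lookup_unsafe(db, payload):
    """Before: the decoded payload is pasted into the statement text."""
    # executescript() runs several statements, like a DBMS that allows
    # multiple queries in a single line.
    db.executescript("SELECT name FROM products WHERE sku = '" + payload + "';")

def lookup_safe(db, payload):
    """After: allow-list the format, then bind the value as a parameter."""
    if not SKU_PATTERN.fullmatch(payload):
        raise ValueError("rejected QR payload: not a well-formed SKU")
    return db.execute("SELECT name, price_cents FROM products WHERE sku = ?",
                      (payload,)).fetchone()

if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "SKU-000002"))
    try:
        lookup_safe(db, HOSTILE)
    except ValueError as err:
        print(err, "| table intact:", table_exists(db))
    lookup_unsafe(db, HOSTILE)
    print("after unsafe lookup, table intact:", table_exists(db))
```

Format validation does not address the fraud case: a well-formed code for product “A” placed on product “B” still passes, so that needs a separate cross-check such as weight or a signed label.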
2. Phishing (QPhishing)
The primary security concern with QR codes is phishing. Another name for it is QRishing. QR codes are typically scanned with a smartphone camera to access a website. Nowadays, a QR code is frequently included in website advertisements along with the URL so that users can quickly scan the QR code to access the website. Hackers or con artists attempt to alter the QR code that was added to the poster. They can also produce fake posters in a similar style and post them in public areas. When unaware customers scan these phony QR codes to access the websites, they are instead taken to phishing websites.
On mobile devices, checking the full address in the browser is hard. Due to limited space, browsers do not display the full URL, and most people never check the full address, which makes them more vulnerable. Their credentials are compromised when they use the phishing page to log in. In the same way, attackers can use QR codes to point to malicious websites that distribute malware via drive-by download attacks. Drive-by download attacks are attacks in which a website forcibly downloads software onto your device when you visit it.
3. Fraud
In advertisements, QR codes are frequently used to point the target audience to exclusive deals or more details on particular products. An adversary could sell the requested product without ever fulfilling the contract if the QR code could be used to trick the user into going to a fake website. By clicking the link, the victim implicitly endorses the advertising company.
4. Attacking reader software
If the encoded data is not sanitized, various reader software implementations on computers or mobile devices may be vulnerable to command injection attacks or conventional buffer overflows. An attacker may be able to access the entire smartphone, including the victim’s email or SMS messages or contact information.
5. Social engineering attacks
Building on these attacks, more specific attacks like spear phishing or other variants of social engineering are enabled, depending on the attacker’s goal. Leaving a poster with a QR code in a company’s parking lot (instead of the traditional attack with a USB drive) and offering a discount at a nearby restaurant is a new attack vector that is likely to be successful.
Best practices to secure QR codes
- QR codes are challenging because it is impossible to separate the good from the bad by simply looking at the code. Because the vulnerability is essentially built into the design, consider installing a reader app (such as Inigma) that previews each code before opening a webpage. In this manner, if the QR code is bad, you will have the option to decline.
- If scanning a code takes you to a login form, always keep in mind that this could be a trap set by thieves to obtain personal information. Genuine QR codes never request sensitive information.
- Display information on what the code does on signage for users. If not, the user won’t be able to determine whether the code should point to a URL, phone number, or SMS.
- Write the URL close to the code. In this manner, the user can recognize they aren’t on the right website if the code is hijacked.
- Make HTTPS part of the URL. Prepare users to look for HTTPS before interacting with you.
- Try to use a short domain name. If your users can see the entire domain in their phone’s URL bar, it will not only make the QR code smaller but also boost their confidence.
- Avoid requesting that users pull out their credit cards on a busy street. Utilize a mobile payment method that debits the user’s credit card or charges their phone bill.
- You need to know the location of any QR Codes you place in open spaces. A code may be in danger if it is posted on a billboard, a storefront, or another location where the public can see it. But when “normal” traffic passes through your code, you’ll know it’s working properly. Check to make sure the code is still present and hasn’t been altered if the flow of traffic suddenly stops.
- Branded, distinctive QR codes with unique colors or other design elements are much more likely to attract attention, so you should still use them. Additionally, it will make people aware that they are dealing with a genuine link to your brand rather than a fake code. A highly designed and colorful code will be much more difficult for a hacker to simulate than a plain one.
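The preview step and the URL checks from the list above (payload type, HTTPS, the domain printed next to the code), as an added example that is not part of the original article. The function name, the `expected_host` parameter, the warning texts, and the reserved `.example` and `.test` domains in the comments are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

NON_WEB_SCHEMES = ("tel", "sms", "smsto", "mailto", "geo")

def preview_qr_payload(payload, expected_host):
    """Classify a decoded QR payload without opening it.

    Returns (kind, host, warnings). expected_host is the domain printed
    next to the code, e.g. "shop.example" (hypothetical).
    """
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return "other", None, ["payload could not be parsed"]
    scheme = parts.scheme.lower()
    if scheme in NON_WEB_SCHEMES:
        # Signage should tell the user to expect a call, SMS, and so on.
        return scheme, None, ["not a web link"]
    if scheme not in ("http", "https"):
        return "other", None, ["unrecognized payload type"]

    host = (parts.hostname or "").lower()
    expected = expected_host.lower()
    warnings = []
    if scheme != "https":
        warnings.append("no HTTPS")
    if parts.username is not None:
        # Text before '@' is not the host; a narrow URL bar can hide this.
        warnings.append("user-info before '@'; real host is " + host)
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        warnings.append("internationalized host name; compare it carefully")
    if host != expected and not host.endswith("." + expected):
        warnings.append("host " + host + " does not match printed domain " + expected)
    return "url", host, warnings

if __name__ == "__main__":
    # Constructed sample payloads on reserved example domains.
    for sample in ("https://shop.example/deal",
                   "http://shop.example/deal",
                   "https://shop.example@login.attacker.test/deal",
                   "https://shop.example.attacker.test/deal",
                   "tel:+15550100"):
        print(sample, "->", preview_qr_payload(sample, "shop.example"))
```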
The end users, like the customers, must look at a QR code carefully if they see one on a banner ad in a public space. Hackers frequently place their bogus QR code above a real QR code on a legitimate poster. Try to determine whether it is real or not. Checking is possible by touching the poster. Don’t use it if it doesn’t appear to be printed on the poster. Do not ever scan that QR code if you are unsure.
Always be wary of the website you access through a QR code. Never divulge any personal information on these pages unless the QR code comes from a reliable source. Always manually type the URL into the browser’s address bar to log into any website.