I don’t scan QR codes, and neither should you, especially if you care about cybersecurity.
A QR code is a two-dimensional barcode that a smartphone camera or a similar visual scanner can read. A single code can hold over 4,000 characters in a condensed, machine-readable format, and the format was designed as a rapid way to consume static content tied to a specific task. Once a program generates a static QR code (as opposed to a dynamic QR code, whose fields such as a URL can be changed later), that code cannot be modified to perform another function.
Surprisingly, that immutability is not the source of cybersecurity risk, even for dynamic QR codes. The risk is in the content itself: whatever has been encoded and displayed for an unsuspecting user to scan. Once they scan it, it can be the prelude to an attack.
To dive a little deeper, a QR code can contain the following risks:
Contact details: A QR code can act like a virtual business card or vCard (VCF) file that includes all your contact details, such as phone number, email address and mailing information. When scanned, this information is automatically stored in the device’s contact list. If the data is malicious, it could trigger an exploit on the device or place a rogue entry in your phone that impersonates your favorite airline or credit card company.
Phone: Scanning a QR code automatically loads or starts a phone call to a predefined number. With all the recent robocall and SIM-jacking attacks, this is another method for a threat actor to access your phone and identity. You are basically calling someone you do not know and handing over your caller ID information.
SMS: Scanning a QR code initiates a text message to a predetermined contact by name, email address or phone number. The only thing you need to do is hit send, and you could reveal your number to a threat actor for SMS spam attacks or trigger the beginning of a SIM-jacking attack. A little social engineering is all it takes to convince a user to hit the send button.
Text: Scanning a QR code reveals the short text stored in the code. While this seems low risk, QR codes are not human-readable, so until you scan one you have no idea whether the contents are actually just a harmless text message.
Email: Scanning a QR code stores a complete email message with the subject line and recipient. All that is required is to hit send, and this could be the beginning of any form of phishing or spear-phishing attack. The threat actor knows your email address because you validated it by hitting send to an unknown destination.
Location coordinates: Scanning a QR code automatically sends your location coordinates to a geolocation-enabled application. If you are concerned about your data and location privacy, why would you ever do this?
Website or URL: Scanning a QR code can automatically launch and redirect you to a website. The contents could contain malware, an exploit or other undesirable content.
Calendar event: Scanning a QR code automatically adds an event to the device’s calendar, with the option of a reminder. Outside of a vulnerability in the local calendar application, the contents may be unwanted in a business or personal calendar, and deleting a recurring meeting is an annoyance if it was improperly entered.
Social media profile: Scanning this type of QR code initiates a “follow” for a specific profile on sites such as Instagram or Twitter, using the scanner’s personal profile. Depending on the social media platform, the account being followed may have access to your personal information and be aware that you are following them.
Wi-Fi network: This QR code stores Wi-Fi credentials for automatic network connection and authentication. If you consider all the threats of open Wi-Fi networks and even closed networks that use WPA2, the introduction of an unknown or insecure network to your preferred list is just a bad idea.
App store: Scanning links to a page directly on an app store can make an application simple to download. While this is convenient, the listing could be malicious (especially on Android devices) or could be a spoofed page using an embedded URL to trick you into loading an unsanctioned malicious application. Your best bet is to always navigate to an application yourself and not rely on a hotlink.
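As an added, defender-side example (not code from the original article), the Python below takes the decoded text that a scanner app would hand to the operating system and reports which of the actions above it would trigger, together with the fields worth inspecting and warnings for the riskier cases, without performing any of those actions. The payload formats it recognizes (tel:, sms:/SMSTO:, mailto:, geo:, WIFI:, vCard, iCalendar, http/https) are the standard QR encodings; the warning heuristics (cleartext http, userinfo before an @, raw IP hosts, open Wi-Fi, recurring events) are my own choices, and any sample payloads are constructed for illustration.

```python
"""Preview what a decoded QR payload would make a phone do, without doing it.

Added example, not from the original article; warning heuristics are the author's own.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, unquote, urlsplit


@dataclass
class Preview:
    kind: str                                   # action the scanner app would trigger
    fields: dict = field(default_factory=dict)  # values the user should inspect first
    warnings: list = field(default_factory=list)


def _kv_fields(body: str) -> dict:
    """Parse 'K:V;K:V;;' bodies such as WIFI:; a backslash-escaped ';' is literal."""
    out = {}
    for seg in re.split(r"(?<!\\);", body):
        if ":" in seg:
            k, v = seg.split(":", 1)
            out[k.strip().upper()] = v.replace("\\;", ";")
    return out


def _vobject_fields(text: str) -> dict:
    """Parse 'NAME;PARAMS:VALUE' lines of vCard / iCalendar into {NAME: VALUE}."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            out[name.split(";", 1)[0].strip().upper()] = value.strip()
    return out


def preview_qr_payload(payload: str) -> Preview:
    """Classify decoded QR text by the action it would trigger; never acts on it."""
    text = payload.strip()
    low = text.lower()
    if low.startswith("begin:vcard"):
        f = _vobject_fields(text)
        p = Preview("contact", {k: f[k] for k in ("FN", "TEL", "EMAIL", "URL") if k in f})
        if "URL" in f:
            p.warnings.append("contact entry embeds a URL that will be saved with it")
        return p
    if low.startswith(("begin:vcalendar", "begin:vevent")):
        f = _vobject_fields(text)
        p = Preview("calendar", {k: f[k] for k in ("SUMMARY", "DTSTART", "RRULE") if k in f})
        if "RRULE" in f:
            p.warnings.append("recurring event: every occurrence must be removed later")
        return p
    if low.startswith("tel:"):
        return Preview("phone", {"number": unquote(text[4:])},
                       ["dialing hands your caller ID to an unknown party"])
    if low.startswith("smsto:"):                 # SMSTO:<number>:<message>
        number, _, body = text[6:].partition(":")
        return Preview("sms", {"number": number, "body": body},
                       ["sending confirms your number to the recipient"])
    if low.startswith("sms:"):                   # sms:<number>?body=<message>
        u = urlsplit(text)
        return Preview("sms", {"number": u.path, "body": parse_qs(u.query).get("body", [""])[0]},
                       ["sending confirms your number to the recipient"])
    if low.startswith("mailto:"):
        u = urlsplit(text)
        return Preview("email", {"to": u.path, "subject": parse_qs(u.query).get("subject", [""])[0]},
                       ["sending confirms your address to the recipient"])
    if low.startswith("geo:"):
        return Preview("location", {"coords": text[4:].split("?", 1)[0]},
                       ["opens a map app at these coordinates"])

    if low.startswith("wifi:"):
        f = _kv_fields(text[5:])
        auth = f.get("T", "") or "nopass"       # empty T means an open network
        p = Preview("wifi", {"ssid": f.get("S", ""), "auth": auth},
                    ["joining adds an untrusted network to the preferred list"])
        if auth.lower() == "nopass":
            p.warnings.append("open network: traffic is unencrypted")
        return p

    if low.startswith(("http://", "https://")):
        u = urlsplit(text)
        host = (u.hostname or "").lower()
        p = Preview("url", {"scheme": u.scheme, "host": host, "path": u.path})
        if host in ("apps.apple.com", "play.google.com"):
            p.kind = "app_store"                 # still verify the listing in the store itself
        if u.scheme == "http":
            p.warnings.append("cleartext http: content can be altered in transit")
        if u.username:
            p.warnings.append("userinfo before '@' hides the real host")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            p.warnings.append("raw IP address instead of a domain name")
        return p

    return Preview("text", {"text": text})
```

The function is meant to sit between the barcode decoder and whatever would act on the result, so a user (or an MDM policy) sees the dial, send, join or open action, and the exact number, address, SSID or host, before anything happens. Feeding it the decoded string is enough; it never opens a URL, joins a network or creates an entry.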
Finally, let’s address dynamic QR codes. These codes are generated once, but the data behind them can be edited at any later date. They can include password protection and embedded analytics so creators can track how they are used. Dynamic QR codes can even add simple logic such as device-based redirection to behave differently for Apple iOS devices versus Google Android devices. For example, based on the device, the user can be redirected to the appropriate app store or music library. That alone allows a threat actor to aim device- and application-specific exploits at particular assets to ensure a higher rate of success.
If you are ever out and about and see a QR code on a wall, building, computer screen or even a business card, do not scan it. A threat actor can easily paste their malicious QR code on top of a real one and create their own copies, and based on appearance, you have no idea if the contents are safe or malicious. To that end, I never scan QR codes, and neither should you.