InfoGuard Cyber Security and Cyber Defence Blog

QR code – a little square that poses an underrated cyber risk

Written by Michelle Gehri | 17 Jul 2020

QR codes have been around for about 16 years now, yet in Switzerland they have only been enjoying growing popularity for a few years. QR codes have many advantages: above all, they are practical and versatile. However, the more widespread they become, the more attractive they are to cyber criminals. But just how vulnerable are QR codes? Find out here how they can be used and how they can be made (more) secure.

Quick Response codes, or “QR codes” as they are known, allow complex information to be presented in a condensed, compact form. The predominantly black-and-white matrix can be found everywhere: on packaging, posters, billboards, in magazines and newspapers and, more recently, on payment slips, and it looks rather unremarkable. Nevertheless, this collection of small dots and squares is a stepping stone from the offline environment to the online world. Just by scanning it with a smartphone (known as “mobile tagging”), users suddenly find themselves on the world wide web. From there, they can quickly and easily access the pages and content that the QR code points to.

In principle, the system is similar to supermarket barcodes. The main difference is that a QR code has a two-dimensional structure, which means that much more data can be stored. As well as this, QR codes are very robust: in other words, they can still be read even if the code is slightly damaged. And last but not least, almost every smartphone is now able to read a QR code, and can generate one with a free application. In a nutshell, they are simple, versatile and readily available to everyone.

As is often the case, the technology was pioneered in Asia. Toyota originally designed the grid of pixels to automatically identify parts and assemblies. The system is particularly widespread in China, where, among other things, it is used as a payment system, often for substantial sums of money.

QR codes – common practice for us too

The QR code is not quite as widespread here in Switzerland as in other countries, but we still need to be vigilant about security when using it. QR codes are being used in sectors like industry and event ticketing, but particularly in the financial sector. In a recent press release, SIX, the operator of the infrastructure for the Swiss financial centre, even announced that QR invoices will gradually replace the current payment slips. The so-called “Swiss QR code” will contain all the information that could previously be read from the invoice. You can find more information on QR invoicing on the “einfach-zahlen.ch” (payments simplified) website.

Clearly, cyber criminals are also showing greater interest in QR codes. For example, it became public as early as 2011 that Iranian government hackers had captured a US spy drone using this method.

One thing above all should not be forgotten, especially when it comes to private use: codes are usually scanned with a smartphone. In contrast to computer use, mobile users are often less aware of the cyber risks associated with their mobile devices, and that is just perfect for cyber criminals. Security measures on smartphones are also less common, so these devices have less protection.

Why QR codes can't be hacked…

To avoid giving the wrong message right from the start, we should say that QR codes can be “hacked” in theory, but not really in practice, because hacking would imply that the action triggered by the code had been modified through manipulation. In the case of a QR code, the arrangement of the square modules would need to be changed in such a way that the link leads to a new, malicious source. That's probably too clunky even for cyber criminals, don't you think?

…but they can be used maliciously

However, just because QR codes cannot be hacked, it does not necessarily mean that they are secure, because, depending on their use and configuration, it is easy for cyber criminals to substitute another QR code. Examples of this include posters with a printed code (easy to stick a new one over the top), voucher and competition codes on flyers, business cards, manipulated PDFs and payment slips, or even phishing e-mails with an embedded code (competitions, event registrations, electronic business cards, etc.).

The attack methods for QR codes

The root of the problem is that with a QR code, it is not possible to check whether the content corresponds to the content that is expected, so both the user and the scanner app have to simply trust the code. Of course, the same applies to the QR invoices mentioned earlier.

As an example: when you click on a link (e.g. in an e-mail), the displayed URL and the active hyperlink show you where you are being directed. In the case of a QR code, you are not able to judge where the link leads. (Note: some smartphones/apps now display the link before opening it, but many do not.) Of course, codes can also be created that redirect you to harmful content, such as websites that download malware or ones with illegal content. Furthermore, if tools like “bit.ly” are used to shorten the URL, you have no way of telling at all. With this attack method, a Trojan is typically planted on the device when JavaScript on the page is executed, and it is activated from there.

In another attack scenario, attackers (APTs) can exploit a cross-site scripting vulnerability on a legitimate website to plant a malicious QR code there. This makes it possible to link to a page that, for instance, steals your account details (credit card details, e-mail address, etc.).

Maybe you have also heard of the term QRLJacking. This attack method uses OWASP (Open Web Application Security Project) as an attack vector and is used when a QR code serves as a one-time password and is displayed on the screen.

How to use QR codes securely

These days, no system is really secure. QR codes are no exception, and within the security community they are contentious. Nevertheless, when they are used correctly, they are one of the (more) secure methods. Why else would banks worldwide rely on them, for example for two-factor authentication? By following these tips, you can continue to use QR codes with confidence.

  1. First of all, the security awareness measures we have preached so often are back in the spotlight. You should only scan a code if its source is trustworthy. For e-mails, start by applying the usual tips for unmasking phishing e-mails. How? Our phishing poster shows you some concrete examples and can be downloaded free of charge.

  2. If you are taken to a page with a form (or forwarded on via a website), always bear in mind that this might be a trap. This is how cyber criminals try to get hold of your personal information.

  3. Choose scanner apps that do not execute the encoded content or open the website without asking you first. Far from all scanner apps behave this way. For example, we recommend the “QR code & barcode scanner” from TeaCapps, with which you can also generate your own codes (available at no charge in the App Store and on Google Play).

  4. Always use security applications on your mobile devices, just as you (should!) do on your computer. In other words, antivirus and anti-malware software should be the norm. These can help prevent drive-by download attacks and alert you if you are about to be redirected to a suspicious website. If you don't know how to set up these security applications, your internal IT support team will be happy to help you. As an immediate measure, you can deactivate the “open website automatically” function on your smartphone, if it has one.

  5. For payment slips from Swiss providers, you currently still have the choice between the QR code and the conventional method. Swiss security standards are high, so if invoices come from “reputable” issuers (e.g. banks, or if payment is processed via TWINT), you can usually pay with peace of mind using the QR code. However, as with every recently introduced system, there are still dangers and potential vulnerabilities lying in wait, which is why the cyber risks are definitely higher, especially at the outset. You should also be careful with invoices from foreign, relatively unknown issuers.
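As an added illustration of tips 3 and 4 (this is example code, not code from the InfoGuard article or from any scanner app), the following Python check does what a cautious scanner should do before acting on a decoded payload: classify the content and list the warnings to show the user, covering the cases the article mentions (URL shorteners that hide the destination, payment data in a Swiss QR code) and a few related URL tricks. The shortener list, the scheme list and the sample payloads are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed, non-exhaustive list of URL-shortener hosts (assumption).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}
# Schemes that trigger a device action (call, SMS, Wi-Fi join, mail) rather than a web page.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "wifi", "geo", "market", "intent"}


def inspect_qr_payload(payload: str) -> dict:
    """Classify a decoded QR payload and list what a scanner should show before acting on it."""
    warnings = []
    if payload.startswith("SPC\n"):  # Swiss QR-bill payloads begin with the "SPC" marker line
        return {"kind": "qr-bill", "target": None, "risk": "review",
                "warnings": ["payment data: confirm creditor and amount before paying"]}
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme in ("http", "https"):
        host = (parts.hostname or "").lower()
        if scheme == "http":
            warnings.append("plain HTTP: page is not encrypted")
        if "@" in parts.netloc:  # "https://bank.example@evil.example" really goes to evil.example
            warnings.append(f"user-info trick: real host is {host}")
        try:
            ipaddress.ip_address(host)
            warnings.append("raw IP address instead of a domain name")
        except ValueError:
            pass  # a normal domain name, nothing to flag here
        if host in SHORTENER_HOSTS:
            warnings.append("URL shortener: final destination is hidden")
        if host.startswith("xn--") or ".xn--" in host:
            warnings.append("punycode host: possible look-alike domain")
        return {"kind": "url", "target": host, "risk": "high" if warnings else "low",
                "warnings": warnings}
    if scheme in ACTION_SCHEMES:
        return {"kind": "action", "target": scheme, "risk": "review",
                "warnings": [f"{scheme}: triggers a device action, not a web page"]}
    if scheme:
        return {"kind": "other", "target": scheme, "risk": "high",
                "warnings": [f"unknown scheme '{scheme}': do not open"]}
    return {"kind": "text", "target": None, "risk": "low", "warnings": []}


if __name__ == "__main__":
    # Constructed sample payloads; none of these are real QR contents from the article.
    for sample in ("https://www.einfach-zahlen.ch/", "http://bit.ly/abc123",
                   "https://bank.example@203.0.113.9/login", "WIFI:T:WPA;S:guest;P:secret;;",
                   "SPC\n0200\n1\nCH0000"):
        print(inspect_qr_payload(sample))
```

Whatever the verdict, a scanner built along these lines shows the target and the warnings and waits for the user, which is exactly the "do not open automatically" behaviour tip 3 asks for.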

As you can see, QR codes carry some hidden risks that could be exploited by cyber criminals. As a result, security experts are making constant appeals for regular security updates. So, as is so often true, here we say: trust is good, control is better. The next time you use a QR code, remember our tips to make sure you stay on the "safe" side.
