The Dangers of QR Codes

By Dr. Ruchi Singhal

A Quick Response Code, or QR Code, is “a machine-readable code consisting of an array of black and white squares, typically used for storing URLs or other information for reading by the camera on a smartphone.” It’s pretty straightforward. Advertisers use them because it’s an easy way to bring a level of interactivity to what’s traditionally static marketing. The code gets printed and distributed, and impressions from print advertising (which were once an impossible metric to track) are now easy to follow via a unique URL hidden behind the QR Code and Google Analytics.

QR Codes are capable of great good. Sadly there are people out there that use their power for evil. QR Codes might seem harmless but they’re not, at least, not entirely. The danger comes from not knowing what hides behind them. The QR Code could potentially hide dangerous malware that would be served up to your phone once scanned. Or you could be directed to a phishing site that aims to steal your personal information.

The threat is that the QR Code could have a malicious URL embedded in it that takes you to a site hosting malware (short for malicious software) that can be installed on your mobile device without your knowledge. Malware can compromise your device’s software and share sensitive information with cybercriminals.

Some of the ways that malware poses a threat to you include:

  • Making your calendar, contacts, and even credit card information available to criminals
  • Stealing your Facebook, Google, and other passwords and posting without your knowledge or permission
  • Tracking your location for criminal purposes
  • Infecting your device with malware that can disable it

The security and privacy threats QR Codes pose are real. Fortunately, documented cases of abuse are low, as QR Codes are just beginning to catch on with consumers. As interest in them grows, QR Codes could become a favorite for cybercriminals bent on exploiting unsuspecting users.

This all sounds dire, for sure, but you use your computer every day where the virus threat is probably a hundred-fold greater. It doesn’t stop you from going online, nor should the risks of scanning QR Codes stop you either.

QR codes can carry the following risks:

Contact details: A QR code is similar to a virtual business card or VCF file that includes all your contact details such as phone number, email address and mailing information. This information is automatically stored in the device’s contact list when scanned. If the data is malicious, it could trigger an exploit on the device or place a rogue entry in your phone for your favorite airline or credit card.

Phone: Scanning a QR code automatically loads or starts a phone call to a predefined number. With all the recent robocall and SIM-jacking attacks, this is another method for a threat actor to access your phone and identity. You are basically calling someone you do not know and handing over your caller ID information.

SMS: Scanning a QR code initiates a text message with a predetermined contact by name, email address or phone number. The only thing the user needs to do is hit send, and you could potentially reveal yourself to a threat actor for SMS spam attacks or trigger the beginning of a SIM-jacking attack. A little social engineering is all it takes to convince the user to hit the send button.

Text: Scanning a QR code reveals a small amount of text in the code. While this seems low risk, QR codes are not human-readable and unless you scan one, you have no idea that the contents are actually just a text message.

Email: Scanning a QR code stores a complete email message with the subject line and recipient. All that is required is to hit send, and this could be the beginning of any form of phishing or spear-phishing attack. The threat actor knows your email address because you validated it by hitting send to an unknown destination.

Location coordinates: Scanning a QR code automatically sends your location coordinates to a geolocation-enabled application. If you are concerned about your data and location privacy, why would you ever do this?
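As an added illustration (not part of the original article), the sketch below classifies an already-decoded QR string into the payload types listed above and reports the action a scanner would offer, without opening anything. The prefix table reflects common de facto encodings and is an assumption; the function names and sample payloads are constructed for this example.

```python
from urllib.parse import urlsplit

# (prefix, payload kind from the list above, action a scanner would offer).
# Assumption: these are the common de facto encodings; scanners may accept more.
PREFIXES = [
    ("begin:vcard", "contact", "add an entry to the contact list"),
    ("mecard:", "contact", "add an entry to the contact list"),
    ("tel:", "phone", "dial a number"),
    ("smsto:", "sms", "compose a text message"),
    ("sms:", "sms", "compose a text message"),
    ("mailto:", "email", "compose an email"),
    ("matmsg:", "email", "compose an email"),
    ("geo:", "location", "open coordinates in a map application"),
]

def inspect_url(url):
    """Return the real destination host plus warnings worth showing the user."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("not HTTPS")
    if host.replace(".", "").isdigit() or ":" in host:
        warnings.append("host is an IP address")
    return "open " + host, warnings

def classify(payload):
    """Return (kind, action, warnings) for a decoded QR string; nothing is opened."""
    text = payload.strip()
    lower = text.lower()
    for prefix, kind, action in PREFIXES:
        if lower.startswith(prefix):
            return kind, action, []
    if lower.startswith(("http://", "https://")):
        return ("url",) + inspect_url(text)
    return "text", "display plain text", []

# Constructed sample payloads (not taken from any real QR code).
SAMPLES = [
    "http://203.0.113.7/login",
    "tel:+15550100",
    "SMSTO:+15550100:YES",
    "BEGIN:VCARD\nVERSION:3.0\nFN:Example Airline\nTEL:+15550100\nEND:VCARD",
    "geo:28.5355,77.2590",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

Showing the kind and the destination host before any action is taken addresses the core problem the article describes: the contents of a QR code are not visible until it is scanned.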

If you are ever out and about and see a QR code on a wall, building, computer screen or even a business card, do not scan it. A threat actor can easily paste their malicious QR code on top of a real one and create their own copies, and based on appearance, you have no idea if the contents are safe or malicious. To that end, I never scan QR codes, and neither should you.

Dr. RUCHI SINGHAL

Associate Professor

JIMS Kalkaji

