QR codes have been around for about 16 years now, and yet in Switzerland they have only been growing in popularity for a few years. QR codes have many advantages – above all, they are practical and versatile. However, the more widespread they become, the more attractive they are to cyber criminals. But just how vulnerable are QR codes? Find out here how they can be used and how they can be made (more) secure.
Quick Response codes (“QR codes”), as they are known, allow complex information to be presented in a condensed, compact form. The predominantly black-and-white matrix can be found everywhere: on packaging, posters, billboards, in magazines, newspapers and, more recently, on payment slips, and it looks rather unremarkable. Nevertheless, this collection of small dots and squares is a stepping stone from the offline environment to the online world. Just by scanning it with a smartphone, known as “mobile tagging”, users suddenly find themselves on the World Wide Web. From there, they can quickly and easily access the pages and content triggered by the QR code.
In principle, the system is similar to supermarket barcodes. The main difference is that the QR code has a two-dimensional structure, which means that much more storage capacity is available. QR codes are also very robust – in other words, they can be read even if the code is slightly damaged. And last but not least, almost every smartphone is now able to read a QR code and, with a free application, generate one. In a nutshell, they are simple, versatile and readily available to everyone.
As is often the case, QR codes were pioneered in Asia. Toyota originally designed the grid of pixels to automatically recognise parts and assemblies. The system is particularly widespread in China, where, among other things, it is used as a payment system – often for substantial sums of money.
The QR code is not quite as widespread here in Switzerland as in other countries, but we still need to be vigilant about security when using it. QR codes are being used in other sectors like industry and event ticketing, but particularly in the financial sector. In a recent press release, SIX, the operator of the infrastructure for the Swiss financial centre, even announced that QR invoices will gradually replace the current payment slips. The so-called “Swiss QR code” will include all the information that could previously be read on the invoice. You can find more information on QR invoicing on the “einfach-zahlen.ch” (payments simplified) website.
Clearly, cyber criminals are also showing greater interest in QR codes. For example, it became public as early as 2011 that Iranian government hackers had captured a US spy drone using this method.
One thing above all should not be forgotten, especially when it comes to private use: codes are usually scanned with a smartphone. Compared with computer users, mobile users are often less aware of the cyber risks associated with their devices – and that is just perfect for cyber criminals. Security measures are also less common on smartphones, so they have less protection.
To avoid giving the wrong message right from the start, we should say that, in theory, QR codes can be “hacked”, but not really in practice, because hacking would imply that the triggered action has been modified by manipulating the code itself. In the case of a QR code, the arrangement of the square modules would therefore need to be changed in such a way that the link leads to a new, malicious source. That's probably too clunky even for cyber criminals, don't you think?
However, just because QR codes cannot be hacked, it does not necessarily mean that they are secure, because, depending on their use and configuration, it is easy for cyber criminals to substitute another QR code. Examples of this include posters with an imprint (easy to stick over the top), voucher and competition codes on flyers, business cards, manipulated PDFs and payment slips, or even phishing e-mails with integrated codes (competitions, event registrations, electronic business cards, etc.).
The root of the problem is that with a QR code, it is not possible to check whether the content corresponds to the “content” that is anticipated, so both the user and the reading programmes have to just trust the code. Of course, the same applies to the QR invoices mentioned earlier.
As an example: when you click on a link (e.g. in an e-mail), the URL displayed and the active hyperlink show you where you are being directed to. In the case of a QR code, you are not able to judge where the link leads to. (Note: some smartphones/apps now display the link, but many do not.) Of course, codes can also be created that redirect you to harmful content, such as websites that download malware or ones with illegal content. Furthermore, if tools like “bit.ly” are used to shorten URLs, you don't stand any chance at all. Usually, with this attack method, a Trojan is automatically embedded in the system when JavaScript is executed and it is activated there.
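A scanner app that shows the destination before opening it, as described above, could run a check like the following on the decoded text. This is an added example, not code from the original article or from any real scanner app; the function name `preview_qr_payload`, the `SHORTENERS` set and the sample payloads are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: only bit.ly is named on the page; extend this set as needed.
SHORTENERS = {"bit.ly"}

def preview_qr_payload(payload, expected_hosts=()):
    """Return (host, warnings) for a decoded QR payload before it is opened."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower()
    except ValueError:
        return None, ["malformed URL"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return None, [f"not a web link (scheme: {scheme or 'none'})"]
    if not host:
        return None, ["no host in URL"]
    warnings = []
    if scheme == "http":
        warnings.append("unencrypted http")
    if parts.username or parts.password:
        warnings.append("text before '@' can disguise the real host")
    if host in SHORTENERS:
        warnings.append("URL shortener hides the final destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host may imitate another domain")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # an ordinary domain name
    # The scanner knows what it expects (e.g. the poster's own domain).
    if expected_hosts and not any(
        host == e or host.endswith("." + e) for e in expected_hosts
    ):
        warnings.append("host is not one of the expected hosts")
    return host, warnings

if __name__ == "__main__":
    # Constructed sample payloads, not taken from real QR codes.
    for sample in ("https://bit.ly/abc123",
                   "https://example.ch@203.0.113.5/pay",
                   "https://www.example.ch/pay"):
        print(sample, "->", preview_qr_payload(sample, ("example.ch",)))
```

The host returned is what the user should be shown and asked to confirm; a shortened link can only be flagged, not resolved, without contacting the shortener.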
In another attack scenario, APTs can use cross-site scripting to exploit vulnerabilities on a real website to deploy a malicious QR code. This makes it possible to link to a page that, for instance, steals your account details (credit card details, e-mail address, etc.).
Maybe you have also heard of the term QRLJacking. This attack method uses OWASP (Open Web Application Security Project) as an attack vector and is deployed when the QR code is used as a one-time password and displayed on the screen.
These days, no system is really secure. QR codes are no exception and, within the security community, they are contentious. Nevertheless, when they are used correctly, they are one of the (more) secure methods. Why else would banks worldwide rely on them, for example with two-factor authentication? By following these tips, you can continue to use QR codes with confidence.
As you can see, QR codes carry some hidden risks that could be exploited by cyber criminals. As a result, security experts are making constant appeals for regular security updates. So, as is so often true, here we say – trust is good, control is better. The next time you use QR codes, remember our tips to make sure you stay on the "safe" side.