The question of QR code security

The varied global impacts of the Covid-19 pandemic need little introduction. Since the crisis swept the world off its feet and onto new ground, dubbed ‘the new normal’, social, economic and political status quos have continuously shifted and adapted over the past 18 months to take on new forms.

Where we once shook hands, we now bump elbows; holidays have been replaced with staycations; and global digital transformation strategies are said to have accelerated by seven years since the virus first emerged. It can sometimes be hard to remember what life was like pre-pandemic, but the everyday routine has changed dramatically.

Scanning and signing into public places is an everyday ‘new normal’ habit that has rapidly taken hold. Whether it is by old-school means of filling out a paper form or giving name and contact details to a member of staff, or by faster means powered by smartphones and mobile connectivity, more and more of our movements are being officially logged. Here, the role of the QR code has become decidedly more influential.

Originally adopted in 1994 to assist large-scale manufacturing processes, these barcodes on steroids have become commonplace in society, used to join a café or pub Wi-Fi network or to verify a ticket to a concert. Since the emergence of Covid-19, however, the QR (quick response) code has become part of critical digital infrastructure.

Where touchless experiences and the tracking and tracing of people have become paramount to international health and safety, the QR code has stepped into the limelight as a convenient solution capable of ticking both boxes. Albeit something of a glorified barcode, it has become vitally important in paving something resembling a path out of strict national lockdowns. In the UK, for example, the QR code is at the very heart of the NHS Covid-19 track and trace mobile app.

Unfortunately, they are not universally used to well-intentioned ends. With opportunity has come adversity, and attackers are now exploiting the increased uptake of QR codes.

QR codes could have catastrophic effects

These codes can invoke various actions on a smartphone. Here lies the threat. While a QR code may appear to be designed to help us sign in to a Wi-Fi network or to be part of an innocent marketing campaign, its intent may be entirely different, with threat actors architecting and deploying malicious codes in a variety of ways.

They can be used to direct the user to a malicious URL for the purpose of phishing; force a call, thereby exposing the end user’s phone number to a scammer or a potentially expensive call centre; send a payment within seconds; obtain a user’s location; or draft an email or text and populate the recipient and subject lines.

Additionally, they may introduce a compromised network on a device’s preferred network list and include a credential that enables the device to automatically connect to that network. Once connected, an attacker could launch further ‘Man-in-the-Middle’ attacks.

Given the variety and seriousness of these potential threats, some key statistics released by MobileIron in September 2020 provide cause for alarm. In conducting a consumer sentiment study to understand how QR codes are being used during the pandemic, the firm found that 83% of people had scanned a QR code and 67% believed they were making life easier in a touchless world. At the same time, however, 71% of respondents said they could not “distinguish between a legitimate and malicious QR code”.

Through this lack of awareness of the inherent risks, threat actors have something of an open goal to leverage QR codes for malicious ends.

Security hygiene and mitigating the risks

So, what’s the solution? It might sound simple, but ensuring greater security consciousness and constant diligence about the potential threats surrounding QR codes is the first step in preventing the success of such attacks.

Before scanning a code, question it meticulously: Where has it been placed? Does it look legitimate? Can you verify it with the owner of the code?

While the legitimacy of some codes can be identified more easily than others (one printed on an in-house doctor’s leaflet is more likely to be legitimate than one stuck to a streetlamp), it is always worth taking as many precautions as possible to avoid falling into any malicious trap.

Knowledge goes a long way. QR code scanning apps will often have an option to display the web address before launching a website or performing another action. Further, treat shortened links with extreme caution, as they are often used to disguise malicious URLs; preview them safely by simply adding a ‘+’ symbol to the end of the URL.
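To make that preview step concrete, the following added example (written for this article, not code from the original or from any scanner app) classifies a decoded QR payload by the action it would trigger, covering the Wi-Fi, call, message, location and URL cases listed earlier, and derives the ‘+’ preview address for shortened links. The schemes it recognises (WIFI:, tel:, mailto:, sms:, geo:) and the single shortener host assumed to support the ‘+’ convention (bit.ly) are assumptions, not a complete list.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts assumed to support the "append '+' for a preview page" convention (bit.ly does).
PREVIEWABLE_SHORTENERS = {"bit.ly"}


def _wifi_fields(body: str) -> dict:
    """Split a WIFI: body such as 'T:WPA;S:FreeCafe;P:hunter2;;' into a dict.

    Naive split on ';' and ':'; it does not handle the format's backslash escapes.
    """
    fields = {}
    for part in body.split(";"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.upper()] = value
    return fields


def inspect_qr_payload(payload: str) -> dict:
    """Classify a decoded QR string by the action it would trigger, before acting on it.

    Returns a dict with 'action', 'detail' and 'risk' so a scanner can show a
    confirmation step instead of auto-dialling, auto-joining or auto-opening.
    """
    p = payload.strip()
    low = p.lower()
    if low.startswith("wifi:"):
        f = _wifi_fields(p[5:])
        return {"action": "join_wifi", "detail": f.get("S", ""), "risk": "high",
                "note": "adds a network plus a stored credential to the preferred list"}
    if low.startswith("tel:"):
        return {"action": "call", "detail": p[4:], "risk": "high",
                "note": "dialling exposes your number to whoever answers"}
    if low.startswith(("mailto:", "sms:", "smsto:")):
        parts = urlsplit(p)  # recipient is the path, subject/body sit in the query
        subject = parse_qs(parts.query).get("subject", [""])[0]
        return {"action": "message", "detail": parts.path, "subject": subject, "risk": "medium"}
    if low.startswith("geo:"):
        return {"action": "location", "detail": p[4:], "risk": "medium"}
    if low.startswith(("http://", "https://")):
        parts = urlsplit(p)
        result = {"action": "open_url", "detail": p, "risk": "medium"}
        if parts.scheme == "http":
            result["risk"] = "high"  # plaintext: page contents can be altered in transit
        if (parts.hostname or "") in PREVIEWABLE_SHORTENERS:
            result["preview"] = p + "+"  # preview page reveals the real destination
            result["risk"] = "high"  # shortener hides the destination until expanded
        return result
    return {"action": "text", "detail": p, "risk": "low"}
```

The sample payloads in the tests (a constructed café Wi-Fi code, a phone number, a shortened link) show how each category surfaces as a distinct confirmation rather than an automatic action.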

For companies, it is vital that these best practices are embedded into overall security hygiene methods. While it has become commonplace for corporations to provide phishing training in relation to emails and text messages, I have not yet seen such practices adopted for QR codes – something which needs to change in the current climate.

Likewise, if your organisation has not yet considered or adopted multi-factor authentication, the time to do so is now. Passwords are no longer adequate in protecting access to cloud-based business applications, with QR codes being a novel way in which threat actors can breach such outdated protocols.

With remote, digital and flexible working models having become the norm, never has it been more important to err on the side of caution in relation to smartphone-centric security. By shifting to a layered, agile security model, companies can better protect against a growing threat landscape, eliminating the opportunity for stolen credentials to be exploited.

Written by Zach Fleming, principal cyber security consultant at Integrity360
