A QR code (Quick Response code) is a type of the matrix barcode invented in 1994 by the Japanese automotive company Denso Wave.
A barcode is a machine-readable optical label that contains information about the item to which it is attached. In practice, QR codes often contain data for a locator, identifier, or tracker that points to a website or application. A QR code uses four standardized encoding modes (numeric, alphanumeric, byte/binary, and kanji) to store data efficiently; extensions may also be used.
The data stored in a QR code can include website URLs, phone numbers, or up to 4,000 characters of text. QR codes can also be used to:
- Link directly to download an app.
- Start a phone call.
- Initiate a text message.
- Authenticate online accounts and verify log-in details.
- Access Wi-Fi by storing encryption details such as SSID, password, and encryption type.
- Send and receive payment information.
- And much more – a company in the UK called QR Memories even creates QR codes for use on gravestones, allowing people to scan the code to read more about that deceased person’s life (if they have an obituary or news story relating to them online).
Are QR Codes Safe?
Attackers can embed malicious URLs containing custom malware into a QR code which could then exfiltrate data from a mobile device when scanned. It is also possible to embed a malicious URL into a QR code that directs to a phishing site, where unsuspecting users could disclose personal or financial information.
Large corporations aren’t immune to this trend. QR codes on Heinz ketchup bottles have redirected people to porn websites, with the company blaming a lapsed domain as the reason for this faux pas.
A typical attack involves placing malicious QR codes in public, sometimes covering up legitimate QR codes. Unsuspecting users who scan the code are taken to a malicious web page which could host an exploit kit, leading to device compromise or a spoofed login page to steal user credentials.
If you ever see a QR code on a wall, building, computer screen, or even a business card, do not scan it. A threat actor can easily paste their malicious QR code on top of a real one and create their own copies and based on appearance, you have no idea if the contents are safe or malicious.