HACKING QR CODES:  WHAT YOU NEED TO KNOW


Quick response (QR) technology isn’t new, but it has exploded in popularity in recent years as businesses try to offer more flexibility and convenience to customers.  A QR code looks and acts like a barcode, but usually contains much more information.  QR codes are a convenient way to access websites and save information on a mobile device.  With a QR code, you can save all kinds of data in a readable and relatively secure way.  You can open links and add contact cards, so users only have to scan your QR code to browse a website or save your contact information on their devices.  QR codes have been integrated with multifactor authentication applications, such as Duo Security and PingID, which allow users to generate QR codes to connect to mobile apps.  QR codes are popping up everywhere due to their versatility, yet the rapid adoption of this technology expands the attack surface for endpoints and mobile devices across the board.
 

We know hackers and cybercriminals will attempt to exploit any new technology.  So how secure are QR codes?  The FBI has already warned about the potential misuse of QR codes.  While QR codes are growing in popularity with businesses and tech companies, the security risk involving QR codes is growing as well.

 

Here's what you need to know about the dangers of QR codes:

 

Spoofed QR Codes

Malicious QR codes are difficult to spot because their contents are obscure to humans and only understood by the devices scanning them.  Because QR codes can open links automatically, hackers can use a spoofed QR code to redirect users to fake websites.  And QR codes can do more than display a website.  A malicious QR code can also be used to initiate an action that sends or costs money, install software in the background without the user’s permission, send texts and emails, pinpoint your location, hijack your smartphone, and quietly install malware.


Phishing

Unfortunately, malicious QR codes are often used for phishing scams.  QR codes used for phishing take advantage of smaller mobile screen sizes to hide the full URL destination and make the phishing website look more legitimate.
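The Spoofed QR Codes and Phishing sections both come down to showing a person what a scanned code will actually do before anything opens. The following is an added example, not code from the original article: a small Python triage of the decoded payload string. The function name, scheme list, thresholds and sample payloads are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Schemes that trigger an action other than a page view (constructed list, not exhaustive).
ACTION_SCHEMES = {"tel": "place a call", "sms": "send a text", "smsto": "send a text",
                  "mailto": "compose an email", "geo": "open a map location"}

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def inspect_qr_payload(payload):
    """Return (action, host, warnings) for a decoded QR payload string."""
    text = payload.strip()
    warnings = []
    if text.upper().startswith("WIFI:"):
        return ("join a Wi-Fi network", None, ["changes network settings"])
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme in ACTION_SCHEMES:
        return (ACTION_SCHEMES[scheme], None, ["triggers an action, not a page view"])
    if scheme not in ("http", "https"):
        return ("unknown", None, ["unrecognised scheme or plain text: do not auto-open"])
    host = parts.hostname or ""          # the host the device will really contact
    if scheme == "http":
        warnings.append("no TLS")
    if parts.username is not None:
        warnings.append("userinfo before '@' hides the real host")
    if _is_ip(host):
        warnings.append("raw IP address instead of a domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label (possible lookalike domain)")
    if not text.isascii():
        warnings.append("non-ASCII characters in URL")
    if len(text) > 60:                   # assumed threshold for a phone-sized preview
        warnings.append("too long to read in full on a small screen")
    return ("open a web page", host, warnings)

# Constructed sample payloads (example.* and 192.0.2.0/24 are reserved for documentation).
SAMPLES = ["https://example.com/menu", "http://example.com@192.0.2.10/login",
           "https://xn--exmple-cua.example/pay", "smsto:+15550100:JOIN",
           "WIFI:T:WPA;S:CafeGuest;P:constructed;;"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", inspect_qr_payload(sample))
```

The second sample is the case a small screen hides best: the text before the `@` reads like a familiar domain, while the host actually contacted is the address after it.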

 

QRL Hijacking

A QR login (QRL) is a QR-code-based authentication method where you scan a QR code instead of typing in your username and password.  Again, the tradeoff for the added ease and convenience of logging in is that an insecure implementation, such as not regenerating QR codes each time a user logs in, creates vulnerabilities.  With the QRL hijacking technique, cybercriminals are able to initialize a QR session, clone the QR code, and redirect users to a phishing website, where the attackers can gain access.

QR Code Injection

Advanced threat actors can inject malicious code into a legitimate and trusted QR code. Attackers can encode malicious payloads in QR codes, so when users scan the QR code it will also execute the malware.  Common exploits such as cross-site scripting (XSS), local file inclusion (LFI), command injection, buffer overflows, directory traversal, and SQL injection will also work with QR codes.

Therefore, there are many possible dangers with scanning QR codes.  Cybersecurity awareness, training, and best practices should include QR codes now as well.  You should always be aware of personal information shared on web pages opened with QR codes and check URL destinations carefully.  This way, the benefits of this popular technology will continue to outweigh the potential risk for businesses and consumers.

May 24, 2022