[This is a Guest Diary by Jeremy Wensuc, an ISC intern as part of the SANS.edu BACS program]

Introduction

QR codes, those square-shaped digital puzzles found on everything from advertisements, packaging, and even restaurant menus, have made our lives more convenient. However, this blog post aims to shed light on the often-overlooked dangers of QR codes and provide insights into how malicious actors can exploit them. Understanding these risks is essential to ensure your digital safety in an age where QR codes are omnipresent.

What Are QR Codes

QR codes, short for Quick Response codes, are two-dimensional barcodes that store information, such as website links, contact details, or app download links in a graphical black-and-white pattern. It was first created in 1994 by a Japanese company called Denso Wave for tracking automotive parts during manufacturing. When scanned, the QR code can direct the user to a website, display text, or trigger other actions such as adding contact information, connecting to a Wi-Fi network, or initiating a payment.

How do QR codes work

QR codes work by encoding information in a two-dimensional pattern of black squares and white spaces. The information is typically encoded as a series of binary digits (0s and 1s), and the specific arrangement of these elements within the QR code structure determines the data it represents. Here is a breakdown of a QR code: 

Finder Patterns

• These are the three square patterns located at the corners of the QR code. They help the QR code reader locate and identify the code in an image. 

Timing Patterns

• These are horizontal and vertical lines of alternating black and white modules that help the QR code reader determine the size and orientation of the code. 

Alignment Patterns

• These are smaller square patterns strategically placed throughout the QR code. Alignment patterns assist the QR code reader in correcting distortions and tilts in the code, improving scanning accuracy. 

Quiet Zone

• The quiet zone is the empty margin around the QR code. It ensures that there is enough space between the QR code and any other elements (graphics, text, borders) to prevent interference with the scanning process. 

Version Information

• For QR codes of version 7 and above, a version information area is included, providing details about the QR code version, error correction level, and other parameters. 

Data and Error Correction Blocks

• The central part of the QR code contains data modules, which store the encoded information (such as text, URLs, or other data). This section is divided into data blocks, each of which includes both data and error correction codewords. The error correction allows the QR code to be scanned accurately, even if part of it is damaged or obscured. 

Format Information

• This section contains information about the QR code's format, including the error correction level and mask pattern used. It helps the QR code reader interpret and decode the data correctly. [1]

QR Code Attacks 

The use of QR codes has surged in recent years, with applications ranging from marketing campaigns to contactless payments. However, cybercriminals have recognized the potential of exploiting QR codes to their advantage. The risks associated with QR codes include:

Quishing

• Quishing, short for QR code phishing, involves creating fake QR codes that mimic legitimate ones. Cybercriminals then place these codes on, flyers, labels, posters, or any other public or space where unsuspecting people can scan them. A good example of this happened in Texas, where cybercriminals put fake QR code stickers on pay-to-park kiosks, tricking drivers into thinking they could use them to pay for parking. Once scanned, the QR code sent the drivers to a site where they could enter their credit card information, unknowingly providing their personal info to the cybercriminals. [2]

QRLjacking

• Quick Response Login (QRL) is a user-friendly authentication method that uses QR codes for logging into websites, applications, or any other digital services. QRLJacking, or Quick Response Code Login Jacking, is a type of attack where cybercriminals create a phishing site mimicking a login page to convince the victim to scan the QR code instead of the authentic one, leading to the compromise of sensitive information or unauthorized access to an account. A good example of this happened in August of 2023 when cybercriminals targeted the Steam gaming platform and attempted to steal the user's login information so the cybercriminals could impersonate them. [3]

Malware Distribution
Cybercriminals create QR codes that point to malicious websites that distribute malware through drive-by-download attacks. Which is an attack where the website will forcefully download software on your device when you visit the website. 

Scanner Apps
While most QR code scanner apps are legitimate and serve their intended purpose. There have been instances where Cybercriminals have created fake or compromised QR code scanner apps to distribute malware. A good example of this happened in December 2020 with the app Barcode Scanner. [4]

How to protect yourself

While QR codes are generally safe, there are some precautions you can take to protect yourself from potential risks associated with malicious QR codes.[5]

Use Your Smartphone's Built-in Scanner

• Consider using the built-in QR code scanning feature in your smartphone's camera app. Many modern smartphones have this functionality, reducing the need for third-party apps.

Use Reputable QR Code Scanner Apps

• Download QR code scanner apps only from official app stores, such as the Apple App Store or Google Play Store. Stick to well-known and reputable apps with positive reviews.

Update Apps Regularly

• Keep your QR code scanner app, as well as all other apps, up-to-date. Developers release updates to address security vulnerabilities and improve performance.

Verify the Source

• Be cautious when scanning QR codes from unknown or untrusted sources. Avoid codes received through posters, advertisements, unsolicited messages, emails, or from unfamiliar websites.

Check URLs

• Before scanning a QR code, manually check the destination URL or use a URL Preview Service to see the destination URL before visiting the website. If it seems suspicious or doesn't match the expected content, avoid scanning the code.

Security software

• Consider using security software on your device to provide an additional layer of protection against malware.

Conclusion

QR codes have become integral to our daily lives, but it's crucial to recognize that they come with hidden security risks. By taking the precautions outlined in this blog post, you can enjoy the convenience of QR codes while minimizing the dangers they may pose. In an era where QR codes are prevalent, staying informed and vigilant is key to protecting your digital safety.

[1] https://www.print2d.com/dt/services_consult_validation.shtml 
[2] https://www.govtech.com/security/beware-of-quishing-criminals-use-qr-codes-to-steal-data 
[3] https://voidzone.me/posts/a-phishing-attempt-on-steam-that-became-qrljacking/?21398 
[4] https://www.malwarebytes.com/blog/news/2021/02/barcode-scanner-app-on-google-play-infects-10-million-users-with-one-update 
[5] https://www.ic3.gov/Media/Y2022/PSA220118 
[6] https://www.sans.edu/cyber-security-programs/bachelors-degree/

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu