Why you shouldn’t scan them recklessly.

During a televised sporting event, a company spent a lot of money to run an advertisement that was nothing more than a QR code (like the one displayed above).
Apparently, against all common sense and with no regard for security, millions of people used it.
Why? What did it mean? What are you supposed to do with QR codes, and how do they relate to security?
They’re pretty cool.
But they can also be weaponized, and you’d never know.

QR codes
QR codes are text encoded in a machine-readable format so scanners and smartphones can easily decode them. They’re most often used to encode webpage URLs. Since there’s no easy way to ensure they point to a non-malicious webpage, be skeptical and use them with caution.
QR: Quick Response
A QR (for Quick Response) code is nothing more than text encoded in a machine-readable way. Here’s the previous paragraph encoded as a QR code.

Here’s the Gettysburg Address encoded as a QR code.

And at the top of the page is a QR code for the URL https://askleo.com.
Using a QR code
QR codes are intended to be scanned by apps on smartphones and other devices.
Depending on your phone, you may need to install a dedicated QR code scanning app, or it may already be built into your phone’s camera software.
Here’s the QR code at the top of the page, as “seen” by the camera in my Pixel smartphone.

I’ve circled the text decoded by my camera. The camera previews the beginning of the decoded text if it can sense that it’s looking at a QR code.
If I were to tap on the text circled in red above, it would open the web browser on my phone and take me to that URL.
And that’s the general idea. While there are other uses, the primary intent is that you point your phone’s camera at a QR code, let it decode what it sees, and then go to the URL encoded within.
But there’s a risk.
Why millions of people were wrong to scan
You can’t tell what a QR code contains before you scan it. Many scanning apps only display the first part of what they find, so the preview above could be incomplete. Some apps don’t preview at all and load the page immediately.
Blindly scanning and using a QR code is like clicking on a link you can’t see. You have no idea where it will take you.
You have no idea whether it’s legit or dangerous.
Hackers and scammers know this.
Now, the QR code displayed in that TV ad is very likely legitimate,¹ as are those I’ve shown above.
But you just don’t know.
Using QR codes safely
Be skeptical. Like any URL you click on, make sure you trust the source.
If you don’t — if you’re not sure — then don’t. Get to the information it purports to represent in some other, safer way.
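As an added example (not code from the article), here is a small Python inspector for the text a scanner app has already decoded: it shows the whole payload instead of a truncated preview and flags what the article says you can’t see from the code itself, the scheme, the real host, and a few common URL obfuscations. It goes beyond the article’s URL case to tel:/mailto:/sms: and Wi-Fi payloads; the inputs in the test are constructed samples.

```python
# Added example: inspect the text decoded from a QR code BEFORE acting on it.
# Input is the decoded string; decoding the image itself is the scanner's job.
from urllib.parse import urlsplit
import ipaddress
import re

# Non-URL payload types a phone will act on (assumed common scheme set).
ACTION_SCHEMES = {"tel": "place a phone call", "sms": "send a text message",
                  "mailto": "compose an e-mail", "geo": "open a map location"}

def inspect_qr_payload(text: str) -> dict:
    """Classify a decoded QR payload and list reasons to be cautious."""
    report = {"kind": "text", "full_text": text, "warnings": []}
    head = text.split(":", 1)[0].lower()
    if head in ("http", "https"):
        parts = urlsplit(text)
        host = parts.hostname or ""
        report["kind"] = "url"
        report["host"] = host  # the site you would actually be taken to
        if parts.scheme == "http":
            report["warnings"].append("plain http: not encrypted, easy to tamper with")
        if "@" in parts.netloc:
            report["warnings"].append("user@host in URL: the real site is after the '@'")
        try:
            ipaddress.ip_address(host)
            report["warnings"].append("host is a raw IP address, not a domain name")
        except ValueError:
            pass  # a normal domain name
        if "xn--" in host:
            report["warnings"].append("punycode host: may imitate a familiar name")
        if len(text) > 100:
            report["warnings"].append("long URL: a short preview would hide most of it")
    elif head in ACTION_SCHEMES:
        report["kind"] = head
        report["warnings"].append(f"opening this would {ACTION_SCHEMES[head]}")
    elif text.upper().startswith("WIFI:"):
        # WIFI:T:<auth>;S:<ssid>;P:<password>;; (values may escape ';' with '\')
        report["kind"] = "wifi"
        fields = dict(re.findall(r"(\w):((?:\\.|[^;])*);", text[5:]))
        report["ssid"] = fields.get("S", "")
        report["password_present"] = bool(fields.get("P"))
        if report["password_present"]:
            report["warnings"].append("contains the Wi-Fi password in clear text")
    return report
```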
Creating QR codes
Many browsers now have controls that create a QR code for the URL currently displayed in your browser.

In addition, there are several QR code generators available on the web and in various applications.
Do this
Scan this QR code to subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Footnotes & References
1: Although it did crash the servers at the target website because of the overwhelming volume.




It seems to me that the proper course is to install a QR Code-Reading App that displays the content of the QR Code — the whole QR Code — ALL of it — and then explicitly asks whether it should load the webpage (or otherwise “execute” the text).
On a side matter, I have a question: You put the Gettysburg Address in a QR Code! So, just how much text is a QR Code able to hold?!?
A LOT. The code size expands as needed. In practice, it can be as much as you want, as long as the camera to decode it has enough resolution to see it clearly (and the holder of the camera has a steady enough hand).
Leo, you wrote:
“…The [QR] code size expands as needed. In practice, it can be as much as you want…”
Oh. So — at least in theory — you could embed the entire Bible into a QR Code?!?
LOL!!! 🙂
And, Yeesh!
In theory. 🙂
Can you suggest a trusted QR reader? My phone doesn’t have one bundled in.
The one I’ve used on occasion is https://play.google.com/store/apps/details?id=com.kaspersky.qrscanner — now, because of the current political climate I need to acknowledge that that’s by Kaspersky, which causes some people pause. I’d love to see recommendations from others here as well.
I have used zxing (zebra crossing) that can decode almost any bar codes in the past.
I am currently using QrEasy
With the Kaspersky controversy, you might want to recommend a different App.
My phone also did not have a built in QR scanner, so I installed “Trend Micro QRScanner”. The nice thing about this scanner is that it tries to verify the URL before asking if you want to navigate there (you can configure it to automatically navigate to URLs that it has determined are safe). There are plenty of legit sites that show up as “unverified”, but then you just have to use your judgement as to whether to continue.
First, let me say that this week’s articles are a welcome diversion from all the backup articles – not that backups are bad.
One way of looking at QR codes and the software in your phone is that a QR code tells your phone to do something. That something may be bad. Remember how the original HTML evolved from a graphical rendition language to a full blown programming language that can do anything to your device? This is likely to happen with QR codes. Already QR codes (and the associated software) can send emails, dial phone numbers, detect and report your location, download apps, etc.
Be careful of those QR codes, especially if you see one on a sheet of paper (like a one page restaurant menu or a hand-out at your local retail store). A malicious person can easily make copies of the paper, remove the QR code if it had one, add their own QR code, and put the new copies on the counter. Also, be cautious if the QR code is attached with adhesive. The real QR code might be underneath (if there was one) and a malicious QR code could be stuck on top of it.
Is there a (free) QR program that you recommend to download on your desktop computer to help us generate copy as we develop that? I’d appreciate it. I tried generating some QR codes a while back and it showed funny pictures in the QR which I thought was weird so I just didn’t complete the project. Thanks Leo. I love your newsletters and you’re doing a great job (especially for us beginner non-geeky types). Denice
See Leo’s post of 17 March.
If you don’t trust Russian software, there are several free QR code generators available. You can find them with a search engine by searching “QR code generator”.
Security expert and cryptographer Bruce Schneier has documented several QR code-based scams:
https://www.schneier.com/blog/archives/2022/02/stealing-bicycles-by-swapping-qr-codes.html
https://www.schneier.com/blog/archives/2022/01/fake-qr-codes-on-parking-meters.html
https://www.schneier.com/blog/archives/2012/12/qr_code_scams.html
https://www.schneier.com/blog/archives/2021/11/wire-fraud-scam-upgraded-with-bitcoin.html
Hi Leo, Quick QR question not covered above. I have been seeing various commercials on TV w/ this kind of code embedded into the ad. Is it possible to scan or use a Smartiephone by pointing same at TV screen or on a monitor screen? I remember seeing these codes on grocery items too. They are similar to the price scan codes the cashier ‘reads’ w/ a hand held or counter embedded scanner but I never really knew what the Dickens they were. Many thanks for the answers above and the warnings too. I only use a laptop or desktop PC and I have no scanners and no Smartiephones. Happy Eastertide!- Jack/keimanzero
Campbelltown/Palmyra PA
That’s the whole idea. Those QR codes in TV ads are made to be scanned with a smart phone or tablet. I’ve done it with WhatsApp. When I want to use WhatsApp on my computer, I scan a QR code on my phone to set it up on my WhatsApp computer app.
Yes, you can point your smartphone’s camera at the screen and it should work.
Thank you for the article. I always wondered about the QR, but refused to use them as I suspected the security concerns. I rarely use my cell phone anyway and I am mostly at my desktop, so I have been safe. But, now, knowing this, I feel “safe”! Safe enough to avoid using them, unless I know the content text.
Leo
I guess the QR codes are not for everyone. I am confused about why they are necessary?
I have never used or needed to use them, especially since you stated it may be a security issue with regards to what the QR codes may hold, malicious coding.
So, Who can you trust if what you have stated is true?
More like being blindfolded and walked towards a cliff, no really trust me, walk this way it’s all ok!
I believe QR codes came out several years ago (or they were made public at that time). I never saw them in use until recently and now they are all over. What happened?
Tipping point? I do think the pandemic and the opportunity to use them for “touchless” operations was a factor.
Watch out for official-looking letters with QR codes. They might not be as official as they look.
Now Scammers Are Sending Bank-Draining Malware Through Snail Mail
Not a cure-all by any means, BUT a QR-Code-Reader that was put out by a reputable virus scanner company, and scanned any decoded URL automatically, would be a BIG help.
I had been giving out QR codes so visitors can access my WI-FI. But someone suggested that these can be decoded and reveal my password.
Is this correct?
No special software is necessary. The QR code scanner included on any phone or tablet can decode them.
There have been fake QR codes stuck over real ones on parking meters in the UK. Not only are payments sent to the scammers but the motorist is also fined for not paying for their parking.
When you scan a QR code, the URL appears on your device and you have to manually tap the URL to go to the page. Before tapping, check the URL carefully. It’s not perfect. A hacker might be able to obfuscate the URL:
Phishing: How to Know It When You See It
Instead, open your browser and go to the site yourself, using your own bookmarks or typing the URL you already know to be correct. If the URL doesn’t exactly match the site you think you are going to, as described in the linked article, close the QR code scanner and manually type the URL. If in doubt, don’t tap or click.
My solution to QR codes is simple: I avoid them when possible, except in specific circumstances. I have a USB3 HD webcam for my laptop. When I’m getting a passkey for a new account or when upgrading the security of an existing one, I’m often presented with a QR code to scan with my authenticator. Since I now use 1password as my authenticator, I open it and use it to scan the QR code, and the passkey’s automatically stored in 1password along with everything else I have for that site. Beyond that, I avoid QR codes wherever I can. Period!
Ernie
Years ago, I downloaded onto my phone a malicious qr code reader from google play store. I never used it until recently. I was at a store and was attempting to get a special price on an item, but in order to do so, I had to scan their qr code on the sale sign.
I scanned the qr code on the sign and the code reader on my phone redirected me to a scam site. I complained to the staff about what I thought was their defective code. So a staff member pulled out her phone and she scanned that same qr code using her iphone camera. Her phone sent her to the correct site to claim the discount.
The lesson I learned is that it’s not just a malicious qr code, but the reader itself. I learned a valuable lesson. When I downloaded that qr reader years ago, my phone’s camera was incapable of scanning codes. I think it was perhaps on my Samsung S-6 or 10. That app was transferred to my new phones every time I upgraded. I no longer needed a separate qr scanner because I discovered my phone (S-23) now has a built in qr scanner in the camera app.