Why you shouldn’t scan them recklessly.
During a recent televised sporting event, a company spent a lot of money to run an advertisement that was nothing more than the display of QR code, not unlike the one displayed above.
Apparently, against all common sense and with no regard for security, millions of people used it.
Why? What did it mean? What are you supposed to do with it, and how does it relate to security?
They’re actually pretty cool.
But they can also be weaponized, and you’d never know.
QR codes
QR codes are text encoded in a machine-readable format so scanners and smartphones can easily decode them. They’re most often used to encode webpage URLs. Since there’s no easy way to ensure they point to a non-malicious webpage, be skeptical and use them with caution.
QR: Quick Response
A QR (for Quick Response) code is nothing more than text encoded in a machine-readable way. Seriously, that’s it.
Here’s the previous paragraph encoded as a QR code:
Here’s the Gettysburg Address encoded as a QR code:
And at the top of the page is a QR code for the URL “https://askleo.com”.
Using a QR code
QR codes are intended to be scanned by apps on smartphones and other devices.
Depending on your phone, you may need to install a dedicated QR code scanning app, or it may already be built into your phone’s camera software.
Here’s the QR code at the top of the page, as “seen” by the camera in my Pixel smartphone:
I’ve circled the text decoded by my camera. The camera previews the beginning of the decoded text if it can sense that it’s looking at a QR code.
If I were to tap on the text circled in red above, it would open the web browser on my phone and take me to that URL.
And that’s the general idea. While there are other uses, the primary intent is that you point your phone’s camera at a QR code, let it decode what it sees, and then go to the URL encoded within.
But there’s a risk.
Why millions of people were wrong to scan
You can’t tell what a QR code contains before you scan it. Many scanning apps only display the first part of what they find, so even the “preview” above could be incomplete. Some don’t preview at all and simply go.
Blindly scanning and using a QR code is like clicking on a link you can’t see. You have no idea where it will take you.
You have no idea whether it’s legit or dangerous.
Hackers and scammers know this.
Now, the QR code displayed in that TV ad is very likely legitimate,1 as are those I’ve shown above.
But you just don’t know.
Using QR codes safely
Be skeptical. Like any URL you click on, make sure you trust the source.
If you don’t — if you’re not sure — then don’t. Get to the information it purports to represent some other, safer, way.
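Since a scanner that shows only the first part of the decoded text (or nothing at all) is the core of the problem, here is an added example, not code from the article, of the behaviour a careful scanner should have: take the full decoded text, show all of it, say what the phone would do with it, and only then ask. The sample payloads are constructed for this example; the scheme prefixes (tel:, sms:, mailto:, WIFI:) are common QR payload conventions, and the "owning site" guess is a deliberately naive two-label heuristic.

```python
from urllib.parse import urlsplit
# Decoded QR payloads, constructed for this example (not from the article).
SAMPLE_PAYLOADS = [
    "https://askleo.com",                            # the URL at the top of the page
    "http://askleo.com.example-login.net/verify",    # look-alike host, plain http
    "tel:+15555550100",                              # dials a number when acted on
    "WIFI:T:WPA;S:FreeCafe;P:pass1234;;",            # joins a Wi-Fi network
    "Four score and seven years ago ...",            # plain text: nothing to "execute"
]

def classify(payload: str) -> dict:
    """What a scanner app would do with a decoded payload, plus any red flags.
    Uses common QR payload conventions: http/https, tel:, sms:/smsto:, mailto:, WIFI:."""
    warnings = []
    lower = payload.lower()
    if lower.startswith(("http://", "https://")):
        parts = urlsplit(payload)
        host = parts.hostname or ""
        # Naive owner-of-the-host guess: the last two labels (ignores co.uk-style suffixes).
        site = ".".join(host.rsplit(".", 2)[-2:])
        kind, action = "url", f"open a page on {site}"
        if parts.scheme == "http":
            warnings.append("plain http: the connection will not be encrypted")
        if parts.username or parts.password:
            warnings.append("credentials embedded in the URL")
        if "xn--" in host:
            warnings.append("punycode in hostname: possible look-alike domain")
        if host != site:
            warnings.append(f"'{host}' is a subdomain; the site you would visit is '{site}'")
    elif lower.startswith("tel:"):
        kind, action = "phone", f"place a call to {payload[4:]}"
    elif lower.startswith(("smsto:", "sms:")):
        kind, action = "sms", "compose a text message"
    elif lower.startswith("mailto:"):
        kind, action = "email", f"compose an email to {payload[7:].split('?')[0]}"
    elif lower.startswith("wifi:"):
        kind, action = "wifi", "join a Wi-Fi network"
        warnings.append("joins a network chosen by whoever made the code")
    else:
        kind, action = "text", "display only; nothing to open"
    return {"kind": kind, "action": action, "full_text": payload, "warnings": warnings}

def preview(payload: str) -> str:
    """Build the confirmation prompt a careful scanner shows before acting."""
    info = classify(payload)
    lines = [f"Decoded ({info['kind']}): {info['full_text']}", f"Action: {info['action']}"]
    lines += [f"WARNING: {w}" for w in info["warnings"]]
    lines.append("Proceed? [y/N]")
    return "\n".join(lines)
```

Running `preview()` over `SAMPLE_PAYLOADS` shows that the look-alike URL resolves to example-login.net, not askleo.com, which is exactly what a truncated preview would hide.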
Creating QR codes
Many browsers now have controls allowing you to make a QR code for the URL currently displayed in your browser.
In addition, there are several QR code generators available on the web and in various applications.
Do this
Scan this QR code:
and subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Footnotes & References
1: Although it did crash the servers at the target website because of the overwhelming volume.
It seems to me that the proper course is to install a QR Code-Reading App that displays the content of the QR Code — the whole QR Code — ALL of it — and then explicitly asks whether it should load the webpage (or otherwise “execute” the text).
On a side matter, I have a question: You put the Gettysburg Address in a QR Code! So, just how much text is a QR Code able to hold?!?
A LOT. The code size expands as needed. In practice, it can be as much as you want, as long as the camera to decode it has enough resolution to see it clearly (and the holder of the camera has a steady enough hand).
Leo, you wrote:
“…The [QR] code size expands as needed. In practice, it can be as much as you want…”
Oh. So — at least in theory — you could embed the entire Bible into a QR Code?!?
LOL!!! :)
And, Yeesh!
In theory. :-)
Can you suggest a trusted QR reader? My phone doesn’t have one bundled in.
The one I’ve used on occasion is https://play.google.com/store/apps/details?id=com.kaspersky.qrscanner — now, because of the current political climate I need to acknowledge that that’s by Kaspersky, which causes some people pause. I’d love to see recommendations from others here as well.
I have used zxing (zebra crossing), which can decode almost any bar code, in the past.
I am currently using QrEasy
With the Kaspersky controversy, you might want to recommend a different App.
My phone also did not have a built in QR scanner, so I installed “Trend Micro QRScanner”. The nice thing about this scanner is that it tries to verify the URL before asking if you want to navigate there (you can configure it to automatically navigate to URLs that it has determined are safe). There are plenty of legit sites that show up as “unverified”, but then you just have to use your judgement as to whether to continue.
First, let me say that this week’s articles are a welcome diversion from all the backup articles – not that backups are bad.
One way of looking at QR codes and the software in your phone is that a QR code tells your phone to do something. That something may be bad. Remember how the original HTML evolved from a graphical rendition language to a full blown programming language that can do anything to your device? This is likely to happen with QR codes. Already QR codes (and the associated software) can send emails, dial phone numbers, detect and report your location, download apps, etc.
Be careful of those QR codes, especially if you see one on a sheet of paper (like a one page restaurant menu or a hand-out at your local retail store). A malicious person can easily make copies of the paper, remove the QR code if it had one, add their own QR code, and put the new copies on the counter. Also, be cautious if the QR code is attached with adhesive. The real QR code might be underneath (if there was one) and a malicious QR code could be stuck on top of it.
Is there a (free) QR program that you recommend to download on your desktop computer to help us generate copy as we develop that? I’d appreciate it. I tried generating some QR codes a while back and it showed funny pictures in the QR which I thought was weird so I just didn’t complete the project. Thanks Leo. I love your newsletters and you’re doing a great job (especially for us beginner non-geeky types). Denice
See Leo’s post of 17 March.
If you don’t trust Russian software, there are several free QR code generators available. You can find them with a search engine by searching “QR code generator”.
Security expert and cryptographer Bruce Schneier has documented several QR code-based scams:
https://www.schneier.com/blog/archives/2022/02/stealing-bicycles-by-swapping-qr-codes.html
https://www.schneier.com/blog/archives/2022/01/fake-qr-codes-on-parking-meters.html
https://www.schneier.com/blog/archives/2012/12/qr_code_scams.html
https://www.schneier.com/blog/archives/2021/11/wire-fraud-scam-upgraded-with-bitcoin.html
Hi Leo, Quick QR question not covered above. I have been seeing various commercials on TV w/ this kind of code embedded into the ad. Is it possible to scan or use a Smartiephone by pointing same at TV screen or on a monitor screen? I remember seeing these codes on grocery items too. They are similar to the price scan codes the cashier ‘reads’ w/ a hand held or counter embedded scanner but I never really knew what the Dickens they were. Many thanks for the answers above and the warnings too. I only use a laptop or desktop PC and I have no scanners and no Smartiephones. Happy Eastertide! - Jack/keimanzero
Campbelltown/Palmyra PA
That’s the whole idea. Those QR codes in TV ads are made to be scanned with a smart phone or tablet. I’ve done it with WhatsApp. When I want to use WhatsApp on my computer, I scan a QR code on my phone to set it up on my WhatsApp computer app.
Yes, you can point your smartphone’s camera at the screen and it should work.
Thank you for the article. I always wondered about the QR, but refused to use them as I suspected the security concerns. I rarely use my cell phone anyway and I am mostly at my desktop, so I have been safe. But, now, knowing this, I feel “safe”! Safe enough to avoid using them, unless I know the content text.
Leo
I guess the QR codes are not for everyone. I am confused on why they are necessary?
I have never used or needed to use them, especially since you stated it may be a security issue with regards to what the QR codes may hold, malicious coding.
So, who can you trust if what you have stated is true?
More like being blindfolded and walked towards a cliff: no, really, trust me, walk this way, it’s all ok!
I believe QR codes came out several years ago (or they were made public at that time). I never saw them in use until recently and now they are all over. What happened?
Tipping point? I do think the pandemic and the opportunity to use them for “touchless” operations was a factor.
Watch out for official-looking letters with QR codes. They might not be as official as they look.
Now Scammers Are Sending Bank-Draining Malware Through Snail Mail