QR codes can be found on flyers, on packaging and even on products themselves; they are everywhere. A small square box containing a maze-like pattern, a QR code is a “Quick Response code” that acts as a barcode to access information online. Usually, QR codes lead to URLs that prompt further action, such as receiving discount off a product from a certain shop. A simple Google search will lead you to multiple websites that can generate QR codes for you – regardless of size and colour – at no cost. Mobile apps that can capture QR codes and bring you to the content are just as common. The ease at which it can be created and understood has resulted in it becoming an ubiquitous sight.
A QR code can be classified as direct or indirect. A direct QR code refers to one that allows you straight route to gain the content embedded. Therefore, an indirect QR code requires other supporting equipment. Indirect QR codes need an internet connection, a specific scanner belonging to the company behind the QR code and may even incur costs.
Alas, the benefits of a QR code are also the risks it carries. Since a QR code takes you to a URL, it could possibly lead you to malware. Such malicious software may be embedded in the website you have been brought to and secretly downloaded onto your device. All this invasion happens when we conveniently use a mobile app to capture a QR code without considering its source. One way in which such malicious QR codes are distributed is through a security compromise of marketing firms. The marketing firms in this case are those which offer the service of generating QR codes. Criminal hackers could access the QR codes meant for the clients and change them to malicious codes before they are published. Therefore when someone scans the malicious QR code to access information about the business, a Trojan virus is being downloaded as well. This Trojan virus can carry out tasks on the user’s device without his permission, such as obtaining data stored on a mobile device.
Cross-site scripting vulnerability is another security loophole by which attackers can go into legitimate websites and replace their QR codes with malicious ones. Malicious QR codes are scary indeed – they can steal sensitive information (e.g. passwords, locations), they can manipulate mobile devices to eavesdrop on conversations and even use its camera!
Example of an Attack
In 2011, Russian consumers gained first-hand experience of the threat of a malicious QR code. Disguised as a QR code leading to an Android app called Jim, the consumers had no idea they were downloading a malware at the same time. Once downloaded, the malware sent SMS codes to premium phone numbers. Each message costed the consumer 6 USD. Compared to other forms of privacy invasion, cases of QR code infections are still relatively low. However, we should still take precautions instead of scanning every QR code that we find without a second thought.
1) Aurnou, S. (2013). QR Codes Can Pose a Security Risk. Yes, Really… | The Security
Advocate.Thesecurityadvocate.com. Retrieved 19 March 2015, from
2) Geer, D. (2013). The dangers of QR codes for security. CSO Online. Retrieved 19 March 2015,
3) Hoffman, C. (2013). QR Codes Explained: Why You See Those Square Barcodes
Everywhere.Howtogeek.com. Retrieved 19 March 2015, from
4) Kaspersky Lab United States,. Kaspersky Personal & Family Security Software. Retrieved 19
March 2015, from http://usa.kaspersky.com/internet-security-
5) Kinnear, A. (2011). Andrew Kinnear | Digital Marketing Toronto. Blog.andrewkinnear.com.
Retrieved 19 March 2015, from http://blog.andrewkinnear.com/2011/01/direct-vs-indirect-qr-
6) Roger,. (2011). Infected QR Codes Or Mashable Hype?. 2d-code.co.uk. Retrieved 19 March 2015,
7) Suggett, P. QR Codes – The What, Why, How and When.. About.com Money. Retrieved 19 March
8) Waters, J. Security Risks that Come with Use of QR Codes – For Dummies. Dummies.com.
Retrieved 19 March 2015, from http://www.dummies.com/how-to/content/security-risks-that-