InfoSec Insider

QR Codes: A Sneaky Security Threat

What to watch out for, and how to protect yourself from malicious versions of these mobile shortcuts.

If it seems like QR codes have popped up everywhere these days, you’re right. Ever since they were first used by the Japanese auto industry to streamline manufacturing processes, companies everywhere have capitalized on the benefits of QR codes. They’re cheap to deploy and can be applied to almost anything — which is why every industry from retail to healthcare is now using them as a quick and easy way to link people to websites, promotional campaigns, store discounts, patient medical records, mobile payments and a whole lot more.

QR codes aren’t just cost-effective and simple to use. They’re also essential, especially during a pandemic where contactless transactions have become the norm. What’s more, at least 81 percent of Americans now own a smartphone, and nearly all of those devices can natively read QR codes with no third-party app required. So, QR codes are clearly having their moment.

What the Numbers Say (Hint: It’s Not Good)

My company, MobileIron, wanted to better understand current QR code trends, so in September we conducted a survey of more than 2,100 consumers across the U.S. and the U.K. It confirmed that QR codes are indeed more widely used today. For instance, in the last six months, more than one-third of mobile users scanned a QR code at a restaurant, bar, retailer or on a consumer product.

The results also highlighted some alarming trends: Mobile users don’t really understand the potential risks of QR codes, and nearly three-fourths (71 percent) of respondents can’t tell the difference between a legitimate and malicious QR code. At the same time, more than half (51 percent) of surveyed users don’t have (or don’t know if they have) mobile security on their devices.

Like so many things that feel like they’ve been part of our lives forever, we don’t give QR codes much thought. Mobile devices have conditioned us to take quick actions — swipe, tap, click, pay — all while we’re distracted by other things like working, shopping, eating (and unfortunately, yes, driving).

This is exactly the kind of implicit trust and thoughtless action hackers thrive on. And it’s why, if mobile employees are using their personal devices to access business apps and scan potentially risky QR codes, enterprise IT should start taking a much closer look at their mobile security approach.

So What, Exactly, Are the Risks of QR Codes?

Hacking an actual QR code would require some serious skills to change around the pixelated dots in the code’s matrix. Hackers have figured out a far easier method instead. This involves embedding malicious software in QR codes (which can be generated by free tools widely available on the internet). To an average user, these codes all look the same, but a malicious QR code can direct a user to a fake website. It can also capture personal data or install malicious software on a smartphone that initiates actions like this:

  • Add a contact listing: Hackers can add a new contact listing on the user’s phone and use it to launch a spear phishing or other personalized attack.
  • Initiate a phone call: By triggering a call to the scammer, this type of exploit can expose the phone number to a bad actor.
  • Text someone: In addition to sending a text message to a malicious recipient, a user’s contacts could also receive a malicious text from a scammer.
  • Write an email: Similar to a malicious text, a hacker can draft an email and populate the recipient and subject lines. Hackers could target the user’s work email if the device lacks mobile threat protection.
  • Make a payment: If the QR code is malicious, it could allow hackers to automatically send a payment and capture the user’s personal financial data.
  • Reveal the user’s location: Malicious software can silently track the user’s geolocation and send this data to an app or website.
  • Follow social-media accounts: The user’s social media accounts can be directed to follow a malicious account, which can then expose the user’s personal information and contacts.
  • Add a preferred Wi-Fi network: A compromised network can be added to the device’s preferred network list and include a credential that automatically connects the device to that network.

Easy Things We Can All Do to Minimize the Risks

As scary as these exploits are, they aren’t inevitable. Educating users about the risks of QR codes is a good first step, but companies also need to step up their mobile security game to protect against threats like spear phishing and device takeovers.

What Users Can Do

Take a good look first: Make sure the QR code is legit, especially printed codes, which can be pasted over with a different (and potentially malicious) code.

Only scan codes from trusted entities: Mobile users should stick to scanning codes that only come from trusted senders. Pay attention to red flags like a web address that differs from the company URL — there’s a good chance it links to a malicious site.

 Watch out for bit.ly links: Check the URL of a bit.ly link that appears after scanning a QR code. These links are often used to disguise malicious URLs, but they can be safely previewed by adding a plus symbol (“+”) at the end of the URL.

What Companies Can Do

Hopefully your company is using an on-device mobile threat defense solution that can protect against phishing attacks, device takeovers, man-in-the-middle exploits and malicious app downloads. (If not, start looking for one now!) You need to ensure it’s deployed on every device that accesses business apps and data, because enterprise security is only as good as the weakest link in your company. Also, educate users about what it protects against (and also what it doesn’t).

If you do nothing else, now’s the time to consider eliminating password-based access to business and cloud apps, which is one of the top causes of data-breaches today. By shifting to passwordless multi-factor authentication, you not only eliminate the threat of stolen passwords, you also eliminate the hassle of maintaining them — which makes everyone (except hackers) a lot happier and more productive.

Brian Foster is senior vice president of product management at MobileIron.

Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting past contributions.

Suggested articles