
Eric Mikulas recently wrote an interesting article about the dangers of scanning QR codes. He conducted an experiment where he put up his own QR codes with no explanation of where they linked to, to see how many people would scan them. He found that a surprisingly large number of people scanned these unknown codes.

We interviewed Eric to get his opinion on the dangers of QR codes and on how this new phenomenon could be put to malicious use.

Q: What mistakes do consumers make when scanning QR codes?

Eric: In my personal opinion, consumers make the mistake of trusting unreadable codes (unreadable by humans) that could really take a person anywhere. With the vulnerabilities that are discovered on a regular basis with smartphones, I feel that it is only a matter of time until we see an explosion in malware for mobile platforms. My long-term fear is that we will see an explosion in smartphone-based botnets and even malware specially crafted to see personal information, ranging from phone contacts to login information to bank accounts.

Q: What mistakes do companies make when putting QR codes on posters?

Eric: Again, I'd like to say I think we put way too much trust into something that is unreadable by humans. I honestly can't think of mistakes that companies make in putting QR codes onto posters, but my mind makes me think of multiple things that could go wrong, even without taking into account people like me, who would paste their own QR code over legitimate QR codes. What would happen if you have a disgruntled graphic designer? Oh, you pay and treat your people well? Well, what about a disgruntled print tech, or someone else along the line from design to production to actual delivery? It is a far cry from printing a URL on a poster to posting a QR code. At least with a URL, I can type it in myself, but by scanning a QR code, I am putting an incredible amount of trust into an inanimate object that I personally cannot verify.

Q: What can consumers do to protect themselves when scanning QR codes?

Eric: Don't.

That aside (this coming from someone in security, where paranoia is your greatest asset), the best advice I can give is twofold. Find a QR scanner that allows you to verify where a code will take you before actually visiting the site. If the code contains a URL that is shortened by a service (such as tinyURL or bitly), try to find an app that will follow the entire chain of links to the end to tell you where it will go.
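An added example of the "preview before visiting" check Eric describes; it is not code from the interview or from any scanner app. Given the URL decoded from a QR code, it follows the redirect chain hop by hop with automatic redirects disabled, caps the number of hops, detects loops and flags link shorteners, so the user sees the real destination before opening it. The HTTP responses are a constructed in-memory table standing in for real HEAD requests.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: what a scanner would see for each URL if it sent a HEAD
# request with redirect-following off. Value is (status, Location header).
FAKE_RESPONSES = {
    "http://tinyurl.com/abc123":      (301, "https://bit.ly/xyz"),
    "https://bit.ly/xyz":             (302, "/r/landing"),       # relative Location
    "https://bit.ly/r/landing":       (307, "https://example-promo.test/win"),
    "https://example-promo.test/win": (200, None),
    "http://tinyurl.com/loop1":       (301, "http://tinyurl.com/loop2"),
    "http://tinyurl.com/loop2":       (301, "http://tinyurl.com/loop1"),
}

# Hosts of common link shorteners (illustrative, not exhaustive).
SHORTENERS = {"tinyurl.com", "bit.ly", "goo.gl", "t.co"}

def fetch_head(url):
    """Stand-in for a real HEAD request; unknown URLs behave like a 404."""
    return FAKE_RESPONSES.get(url, (404, None))

def preview_qr_url(payload, max_hops=10, fetch=fetch_head):
    """Follow the redirect chain behind a QR payload without loading the final page.
    Returns (final_url or None, chain of URLs visited, list of warnings)."""
    chain, seen, warnings = [], set(), []
    url = payload.strip()
    if urlsplit(url).scheme not in ("http", "https"):
        return None, chain, ["payload is not an http(s) URL: " + url]
    while len(chain) < max_hops:
        if url in seen:                      # A -> B -> A would otherwise spin forever
            warnings.append("redirect loop detected at " + url)
            return None, chain, warnings
        seen.add(url)
        chain.append(url)
        host = urlsplit(url).hostname or ""
        if host in SHORTENERS and "link shortener in chain: " + host not in warnings:
            warnings.append("link shortener in chain: " + host)
        status, location = fetch(url)
        if 300 <= status < 400 and location:
            url = urljoin(url, location)     # handles relative Location headers
            continue
        if status >= 400:
            warnings.append("unreachable (HTTP %d): %s" % (status, url))
            return None, chain, warnings
        if urlsplit(url).scheme != "https":
            warnings.append("final page is not served over HTTPS")
        return url, chain, warnings          # show this to the user before visiting
    warnings.append("gave up after %d hops" % max_hops)
    return None, chain, warnings
```

A real scanner would replace fetch_head with a HEAD request that does not auto-follow redirects; everything else stays the same.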

Q: What are the risks of scanning unknown QR codes?

Eric: "Drive-by" vulnerabilities may take over your phone by just visiting a webpage. As-yet-unknown vulnerabilities (known as zero-day vulnerabilities in security). Having your phone be a part of a botnet without your knowledge, or, worst-case scenario, stealing your information to drain your bank account.

Q: How can consumers identify trusted QR codes and avoid possible malicious codes?

Eric: I hate to say it, but you really can't. I decided to try this experiment with just stickers because, in my experience in the professional world, if there was a printing mistake, oftentimes the printer would issue stickers that would be placed over the offending area with the proper information. Just because you see a sticker on top of a poster doesn't mean that a bad QR code was placed. If you must scan QR codes, take some of my above advice about apps to use on your phone to protect yourself.

About Eric

Eric Mikulas is a security-minded professional who thrives on technology. Eric learned how to solder before learning how to write in cursive (he is also better at soldering than at writing). Eric has over 12 years of professional software experience ranging from machine to automation to eCommerce, and everything in between. When he isn't coding, or trying to tag QR codes, he can often be found building guitars or tweaking ones he already built to make sure everything is just exactly perfect.

Comments (3)

CEng | June 20, 2012 2:05 pm

Relevant: http://picturesofpeoplescanningqrcodes.tumblr.com/

Eric Mikulas | June 20, 2012 2:29 pm

You aren't wrong, Chris. I got 10 scans on the over 80 I placed. I am working on a new tactic for the next round.

Kelly McIvor | June 21, 2012 12:43 am

Eric is clearly a security guy. Cautious to the point of paranoia. To date there have been few, if any, cases of QR codes that resulted in something malicious. Unless you think taking the person to a non-mobile site is malicious, which I do.

To balance Eric's view, marketers are often advised to tell people what to expect when they scan a QR code. Many do, but too often the QR code is added by the clueless print layout person whose brother-in-law told them about these neat little codes. There's nothing evil in it, only naivete.

Eric's advice about finding a scanner app that can trace a URL before you actually go there is an interesting idea, though. I have half a dozen apps and I don't think any of them do that. It's the app, by the way, that is the biggest threat. As a native software application it will be the one to access your contacts and/or personal information stored on the phone. Stick to a popular, well-respected app and you'll be just fine.
