Eric Mikulas recently wrote an interesting article about the dangers of scanning QR codes. He conducted an experiment where he put up his own QR codes with no explanation of where they linked to, to see how many people would scan them. He found that a surprisingly large number of people scanned these unknown codes.
We conducted an interview with Eric to get his opinion on the possible dangers of the QR codes and possible malicious uses for this new phenomenon.
Q: What mistakes do consumers make when scanning QR codes?
Eric: In my personal opinion, consumers make the mistake of trusting unreadable codes (unreadable by humans) that could really take a person anywhere. With the vulnerabilities that are discovered on a regular basis with smart phones, I feel that it is only a matter of time until we see an explosion in malware for mobile platforms. My long term fear is that we will see an explosion in smartphone based bot nets and even malware specially crafted to to see personal information, ranging from phone contacts to login information to bank accounts.
Q: What mistakes do companies make when putting QR codes on posters?
Eric: Again, I'd like to say I think we put way to much trust into something that is unreadable by humans. I honestly can't think of mistakes that companies make in putting QR codes onto posters, but my mind makes me think of multiple things that could go wrong, even without taking into account people like me, who would paste their own QR code over legitimate QR codes. What would happen if you have a disgruntled Graphic Designer? Oh you pay, and treat your people well? Well what about a disgruntled print tech, or someone else along the lines from design to production to actual delivery. It is a far cry, from printing a URL on a poster to posting a QR code. At least with a URL, I can type it in myself, but by scanning a QR code, I putting an incredible amount of trust into an inanimate object that I personally cannot verify.
Q: What can consumers do to protect themselves when scanning QR codes?
That aside (this coming from someone in security, where paranoia is your greatest asset) the best advice I can give is two fold. Find a QR scanner that allows you to verify where a code will take you before actually visiting the site. If the site contains a URL that is shorted by a service (such as tinyURL or bitly) try to find an app that will follow the entire chain of links to the end to tell you where it will go.
Q: What are the risks of scanning unknown QR codes?
Eric: "Drive by" vulnerabilities may take over your phone by just visiting a webpage. As yet unknown vulnerabilities (known as zero day Vulnerabilities in security). Having your phone be a part of a bot net without your knowledge, or worst case scenario, stealing your information to drain your bank account.
Q: How can consumers identify trusted QR codes and avoid possible malicious codes?
Eric: I hate to say it, but you really can't. I decided to try this experiment with just stickers, because in my experience in the professional world, if there was a printing mistake, often times the printer would issue stickers that would be placed over the offending area with the proper information. Just because you see a sticker on top of a poster doesn't mean that a bad QR code was placed. If you must scan QR codes, take some of my above advice about apps to use on your phone to protect yourself.
Eric Mikulas is a security minded professional who thrives on technology. Eric learned how to solder before learning how to cursive write (He is also better at soldering, than writing). Eric has over 12 years of professional software experience ranging from machine to automation to eCommerce, and everything in between. When he isn't coding, or trying to tag QR codes, he can often be found building guitars or tweaking ones he already built to make sure everything is just exactly perfect.