Unshakeable Salt

QR Code Threats

The humble QR Code (Quick Response Code) has been around since 1997 but has only become commonplace over the last 10 years. It can be used for everything from storing a URL to acting as a contact card or even a Wi-Fi network login. It’s more distinctive than the old-fashioned barcode: a square that a human can read the right way up (thanks to only three corners having markings). It has a use and a place; it can be beneficial but also nefarious.

Since you’re here

With a bit of luck, you’re reading this page because you’re just perusing our website. However, it’s also probable that you’re here because you scanned some random QR Code into your phone. You might have been expecting to see a bus timetable, to find out what time a film is on at the cinema, or perhaps even to pay for your petrol.

You just saw the little black square and read the instruction to ‘scan me’. You assumed the image hadn’t been tampered with, trusting the location or the advertiser to take you somewhere ‘safe’ on the internet.

Well Dorothy, you’re not in Kansas now.

A real benefit of QR Codes is that they are cheap. They cost little to produce and manufacture and, if done right, prevent your competitors from stealing the links to your site. These are also the disadvantages, as they are easy to manipulate. A couple of minutes and a sheet of sticky paper is all it takes. There’s nothing like wandering around town sticking your own set of QR Codes over posters.

What’s worse, this is also common behaviour of advertisers, especially whoever it is who puts the timetables on lamp posts for First Buses in Leeds. Every few weeks they go out and stick a new sticker with a fresh URL over the previous month’s sticker. No wonder people don’t suspect that a URL might be fake.

Go ahead Punk, make my day – scan me !


Now, getting someone to land at a dodgy URL is bad. Getting them to click or accept something whilst there will inevitably end up with a compromised device, and that is easily done when the user might not even know what they should be seeing in the first place.

There are even contexts in which QR Codes can carry data that ends up being executed. The URL a code carries may host JavaScript that exploits vulnerabilities in applications on the host system, such as the phone’s web browser or image viewer, since the QR Code reader will typically hand the decoded data straight to a default application.
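As an added example that is not part of the original post, this Python sketch shows the kind of gate a reader could put between the decoded payload and the default application: work out what the payload is and collect the warnings a prompt should show before anything is opened. The sample payloads are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample payloads, as a reader might decode them (not from any real scanner).
SAMPLES = {
    "timetable": "https://www.example.org/bus/timetable",
    "lookalike": "https://bank.example@203.0.113.7/login",
    "script": "javascript:alert(document.cookie)",
    "wifi": "WIFI:S:CafeGuest;T:WPA;P:letmein;;",
    "vcard": "BEGIN:VCARD\nVERSION:3.0\nN:Doe;Jane\nEND:VCARD",
}

# Schemes that execute or load local content; never hand these to a default application.
BLOCKED_SCHEMES = {"javascript", "data", "file", "vbscript"}


def inspect_payload(payload: str) -> dict:
    """Classify a decoded payload; 'open' is True only when nothing needs a user prompt."""
    text = payload.strip()
    if text.upper().startswith("WIFI:"):
        return {"kind": "wifi", "open": False, "warnings": ["joins a Wi-Fi network; confirm the SSID"]}
    if text.upper().startswith(("MECARD:", "BEGIN:VCARD")):
        return {"kind": "contact", "open": False, "warnings": ["writes to the address book"]}
    parts = urlsplit(text)
    if not parts.scheme:
        return {"kind": "text", "open": False, "warnings": ["not a URL; show the raw text only"]}
    scheme = parts.scheme.lower()
    if scheme in BLOCKED_SCHEMES:
        return {"kind": "url", "open": False, "warnings": [f"blocked scheme '{scheme}:'"]}
    if scheme not in ("http", "https"):
        return {"kind": "url", "open": False, "warnings": [f"unfamiliar scheme '{scheme}:'"]}
    host = parts.hostname or ""
    warnings = []
    if scheme == "http":
        warnings.append("not HTTPS; the page can be altered in transit")
    if parts.username is not None:
        # "bank.example@203.0.113.7" reads as if bank.example were the site being opened.
        warnings.append(f"user info '{parts.username}' in front of the real host '{host}'")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address, not a named site")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised host name; may imitate a familiar one")
    return {"kind": "url", "open": not warnings, "warnings": warnings, "host": host}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, inspect_payload(payload))
```

Only the plain HTTPS timetable link comes back with `open` set to True; every other sample produces at least one warning that the reader should surface instead of opening the payload silently.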

A bigger threat comes now that there are payment-by-QR-Code applications. A large petroleum company now has payment by QR Code on its pumps. If you have that app installed on your phone, it doesn’t take a lot to get a payment out. OK, the funds aren’t landing in the bank account of the threat actor, but it still causes disruption. In fact, it’s more than feasible to DDoS a petrol station this way: not by taking out the payment solution, just by surrounding the clerk’s desk with customers unable to pay because of the confusion about which amounts have already been paid.

Bottom line

Let’s face it: if you landed here because you inadvertently scanned a QR Code, then you’re probably not still reading. If you are, then hopefully you’ll now think before you scan in the future. You’ll also take note of any prompt your QR Code scanner gives you before it takes you across the Internet.

If you’re here just because you’re reading, then well done. Go and spread the word. Advise sons, daughters, parents and grandparents about the danger. Then go and print some stickers out for yourself and have some fun.

Director of Unshakeable Salt, an information security specialist who first started contracting in 1997.
