Home of internet privacy

Are QR codes safe? Not always

Originally used as an alternative to barcodes to track vehicle parts in manufacturing plants, QR codes have gained widespread use as a way to open a URL on a mobile phone. This saves us from having to type long, complicated URLs into our browsers. 

It also offers consumers contactless options in numerous scenarios. For example, instead of providing physical menus, many restaurants place a QR code on the table. Patrons scan the code with their phone to be shown a menu on their screens. This type of contactless service has accelerated during Covid-19, removing the need to constantly disinfect physical menus or reassure people that they won’t contract the virus just by attempting to order their favorite cheeseburger.

[Get practical privacy tips. Sign up for the ExpressVPN Blog Newsletter.]

According to a 2020 survey by mobile-security platform MobileIron, 72% of users in the U.S. and several European countries have scanned a QR code recently, with 54% noticing an uptick in QR codes since the start of the pandemic. Meanwhile, 48% of respondents believe QR codes have security risks but continue to use them anyway. 

While QR codes might be legitimate for the most part, especially if you’re scanning them at a well-known establishment, their increasing popularity is attracting the attention of hackers. And when we consider all that QR codes are capable of, there are plenty of ways they can be used maliciously.

What are QR codes used for?

We assume that the primary function of QR codes is to open a URL. While that might be the most popular use case, the fact is that they’re capable of a lot more. For example, QR codes can be used to:

QR codes are convenient, easy to use, and provide a quick outcome. We barely give their security a second thought.  After all, what could go wrong? Unfortunately, that’s exactly what hackers and malicious entities bank on: for us to let our guard down.

Are QR codes secure? Here are the risks

An increasingly popular attack vector is hacked QR codes containing malicious URLs. Once a user scans the code, they are redirected to a site with custom malware. Or the URL could be a phishing site that extracts as much information as possible from the affected user. 

Large corporations aren’t immune to this trend. QR codes on Heinz ketchup bottles have redirected people to porn websites, with the company blaming a lapsed domain as the reason for this faux pas. 

The relative ease of hijacking QR codes and inserting a malicious URL or payload is demonstrated in this YouTube video

Tips to stay protected

QR codes are convenient, easy to set up, and pack a lot of information inside a relatively tiny image. We expect them to become even more ubiquitous, which is why it’s necessary that you always follow good security hygiene when using them.

Many of us know to open emails and links from people that we know and trust. A failure to do that puts you at risk for phishing or social engineering attacks. QR codes are no different. It’s O.K. to scan a code for a menu or information at your local gym, for example. But don’t go around scanning QR codes posted on the local neighborhood announcement board or a random flyer, for instance.

The next step is to always keep your devices updated. A malicious QR code could take you to a site containing malware. The best way to guard against that is to make sure that your devices are running on the latest operating system and that all essential security applications are updated. 

Lastly, just be prudent and don’t let your guard down. If you come across a competition advertising free money and it sounds too good to be true, then it probably is. Don’t scan the related QR code. Hackers thrive on human fallibility and indiscretion. 

Read more: How to tell if your webcam has been hacked