The increasing use of QR codes as a way to add interactive elements, apps and websites to display advertising, competitions or print magazines could pose a risk to smartphone users, Australian researchers at Murdoch University have warned
There is no standard for marking out a ‘safe’ QR code, Murdoch University researchers point out in Phys.org‘s report – and no easy way for a human to tell whether it’s an innocent promotional website that his code reader is sending him to, or a malicious site.
Murdoch University researcher Dr Nik Thompson said that the fact that the codes can only be read by machines creates a barrier that can be useful to cybercriminals, “There have already been cases of QR codes used maliciously to installmalware on devices, or direct them to questionable websites.”
The nature of marketing itself means that the codes can crop up in unexpected places – particularly in guerrilla campaigns, or in grey or illegal markets. Creative Guerrilla Marketing points out that it has become common for men advertising illegal prostitutes in Las Vegas to wear T-shirts saying ‘scan here for Escorts’.
Even disregarding the social stigma of steadying a smartphone in front of someone in the street to download a web address for prostitutes, the provenance of the code is completely unknown – it could direct a user to download malware, or visit an infected website, or subscribe people to unwanted services, such as premium SMS.
People seem willing to ‘trust’ the codes, even when they appear at random, the researchers say. In one recent case, a poster with a QR code was placed on the wall at a security conference, inviting passers-by to scan the code to win an iPad.During the weekend conference, 445 people scanned this code and visited the linked website.
“The fact that so many people were willing to scan this untrusted QR code, even at a conference dedicated to IT security, highlights the possibly dangerous level of trust that is placed in printed materials such as posters,” he said.“Most of us are familiar with standard barcodes, which have been used safely for decades, and so don’t understand the risks associated with QR codes.”
A standard barcode can represent up to 20 characters of information, while QR codes can carry much more data – up to thousands to characters.
ESET Senior Research Fellow David Harley says, “This isn’t wrong, but there isn’t really anything new about it either. The first malicious QR link I remember was reported in 2011 – in fact, I included a QR in the ‘click of death’ article discussing phishing tactics to make the same point. It links to a harmless ‘simulated phishing page’.
Dr Thompson also suggests using QR code readers which allow you to preview the entire URL before proceeding to the site. He also recommends seeking out one of the many anti-malware apps available, developed by well-known internet security companies.
“Internet users need to be just as cautious with their mobile and tablet devices as they are with their laptop and desktop computers,” Dr Thompson said.“Never log in or submit personal details to any website you access by QR code, as it could be a fake site set up to capture your information. Criminals follow the money, so if more people are using mobile devices, that’s what they’re going to target.”
Author Rob Waugh, We Live Security