QR Code Security is Not Being Talked About Enough
What Are QR Codes and the Issues
QR codes, or quick-response codes, were made by a Japanese company in 1994. Use outside of big businesses has become more commonplace since 2020.
They usually appear on menus, leaflets, billboards, adverts, job adverts, consumer products and more. They are there to replace text Uniform Resource Locators (URLs), which can be difficult to type in a short amount of time, and they eliminate typo frustration.
The issue with QR codes is security, because they are easy to manipulate. Here’s why:
- The accounts behind dynamic QR codes can be hacked and the codes redirected to a malicious URL.
- They can be replaced or edited without anyone knowing immediately.
Bad actors can target smartphone users to get them to use phishing websites and applications that they think are genuine. The only way to reduce this is by using static QR codes that are laminated or fixed down, and checking the URL manually for inconsistencies. QR codes should be avoided as a direct payment method or anything involving money. It can be very difficult for businesses to manage a batch of QR codes or trust online QR code generators to embed the correct URL.
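The manual URL check described above can be written out as a small Python routine that a business could run over the payloads of its own printed codes. This is an added example, not code from the original article; `EXPECTED_HOSTS`, `inspect_qr_url` and the sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the hosts the business really printed on its codes (placeholder).
EXPECTED_HOSTS = {"menu.example.com"}

def inspect_qr_url(decoded, expected_hosts=EXPECTED_HOSTS):
    """Return a list of inconsistency labels for a URL decoded from a QR code."""
    try:
        parts = urlsplit(decoded.strip())
    except ValueError:
        return ["unparseable"]
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ["no-host"]
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None:
        # Text before '@' is login data, not the site being visited.
        findings.append("userinfo")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-host")
    except ValueError:
        pass
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        # Internationalised names can contain lookalike characters.
        findings.append("idn-host")
    if host not in expected_hosts:
        findings.append("unexpected-host")
        if any(e in host for e in expected_hosts):
            # The genuine name appears inside someone else's domain.
            findings.append("embeds-expected-name")
    return findings

# Constructed sample payloads, as a scanner app would hand them over.
SAMPLES = [
    "https://menu.example.com/table/12",
    "http://menu.example.com/table/12",
    "https://menu.example.com@198.51.100.7/pay",
    "https://menu.example.com.login.example.net/",
    "https://xn--mnu-dma.example.com/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", inspect_qr_url(url) or "consistent")
```

An empty list means the decoded URL matches what was meant to be printed; any label is a reason to stop and compare the sticker against the original artwork.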
Being pressured to do something because it is quicker can lead to worse outcomes. On the other hand, QR codes for network engineers are wonderfully useful. I recognise these concerns through my own training and security practices, but they are talked about in other articles (IEEE Computer Society).
Microsoft have been showing unusually placed QR codes on their Windows login screens to promote their products: “Microsoft spammed Windows 11 lock screen with Copilot QR code ads to ‘educate users’”
Good Uses of QR Codes
1. Easier to Access a List of Host Networks and Ports
Imagine having network devices that each act as a host to connect to: it makes sense to have a QR code for each one. I’ve used generators to give guests access to a Wi-Fi network during parties, and I also suggest generating codes using software that does not collect data and works offline, such as wificard.io.
2. Automating Daily Tasks
Some REST API endpoints can trigger smart devices around the home. Rather than using voice activation, it could be more secure to use a phone. This may become more widespread if voice authorisation software is often required.
3. Create Recipes or Lists of Instructions
Add a QR code linking to an online text document or manual for instructions on how to use a boiler, and as a backup for the next resident in a rental property.
The same applies if you often forget how to work a device because of infrequent use. This could also include plant labelling, where instructions on how to care for the plants go missing, or codes placed on animal collars to find the owner’s information without getting too close.
Automation and Reliability Testing of QR Codes
I recently found this interesting video on how to automate QR code testing, produced by the company “repeato.app”: