QR Codes and Hackers | Pt 1: How QR Codes Get Hacked

QR codes are a useful bridge between the real and digital world. When you scan a QR code in real life, you can visit handy websites and perform digital actions in just a few seconds. People today scan QR codes to access digital menus at restaurants or even to pay their downtown parking meter. QR codes are used to link to games, to mobile apps, and payment platforms. But can hackers get through a QR code?

Unfortunately, the answer is yes. Hackers have recently caught up with the QR code craze and have begun placing infected and decoy QR codes in order to infect phones and hack private users directly through their personal devices. Every QR code you scan could be infected.

How do QR codes work, and how can we protect ourselves and others from hacked QR codes? That’s exactly what we’re diving into today.

How QR Codes Work

QR codes are like a barcode, but able to hold complex data in two directions instead of one. QR codes store data including links and software commands in a scatterplot of square dots. The dots are read by your phone camera from top to bottom and right to left. When the QR code is scanned, your phone takes the action indicated by the code.

A safe phone will ask you if you want to follow the link, but some respond immediately to the code embedded in the QR pattern. The good news is that, in most cases, you will be asked to slide-approve a QR scan – so you have a final chance to decide if a code is safe after you scan it.

What QR Codes Can Do: Why Hacked Codes are Dangerous

The real problem with QR code hackers is how versatile and useful a QR code can be. A legitimate or hacked QR code can do more than open a web link. These code squares have the potential to achieve a wide variety of both useful and dangerous actions on your phone.

• Follow website links
• Direct-download apps from your app store
• Call phone numbers
• Add contacts to your phone
• Convey up to 4K words
• Authenticate an online account
• Verify login details
• Access a wifi network
• Send and receive payments
• Compose emails

Some of those functions are extremely risky when scanning codes from unknown or malicious sources. From direct download to joining a wifi network, there are many routes to infect your phone or hack your device directly.

How Hackers are Corrupting QR Codes

• QR Code Stickers used to replace legitimate codes
• False QR code advertisements with infected links

QR codes are found “in the wild” all over our society. Restaurants use them for menus and coupons. You can find QR code links to bus routes in the bus station. Your parking meter might have a QR code for payment, and so too might your farmer’s market vendor. QR codes are often used in advertisements on flyers and newspaper ads.

There was a time when it was safe to curiously scan a QR code stuck to a telephone pole on your morning walk – but no longer.

QR Sticker Hacking & Flyer Spam

Hackers have realized that the freedom of QR codes is a loophole in personal device security. What is the primary source of infected QR codes? Stickers. Hackers translate their infected links and device commands into square-print QR codes . They then print them onto sticker sheets. With a close-cut white background, hackers replace legitimate QR codes with a quick sticker over the original. When you scan for your menu or parking meter, you get an infected link instead.

The smart ones can mask the link to look legitimate so you don’t even realize your phone has been infected.

Hackers also post false advertisement flyers for local businesses, garage sales, and retail discounts to get people to scan. It might even look legitimate before you swipe, bearing the same domain or URL details as printed on the flyer.

Join us next time for the second half of this two-part series as we talk about how to protect yourself from hacked QR codes found in the world around you. Contact us for more information on data security and how to stay safe in a modern business environment.

[Continued in Part 2]

This article is for general information purposes only. It is not insurance, tax, legal, business, or other advice. For specific insurance questions related to you or your business, please contact our office.