You wouldn’t click on an unknown link, so why would you scan an unknown QR code?
Before we begin, it’s vital not to underestimate how helpful QR codes can be in tracking the spread of coronavirus outbreaks; however, there is little discussion over their integrity.
A QR code is a two-dimensional barcode that often contains a link to web applications. The QR code was invented by a Japanese automotive company in the early 1990s and has become a fundamental feature for many businesses.
Since the coronavirus outbreak began, nations have been trying to identify and implement the most effective method to track the movement of their people. The purpose of tracking was to quickly identify where and how coronavirus spreads using contact tracing. Many countries and states have adopted the QR code system for tracking, encouraging people to scan the code with their mobile phones and sign in.
While the QR code system has been extremely useful in tracing the movement of coronavirus, questions have been raised concerning its vulnerabilities. For example, if a business could print a QR code, what would stop an adversary from fraudulently creating their own and using it to replace the business’s QR code?
At the moment, many QR codes are being attached to facility entry points with instructions for all visitors to scan the code and sign in. The major vulnerability in these situations lies in the QR code’s integrity and in the security controls that ensure the code has not been replaced or replicated by an adversary.
If an adversary successfully replicated or created a QR code, it could be used to conduct a man-in-the-middle attack and collect sensitive data from visitors. Although this is an unlikely attack, it is quite possible and easily executed.
There are a few ways to mitigate the risk of this occurring:
– Secure the area where the QR code is stored (e.g. keep the QR code inside)
– Ensure there is CCTV coverage of the QR code
– Encourage staff to look for suspicious behaviour.
QR codes are a great tool, especially in these times; however, before scanning your next QR code, look for any suspicious clues such as incorrect logos or colours.
Ben joined Connley-Walker Pty Ltd in 2019 as a Registered Security Consultant. Ben has a Bachelor of Science (Security) & Diploma of Security & Risk Management.