Museums use them to bring their paintings to life. Restaurants put them on tables to help customers pay their bills quickly. Tesco even deployed them in subway stations to help create virtual stores. QR codes have been around since 1994, but their creator is worried. They need a security update, he says.
Engineer Masahiro Hara dreamed up the matrix-style barcode design for use in Japanese automobile manufacturing, but, as many technologies do, it took off as people began using it in ways he hadn’t imagined. His employer, Denso, made the design available for free. Now, people plaster QR codes on everything from posters to login confirmation screens.
If you thought QR codes were just a passing marketing gimmick, think again. They’re hugely popular in China, where people used them to make over $1.65 trillion in payments in 2016 alone, and Hong Kong too has just launched a QR code-based faster payments system.
The codes generated enough interest that Apple even began supporting them natively in iOS 11’s camera app, removing the need for third-party QR scanning apps.
Hara is a little spooked by all these new uses for a design that originally just helped with production control in manufacturing plants. In a Tokyo interview in early August, he reportedly said:
Now that it’s used for payments, I feel a sense of responsibility to make it more secure.
He’s right to be concerned. Attackers could compromise people in various ways using QR codes.
One example is QRLjacking. Listed as an attack vector by the Open Web Application Security Project (OWASP), this attack is possible when someone uses a QR code as a one-time password, displaying it on a screen. The organisation warns that an attacker could clone the QR code from a legitimate site to a phishing site and then send it to the victim.
Another worry is counterfeit QR codes. Criminals can place their own QR codes over legitimate ones. Instead of directing the user’s smartphone to the intended marketing or special offer page, the fake code could take users to phishing websites or those that then deliver JavaScript-based malware.
They could also exploit the growing use of QR codes for payments. A fraudster could replace a QR code taking people to a legitimate payment address with their own fake payment URL.
There have already been some proposals for security measures in QR codes, as laid out in an MIT course document by researchers there. One suggestion uses encryption to stop a third-party from snooping and cloning QR codes used for logging people in. To do this, the online app would send an encrypted QR code to an already-logged in (and therefore trusted) mobile device. Only the logged-in device can decrypt the QR code, which it then displays for the second device to read. The QR code contains a URL which logs them into the app. There are also several encrypted QR code login systems now in production.
Another proposal embeds digital signature information into the code to confirm its authenticity but uses more of the code’s available space for the extra data.
These are all great ideas, and perhaps Hara has some more. But he’d better move fast. As QR codes catch on, the widely deployed design will become increasingly difficult to change.
Rahn
I wonder if Steve Gibson’s (Gibson Research) SQRL software wouldn’t take care of the issue of security. SQRL sounds like a very well designed software solution.
Steve Gibson
Rahn,
I very much wish that SQRL could help with the QR code spoofing problem, but unfortunately it cannot. SQRL can be used in two modes: “Same device” and “Cross device.” In “same device” mode, where the user has a SQRL client installed on the machine they are logging into, SQRL provides uniquely-strong anti-spoofing / anti-MITM protection because, using “Client Provided Session” (CPS) the SQRL client returns the authentication directly to the user’s browser, thus bypassing and cutting out any 3rd-party. Fortunately, this is the mode that will be most common and it’s super-strong. But it uses “click to login with SQRL” rather than a QR code.
The “gee whiz” mode that’s super-sexy is where a SQRL client in a smartphone is used at the authenticator for a login to another machine. And that’s where we have the same problem: A malicious site could use the QR code for another site to obtain the user’s authentication for that other site. To combat this, all SQRL clients show the domain being authenticated to and request confirmation… but that puts the user in the loop and so it will be an imperfect solution.
/Steve.
Anonymous
Suggestion #1 is dumb. #2 sounds much more plausible.
Jeff
There’s been QR code security concerns for years. Seems to me that they needed a security update a long time ago.
Bill Justesen
If I recall the Sophos Mobile Security for Android asked me if I wanted it to scan with it. I’m grateful you all are on top of these things!
Paul Ducklin
Our (ahem, 100% free!) Sophos Mobile Security apps for both Android and iOS include a ‘safer scanner’ for QR codes.
Unlike the QR scanner built into your camera app, which autodetects QR squares that are in frame and decodes them for immediate use, ours scans QR codes and puts them through our live ‘is this a safe URL’ system first, via the cloud.
In other words, you get a safety check on any URL extracted from a QR code before you’re invited to visit that URL. The cloud lookup needs very little bandwidth so it generally adds just a tiny fraction of a second after pointing your camera at the QR square. The use of a cloud lookup means the app doesn’t need a giant (and rapidly outdated) database of URLs clogging up your phone.
There’s a link to the Android app above in the ‘Free tools’ bar at the end of the article, or search Sophos Mobile Security in the App Store or Google Play.
Henk
That’s very cool, it’s just embedded inside a menu inside an app instead of being readily available using a shortcut icon…
Paul Ducklin
On Android you can create a one-click icon. Go into the app, click the three-dots menu (top right), create a shortcut for the code scanner menu item, and then [Add] it to the Home screen.
(On iOS this sort of shortcut isn’t possible.)
Nobody_Holme
Hands up here, i’ve seen it but never used it, can it not just throw the URL it points to up as a “do you want to go here?” pop up instead?
(Due to my job, I have a multi-format barcode reader app I use instead)
Paul Ducklin
Ah, I should have been clearer above – you point your camera at the QR code; then you do get a popup that shows you where you’re about to go, tells you our classification of it (e.g. ‘here be dragons – keep your distance’) and waits for you to confirm or block the visit.
So even if the site has no known vices we’ll show you the URL before it gets loaded, in case you don’t want to go there anyway. That makes it like clicking on a web link where you can see your destination beforehand instead of a bit of a leap into the unknown.
Peter Verhas
Maybe I am not an expert enough in the topic, but for me, QR code is nothing else than a series of characters encoded in a form that it is automatically scanned and does not need a human to read and type into anywhere, like the URL field of the browser. QR codes do not suffer from any security issue which would not be there just creating a picture with the characters. Any security hardening for QR should also be followed by the same hardening for other encodings, like characters. Creating an electronic signature is certainly a good thing, but that is more of the responsibility of the application that uses the data in the QR. The QR is just an optical channel encoding.
I have the feeling that a built-in QR electronic checksum and signature would require a centra CA and this is driven by those who want to own the only and exclusive CA for the QR issuers.
Paul Ducklin
I treat QRs the same way – like a URL I didn’t need to type in.
The obvious differences between QRs and plain URLs, however, are: no typing needed, point-and-go, no human-readable characters in the QR square.
So the security issue is more about the frictionlessness of it all (you can’t easily point your camera at a website name and almost immediately and no-handedly end up on it). In other words, all the phishing and scamming problems to do with URLs and browsing on phones are definitely no better and probably much worse with QR codes.
That’s the problem that we’re trying to solve in the Sophos Mobile Security ‘safe QR scanner’ component mentioned above – we interpose an easy-to-use but clearly visible pop-up dialog between your phone camera and your visit to some possibly unknown website. The idea is to give you time to stop. Think. Connect.
Ash
Cloud based look-up is great but how do they/you report an incident and who is the first guinea pig(s). Safer scanner…well you nailed the speak there😏. Perhaps reporting a link has the same challenges as phone no. reporting apps….some people could black list anything. A body to approve QR Codes and a bank/body to report false ones also🙄
Paul Ducklin
Yes, we accept ‘bad-link’ reports (there’s a form on our website or there is is-spam@sophos.com and is-phish@sophos.com).
No, we don’t blocklist links just because one person said so.
No, we don’t wait until N people report a link before we do anything.
We actively scour the web looking for compromised sites; we use threat metrics from our own telemetry to find dodgy sites; we use call-home data obtained from malware analysis; we use DNS changes to highlight suspicious new web properties; we participate in various sharing schemes for threat intelligence; and much more.
Sure – sometimes, neither we nor any of our competitors and fellow travellers spot a newly-compromised website proactively and we learn about it because someone stumbles into it in real life…
…but that’s no reason for everyone else to have to stumble upon it too.
Peter Miller
Third party validation of QR codes is interesting, but it comes with significant overhead, and requires participation by remote entity at transaction time between two individuals who might want freedom from such entanglements. Not all QR codes contain URLs.
Advanced visual systems with secondary visual fingerprint validation techniques are also interesting, but rely on authentication as determined by software, and therefore a perfect entrance portal for hacking. Again these approaches inject more third party software at transaction time between two parties.
Another arriving technology not given much attention so far has been to make the QR codes themselves intrinsically verifiable by humans. Not readable mind you, but verifiable as likely authentic and from the source they expect them to be from. This approach mirrors the methods of cash money: only governments (or extreme hackers – aka counterfeiters) can take the time and effort required to make the details on your cash, yet any person can verify in a few moments for authenticity by simply viewing critically. Human beings already possess one of the most powerful optical scanners and authenticators known: our eyes and brains. In a few months time you’ll likely see this approach start to appear in the marketplace as a cheap yet reliable way to thwart bad players and their malicious QR codes.