Enterprise cybersecurity technology research that connects the dots.

Scan This: There's Danger in QR Codes

Trendy restaurant tables now feature QR codes that lead to menus, payment apps, and CISO nightmares.

Workers build a QR code
Source: <a href="https://pixabay.com/users/wir_sind_klein-6630807/?utm_source=link-attribution&amp;utm_medium=referral&amp;utm_campaign=image&amp;utm_content=3970681">Wilfried Pohnke</a> from <a href="https://pixabay.com/?utm_source=link-attribution&amp;utm_medium=referral&amp;utm_campaign=image&amp;utm_content=3970681">Pixabay</a>

QR codes have become embedded in daily life for many adults. Their spread was highlighted on Super Bowl Sunday, when a bouncing QR code on a brightly colored field occupied 30 seconds of very expensive air time. Capturing that particular QR code led viewers to information on cryptocurrency. Codes that have popped up on restaurant tables across the country lead to menus and apps for paying meal charges. Other codes could lead to much less benign destinations. 

The same qualities that make QR codes so valuable make them a legitimate threat to enterprise (and personal) cybersecurity. A type of bar code introduced in 1994 by automotive supplier Denso Wave, QR codes were first used to track components and subassemblies through an automobile assembly process. There are now 40 versions of the QR code, each carrying a different amount of information. Depending on the error correction employed, QR code capacity can range from 72 to 16,568 bits — more than enough to carry significant information about a part, or a malicious instruction for your mobile device or enterprise network.

And the opportunities to deliver those malicious instructions exploded shortly after the beginning of the pandemic when countless restaurants, eager to avoid the appearance of delivering viruses along with menus, moved customers to a menu viewed on their mobile phones. How did those menus get to the customers' mobile phones? Through a scanned QR code. Convenient, hygienic, and ubiquitous, QR codes have revolutionized menu delivery and customer feedback. They have also revolutionized delivery methods for malware and social engineering attacks.

Take a Closer Look
The problem isn't really with the capability of QR codes — those capabilities make the codes very useful for any number of legitimate business and consumer purposes. The problem is that so many people have stopped thinking about the codes that they scan. How many times have you seen people walk into a restaurant and scan the QR code from a sticker attached to the table, often scanning the code before they're fully settled in their seats? That kind of reflexive scanning is the human component of the vulnerability that the code introduces to the enterprise.

So, what is an enterprise security staff to do about it? Given the square code's ubiquity, a blanket prohibition on scanning is unlikely to work. The best approach, as in so many things cyber, is solid education on the threat and best practices for minimizing its impact.

The first thing employees must learn is that scanning a QR code should never be automatic. Want to see a menu on your smartphone? Great — ask the server to bring you a sheet with the QR code printed on it. Want to leave a review? Great — scan the code on the bottom of your receipt. QR codes on random stickers stuck to tables and doors should be treated with suspicion since they're in far too public a set of locations to trust.

Next up is learning to consider context when scanning a QR code. On an official sign with a logo in your bank's lobby? Perhaps. On a crooked sticker at the front of a gas pump? Hard no. Treating QR codes as you would any other bit of electronic kit is important because that's exactly what they are: mechanisms for carrying and delivering code to a device. Just because they're made of ink and paper rather than silicon and gallium arsenide doesn't mean they're any less effective — or dangerous.

Consider Training
The potential danger of QR codes is actually a good excuse to introduce training about dangers beyond the obvious phishing email message and dodgy website. Criminals and threat actors are eager to take advantage of actions taken without thought — times when employees are on "auto pilot" regarding their actions. Train employees to stop and think about codes, images, and stickers before they launch the attached URL and you may well cut down on the number of malware packages that come attached to orders for gooey cookies.

About the Author

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights