Among the many changes brought about by the pandemic is the widespread use of QR codes, graphical representations of digital data that can be printed and then scanned with a smartphone or other device, but which pose some security risks. The Federal Trade Commission warned again in December 2023 about the dangers of scanning codes from an unknown source.
QR codes have many uses to help people avoid physical contact with objects and close interactions with others, including sharing restaurant menus, signing up for email lists, car and home sales information, and registering for and returning medical and professional appointments.
QR codes are a form of barcode similar to the barcodes on product packaging that cashiers scan with an infrared scanner so that the checkout machine knows what products are being purchased.
Barcodes store information in a single, horizontal axis. QR codes store information both vertically and horizontally, allowing them to hold significantly more data. That extra data is what makes QR codes so versatile.
Anatomy of a QR Code
While Arabic numerals are easy for people to read, computers have a hard time reading them. Barcodes encode numeric data as a series of black and white lines of varying widths. In the store, barcodes record a set of numbers that designate a product’s ID. Importantly, the data stored in a barcode is redundant. Even if part of the barcode is destroyed or obscured, the device can still read the product ID.
QR codes are designed to be scanned by a camera, such as the one found on your smartphone. QR code scanning is integrated into many camera apps for Android and iOS. QR codes are commonly used to store web links; however, they can store arbitrary data, such as text or images.
When you scan a QR code, the QR reader in your phone’s camera decodes the code and the information it captures triggers an action on your phone. If the QR code contains a URL, your phone will show you the URL. Tap that URL and your phone’s default browser will open the website.
A QR code consists of several parts: data, a location marker, a quiet zone, and an optional logo.
How qr codes work and what makes them dangerous
The data in a QR code is a series of dots in a square grid. Each dot represents a one and each blank represents a zero in binary code, and the patterns encode combinations of numbers, letters, or both, including URLs. At its smallest, the grid is 21 rows by 21 columns, and at its largest, it is 177 rows by 177 columns. In most cases, QR codes use black squares on a white background, which makes the dots easy to distinguish. However, this is not a requirement, and QR codes can use any color or shape for the dots and background.
The location markers are squares placed in the upper left, upper right, and lower left corners of the QR code. These markers allow the camera of a smartphone or other device to orient the QR code when scanning. The QR code is surrounded by blank space, a quiet zone, to help computers determine where the QR code begins and ends. QR codes can include an optional logo in the middle.
Like barcodes, QR codes are designed with redundant data. Even if up to 30% of the QR code is destroyed or illegible, the data can still be recovered. In fact, the logos are not actually part of the QR code; they cover up some of the QR code’s data. However, since QR codes have redundant data, the data represented by these missing dots can be recovered this option deserves a look at the remaining visible dots.
Are QR codes dangerous?
QR codes are not dangerous. They are simply a way to store data. However, just as clicking on a link in an email can be dangerous, accessing a URL stored in a QR code can be dangerous in many ways.
The QR code’s URL may take you to a phishing site that tries to trick you into entering your username or password for another site. A URL can take you to a legitimate website and trick that website into performing a malicious action, such as giving an attacker access to your account. While such an attack requires a vulnerability in the website you are visiting, such vulnerabilities are common on the internet. A URL can take you to a malicious website that tricks another website you are logged into on the same device into performing an unauthorized action.
A malicious URL can open an app on your device and cause that app to perform some action. You may have seen this behavior when you click on a Zoom link and the Zoom app opens and automatically joins the meeting. While such behavior is usually harmless, attackers can use this to trick some apps into revealing your data.
It is important that when you open a link in a QR code, you ensure that the URL is safe and comes from a trusted source. Just because a QR code has a logo you recognize doesn’t mean you should click on the URL it contains.
There’s also a small chance that the app used to scan the QR code could contain a vulnerability that would allow a malicious QR code to take control of your device. This attack would work just by scanning the QR code, even if you didn’t click on the link stored in it. To avoid this threat, you should use trusted apps provided by your device’s manufacturer to scan QR codes and avoid downloading custom QR code apps.
Read More: How to Incorporate a Japanese Massage Chair into Your Daily Routine
