QR Codes: What are they, and are they secure?

  • 25 May 2012
  • 0 replies

Userlevel 7
  • Retired Webrooter
  • 2146 replies
A QR Code (or Quick Response Code), is a barcode that looks like this:

When scanned with a QR Code reader, it will commonly take you to a website represented by the QR Code.

What else are QR Codes used for?
There are other uses for QR Codes as well.  In fact, they were originally used for industrial labeling, but most of the time you see them these days it will be for marketing purposes.  It’s not uncommon to see QR Codes on advertisements or even telephone poles these days.  A lot of guerilla marketing campaigns will leave QR Codes lying around cities in places people might be tempted to scan them just to see what they are.  For instance, Facebook recently painted a giant QR Code on their roof.   Readers for QR Codes are very common as well.  There are a lot of free apps available for Android and iOS devices which can be downloaded to your device and be used to scan QR Codes, which will then send you off to the sites those codes represent.
The important thing to remember about these kinds of apps is that they are not all created equally.  Some such apps will show you the link the code sends you to before you go there and allow you to choose whether or not you want to go there.  Other ones will just drop you at the link without checking with you about it first.  It’s important that when you choose your QR Code Reader app that you pick one that lets you see the site first.  Why is this important? Well, like any other links, links from QR Codes can also host malware.
What kind of malware could they contain?
The first malware discovered in a QR Code was housed in an Android app called JIMM (my username frowns at this! :robotmad:).  Ever since then, malware has become more and more prevalent on Android devices.  In 2011, malware attacks on Android grew over 3,000%. That’s not an extra zero in there.  This malware is capable of all sorts of bad stuff.  It can obtain your calendar, contacts, and credit card info, along with any other data you store on your device.  It can take your password for Google or Facebook.  It could even track your location.  The example I cited above would send SMS messages to a premium number and charge your phone bill.
If you have a good mobile security product like Webroot, it will pick up on the malware when you attempt to access the link anyway, but a lot of times you don’t even need to get to that point.  If your QR Code Reader shows you the link and it looks like a bad link, you can just tell the app you don’t want to go there.  That’s why it’s so important to have an app that lets you see that info.
Are QR Codes ever shortened URLs?
Yes, sometimes the QR Code is shortened.  I noticed recently that one of our own QR Codes uses such a shortening method because the URL it sends you to is very big otherwise.  The code provided is very vague, along the lines of a bit.ly or goo.gl link. 
There are legitimate reasons for using the link shorteners, and it certainly doesn’t mean that every QR Code that uses one is bad.  However, the shortened link hides whatever the longer link was to begin with, making it more difficult to determine whether or not the link is good or bad.  When dealing with such a link, it becomes all the more important that your mobile security product is good enough to deal with taking the risk out of visiting such a site for you.  Links that redirect are a mixed bag.  Sometimes it’s an ok website.  Sometimes it’s just masking a malware site.  If you have Webroot SecureAnywhere installed, it will take care of this for you as long as the link opens up via Android’s default browser or Webroot’s own SecureWeb app which comes bundled in the Complete version of Webroot on Android and is available for free on iOS devices.
What else can you do to protect yourself from malicious QR Codes?

  1. Back Up Your Information. One thing you should always do anyway is back up your information.  Generally speaking, your device is probably already set up to do this automatically when you plug it in to your computer.  In a worst case scenario, you could always revert to the backed up state.  You should check with your device manufacturer to ensure the automated backup is set up on your device if you are uncertain about this.
  2. Be Proactive. Another thing you can be proactive about is keeping your firmware up to date.  This is typically managed by your carrier, but you may receive prompts to install the update.  Don’t put it off.  Firmware updates are frequently used to patch exploits.
  3. Don’t Store Sensitive Data. Try not to store sensitive data on your phone.  If you can avoid it, why take the risk at all?  Don’t store your credit card number or anything else you’re afraid of a thief stealing on your mobile device.
The most important part of protecting yourself is still a good security app, but hopefully some of this knowledge will be useful to you in keeping yourself safe as well.

0 replies

Be the first to reply!