Understanding QR Code Security Issues for Enterprise Devices


QR codes are commonplace on everything from restaurant menus to billboards, but these seemingly benign codes can pose a serious security threat to corporate mobile devices.

Over the past few years, scanning a Quick Response Code (QR Code) has become a popular way to access paperless menus, complete contactless transactions and more. However, due to their convenience and growing ubiquity, QR codes are also a popular target for hackers looking for new ways to spread malware and steal information. Organizations need to be aware of the various threats that can appear under the guise of a handy QR code and know how to avoid them.

What are QR codes?

People sometimes describe QR codes as 3D barcodes. They consist of a series of squares arranged in a much larger square and work similarly to a barcode. While a barcode can normally only represent short alphanumeric strings, a QR code is capable of storing larger amounts of data.

QR codes are often used for advertising because they can store long strings of data, which makes them perfect for storing URLs. This capability has proven to be particularly useful considering that smartphones are so widely used and can act as QR code scanners. Virtually anyone can scan a QR code and be taken directly to the corresponding website without having to manually enter the site address. As a result, advertisers prominently display QR codes on billboards, in magazines, on trade show booths, and just about anywhere a QR code might attract attention.

QR codes also help organizations measure the effectiveness of their various advertising campaigns. If a business buys ad space in multiple locations, it can use a different QR code for each location, with each QR code pointing to a unique URL. This allows the company to determine which codes people scanned to arrive at the advertised website. By tracking the scans, the company can determine which advertisements are generating the most interest among Internet users.

It’s not just advertisers who benefit. In fact, QR codes have become a mainstream trend in many other industries in recent years. Since the start of the COVID-19 pandemic, many restaurants have abandoned traditional menus. Instead, these locations may display QR codes on tables or other prominent places. Customers can scan these codes to view the menu on their mobile devices.

QR codes can also make their way into books. A few publishers have experimented with the idea of including QR codes on certain pages. If readers want more information on a topic relevant to a certain page, a QR code can direct them to a news article, YouTube video, or other resources.

QR code security issues

Although QR codes have many useful applications, malicious actors can also abuse them. In January 2022, the FBI issued a warning that cybercriminals could forge QR codes to direct victims to malicious websites. Scammers often turn to the latest trends for new cybercrime tactics.

There are two main types of QR code exploits used by cybercriminals. The first is a QR code-based phishing attack, sometimes called quishing. This attack uses a QR code to lure a victim to a phishing page that hackers have designed to steal the victim’s credentials, personal data, or other sensitive information.

The other main type of QR code attack is sometimes called QRLjacking. In this type of attack, hackers use a QR code to deliver malware to the victim’s device. The attacker tricks the user into scanning a QR code that directs the user’s device to a malicious URL, which infects the device with malware.

Besides these two basic types of attacks, QR codes can initiate other types of device-level actions. For example, a hacker can use a QR code to automatically make a phone call or send an SMS from the device that scanned the code. Under the right circumstances, hackers can even use QR codes to initiate a payment from the user’s device or force the device to join a certain Wi-Fi network.
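As an added example (not part of the original article), the Python function below shows how a managed scanner app could classify a decoded QR string before acting on it, separating web links from payloads that place a call, send an SMS, request a payment or join a Wi-Fi network. The TRUSTED_HOSTS allowlist, the allow/prompt/block policy and the sample payloads are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: hosts this organization trusts (constructed for the example).
TRUSTED_HOSTS = {"menu.example.com", "intranet.example.com"}
# URI schemes that trigger a device-level action instead of opening a page.
ACTION_SCHEMES = {"tel": "phone call", "sms": "SMS message", "smsto": "SMS message",
                  "bitcoin": "payment request", "upi": "payment request"}

def classify_qr_payload(text):
    """Return (verdict, reason); verdict is 'allow', 'prompt' or 'block'."""
    payload = text.strip()
    # De facto Wi-Fi format: WIFI:T:WPA;S:<ssid>;P:<password>;; (escaped ';' not handled)
    if payload.upper().startswith("WIFI:"):
        fields = dict(f.split(":", 1) for f in payload[5:].split(";") if ":" in f)
        return "block", "joins Wi-Fi network %r" % fields.get("S", "?")
    scheme = payload.split(":", 1)[0].lower() if ":" in payload else ""
    if scheme in ACTION_SCHEMES:
        return "prompt", "triggers " + ACTION_SCHEMES[scheme]
    if scheme not in ("http", "https"):
        return "prompt", "not a web link; show raw text to the user"
    try:
        url = urlsplit(payload)
        host = (url.hostname or "").lower()
        has_credentials = bool(url.username or url.password)
    except ValueError:
        return "block", "malformed URL"
    if has_credentials:
        return "block", "user@host form can disguise the real destination"
    try:
        ipaddress.ip_address(host)
        return "block", "raw IP address instead of a domain name"
    except ValueError:
        pass  # host is a name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        return "block", "punycode host may imitate a trusted name"
    if scheme == "http":
        return "prompt", "unencrypted link to " + host
    if host not in TRUSTED_HOSTS:
        return "prompt", "unknown host " + host
    return "allow", "trusted host " + host

# Constructed sample payloads, as a scanner would decode them.
SAMPLES = ["https://menu.example.com/table/4", "tel:+15555550100",
           "WIFI:T:WPA;S:FreeGuest;P:pass1234;;",
           "https://menu.example.com@203.0.113.7/login"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify_qr_payload(sample))
```

Showing the reason string to the user before any action runs gives them the chance to inspect the destination that a printed code otherwise hides.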


Why QR Code Exploits Work

In the past, if cybercriminals wanted to run a phishing scam or lure potential victims to a malicious website, they typically resorted to using email. The problem with this approach, at least from the criminal’s perspective, is that there are telltale signs that an email is not legitimate, such as misspellings or links to sketchy URLs. Often a phishing message will ask a victim to take actions that seem completely illogical. Some bolder examples include requests to pay an overdue tax debt using Apple gift cards, or messages that the recipient has won a nonexistent lottery and needs to click a link to claim their winnings.

Even when a phishing message is more convincing, there are still hints that the message is illegitimate. Anyone who knows what to look for and who takes the time to scrutinize such a message will have no trouble determining that the message is false.

This is not the case for QR codes. People can read a phishing email to look for suspicious items, but QR codes don’t offer such an opportunity. When someone scans a QR code, they have no way of knowing in advance if the code is legitimate. This is what makes QR code-based attacks so devastating. The basic elements of the attack are no different from an attack that hackers spread through email. Since the victim cannot assess the validity of a QR code, a QR code-based attack is more likely to succeed than an email-based attack.

Another problem with QR codes is that hackers can easily replace a legitimate QR code with a malicious one. For example, if a restaurant provides QR codes linked to its menus, an attacker could simply create stickers containing malicious QR codes and then place those stickers above the legitimate QR codes. There have also been incidents where hackers replaced a legitimate QR code in an email with a malicious code. There are even incidents in which random QR codes are placed in public places in case someone becomes curious enough to scan the code.

How organizations can protect themselves from the dangers of QR codes

There are three things organizations must do to protect users from QR code-based attacks. Consider the following steps to avoid the potential consequences of a fraudulent QR code:

  1. Make sure users are running security software on any mobile device that has access to company resources. The software must be able to protect against device takeover attacks, phishing attacks, and other mobile device exploits.
  2. Educate users about the cybersecurity dangers associated with scanning QR codes. Otherwise, users may not realize that QR codes can be problematic.
  3. Temporarily implement Multi-Factor Authentication (MFA) requirements across the organization, then gradually work toward adopting an authentication solution that doesn’t rely on passwords. Many QR code-based attacks are designed to trick users into entering their passwords so that cybercriminals can steal their credentials. Working on eliminating passwords can help thwart these types of attacks.
