With QR codes, even security pros play the fool

Security professionals who would never open an unsolicited attachment and would not think of clicking on a strange URL do not hesitate to scan a QR Code with a mobile device for the chance of winning a free iPad.

“That doesn’t make sense,” said David Maman, CTO of the database security company GreenSQL. But it apparently is true.

Maman made his finding in April at Infosec UK, Europe’s largest information security conference. He created a small poster with the logo of a real security company and a two-dimensional Quick Response Code urging passersby to “just scan to win an iPad.” And 455 of them did. There were 142 iPhone users, 211 Android users, 61 BlackBerrys and 41 unknown browsers. Fortunately, all their gullibility got them was a smiley face.

The codes originally were developed for use in the auto industry, but because of their ability to encode large amounts of quickly scanned data they have become popular with advertisers as a way of directing traffic to websites from mobile devices. An application scans the code, which is translated into a URL that is sent to the device’s browser.

And therein lies the problem — what is on the other end of that link is anybody’s guess. Usually it’s an advertisement, a coupon or some other legitimate material. But since at least late last year they have been found also to direct users to malicious sites where malware can be downloaded.

Maman discovered one such QR Code in March that directed users to a site in China that delivered a piece of Android malware. It was that discovery that led him to try his experiment.

“Remember, this was a conference for security professionals,” he said.

The first line of defense against malicious QR Codes is common sense, he said. Think before you scan, just as you would before you click. Does the code seem to come from a reliable source? Does the URL it encodes appear to be what it says it is?

But evaluating a code and the link can be difficult because small-screen browsers often do not show the entire URL at once. And URLs can be spoofed or traffic redirected. So mobile devices also need security software, including URL filters to block blacklisted addresses and antivirus engines.
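The check described in the two paragraphs above can be automated inside the scanning app itself, before the decoded string ever reaches the browser. The following is an added example written for this article, not code from GCN or from any QR reader; the hostnames in its blocklist and the sample payloads are constructed placeholders. It shows the full hostname (the part a small screen tends to hide), refuses non-web payloads such as Wi-Fi or telephone strings, and flags the spoofing patterns the article alludes to: credentials placed before the real host, raw IP addresses instead of names, punycode labels, and blocklisted domains.

```python
"""Inspect a decoded QR payload before handing it to the browser (illustrative example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed blocklist of hostnames. Placeholder values only, not real indicators.
BLOCKLIST = {"malware.example.net", "payload.example.org"}

# Only web URLs are allowed to reach the browser; anything else is shown as plain text.
ALLOWED_SCHEMES = {"http", "https"}


def inspect_qr_payload(payload: str, blocklist=BLOCKLIST) -> dict:
    """Return a verdict ("allow", "warn" or "block"), the full host and the findings.

    "block" findings are spoofing or malware-delivery patterns; "warn" findings are
    worth showing to the user but do not by themselves prevent opening the link.
    """
    payload = payload.strip()
    try:
        parts = urlsplit(payload)
    except ValueError as exc:  # e.g. malformed IPv6 bracket syntax
        return {"verdict": "block", "host": None, "url": payload,
                "findings": [f"unparseable URL ({exc})"]}

    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        # wifi:, tel:, sms:, mailto:, bare text ... display it, never auto-open it.
        return {"verdict": "block", "host": None, "url": payload,
                "findings": [f"non-web payload (scheme '{scheme or 'none'}'); show as text"]}

    host = (parts.hostname or "").lower()
    blocking, warnings = [], []

    if not host:
        blocking.append("URL has no host")
    # "https://trusted.example@evil.example/..." : the part before '@' is userinfo,
    # so the browser actually connects to the host after it.
    if parts.username is not None or parts.password is not None:
        blocking.append(f"credentials embedded before host; real host is {host!r}")
    try:
        ipaddress.ip_address(host)
        blocking.append("raw IP address instead of a hostname")
    except ValueError:
        pass  # a normal hostname, not an IP literal
    if host in blocklist or any(host.endswith("." + b) for b in blocklist):
        blocking.append("host is on the blocklist")
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode label; could be a look-alike domain")
    if scheme == "http":
        warnings.append("plain http; content can be altered in transit")

    verdict = "block" if blocking else ("warn" if warnings else "allow")
    return {"verdict": verdict, "host": host, "url": parts.geturl(),
            "findings": blocking + warnings}


if __name__ == "__main__":
    # Constructed sample payloads as a QR decoder would return them.
    for sample in ("https://www.example.com/promo",
                   "https://www.example.com@malware.example.net/win",
                   "http://192.0.2.10/app.apk",
                   "WIFI:S:FreeConf;T:WPA;P:secret;;"):
        result = inspect_qr_payload(sample)
        print(f"{result['verdict']:5s} host={result['host']!r} {result['findings']}")
```

The design point is that the decision is made on the parsed URL, not on how the string looks: the second sample displays as if it leads to `www.example.com`, but the parser reports the host actually contacted, which is exactly the information a truncated mobile address bar withholds.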

No tool is foolproof, however, and it ultimately is up to the user not to play the fool. So before you scan, ask yourself: Is it really worth it?


About the Author

William Jackson is a Maryland-based freelance writer.

Reader Comments

Wed, Sep 19, 2012 mjhugo Florida

The concern is valid, although QR codes could be handled in many ways to make them "secure" while exploiting their simplicity and speed of execution. The story does not end with QRC being an unknown link. HTTP browser links used to be as cryptic to the end user as QR codes are today, but there are hundreds of methods to protect the unaware user from clicking on a dangerous link. Why not consider a similar approach?

Thu, Sep 13, 2012 Cowboy Joe

Sounds like the key vulnerability might just be them "free" QRC readers you can get for just about all the smart phones. I wonder who's writin' those.

Thu, Sep 13, 2012 Paul

A conference doesn't necessarily make one safe. Physical security and other measures are usually lax to non-existent at most conferences. In this case, it may have been safer than scanning a code from some unknown source but one should always assume the worst until able to verify otherwise. That's the whole point of security.

Thu, Sep 13, 2012

Just because the venue was a Security Conference does not mean that all advertisements and posters in the vicinity of the conference were vetted and approved by the conference host. The activities that take place while setting up a conference are so hectic that it would be easy for an individual to put up a poster like this outside of the Conference Display areas with no one thinking anything about it. It is important to remember that many individuals with the desire to build a tool like this would have no problem with putting it up in the vicinity of a conference venue.

Thu, Sep 13, 2012 peter

Interesting article, but as the article states this was at a security conference where the vendors were supposedly vetted and trusted, so risk was very low. It's not like they were scanning a random QR code on the street or in a newspaper advertisement.
