Magic Inside QR Codes

The Good, The Bad, and The Hopeful

Shawn Stewart

Mr. Stewart has 27 years of experience with hundreds of international, commercial, military, and government IT projects. He holds certifications with ISC2, Cisco, Microsoft, CompTIA, ITIL, Novell, and others. He has a Masters in Cybersecurity, a Bachelors in IT, a Minor in Professional Writing, and is a published author.

They are everywhere. On television. In the grocery store. At your favorite restaurant. On the bus. In the newspaper. You probably have one within eyesight right now! No, it’s not a cute puppy. I’m talking about QR codes.

Denso Wave, a Japanese company, invented QR, or Quick Read, codes in 1994, to label automotive parts instead of using barcodes. Originally, they were simply binary representations of part and serial numbers until both their complexity and the devices used to read them matured. History lesson! (Link)

What Is A QR Code?

The basic QR code is a 2-inch by 2-inch square with three control blocks called alignment patterns. Data patterns live in the black and white section of the square. The more densely packed the black and white spaces, the more data the code could contain. The smaller the blocks, the more data will fit in the code.

Think of the clarity of a television or computer monitor. Remember how 8-bit games looked all blocky compared to the high definition of games today? OK, nerdy example, I know. But High Definition Television (HDTV) is a significant improvement because the individual pixels that create the picture are much smaller.

For decades, QR technology scarcely existed outside of manufacturing. It wasn’t until the fourth version of the QR code, when data blocks became compact enough to contain 50 ASCII characters, that they became web links. What the heck is an ASCII? (Link)

The most common use of QR codes today is as an Internet shortcut or Universal Resource Locator (URL). If you ate at a restaurant during the pandemic, you likely had your first-ever experience with QR codes as replacements for physical menus. We all had to learn that our mobile phones already could read QR codes through the camera. I work deep in tech and it was the first time outside of inventory control I’d ever needed to scan one.

How Do QR Codes Work?

Without getting deep into the math weeds, most QR codes scanned by your phone are converted to binary, which is converted to ASCII characters. Some QR codes are numeric, alphanumeric, or kanji, which are symbols shared by Chinese and Japanese languages. When your camera recognizes the QR code it produces a URL to click. Again, this is the most popular current use of the technology. Learn how the Internet works here (Link).
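The binary-to-text step described above, as an added example (not code from the original post): a decoder for the data segments of a QR bit stream. It assumes the scanner has already removed the mask and applied error correction, uses the field widths of QR versions 1 to 9, and does not handle kanji or ECI segments; the sample URL is constructed.

```python
# Added example: decode numeric, alphanumeric and byte segments of a QR bit stream.
ALNUM = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"
# mode indicator -> (name, width of the character-count field, versions 1-9)
MODES = {"0001": ("numeric", 10), "0010": ("alphanumeric", 9), "0100": ("byte", 8)}

def decode_segments(bits):
    """Return [(mode, text), ...] from an unmasked, error-corrected bit string."""
    pos, out = 0, []

    def take(n):
        nonlocal pos
        if pos + n > len(bits):
            raise ValueError("bit stream truncated")
        pos += n
        return int(bits[pos - n:pos], 2)

    def alnum(v, limit):
        if v >= limit:
            raise ValueError("invalid alphanumeric value")
        return ALNUM[v // 45] + ALNUM[v % 45] if limit > 45 else ALNUM[v]

    while len(bits) - pos >= 4:
        mode = bits[pos:pos + 4]
        pos += 4
        if mode == "0000":                    # terminator: the rest is padding
            break
        if mode not in MODES:                 # kanji, ECI, ... not handled here
            raise ValueError(f"unsupported mode {mode}")
        name, width = MODES[mode]
        count, text = take(width), ""
        if name == "byte":                    # 8 bits per character
            text = bytes(take(8) for _ in range(count)).decode("latin-1")
        elif name == "numeric":               # 3 digits in 10 bits, 2 in 7, 1 in 4
            while count:
                n = min(count, 3)
                group = take(3 * n + 1)
                if group >= 10 ** n:
                    raise ValueError("invalid numeric group")
                text += str(group).zfill(n)
                count -= n
        else:                                 # 2 characters in 11 bits, 1 in 6
            for _ in range(count // 2):
                text += alnum(take(11), 45 * 45)
            if count % 2:
                text += alnum(take(6), 45)
        out.append((name, text))
    return out

# Constructed sample: a byte-mode segment carrying a URL, then the terminator.
URL = b"https://example.com/menu"
BYTE_SAMPLE = "0100" + f"{len(URL):08b}" + "".join(f"{b:08b}" for b in URL) + "0000"
```

`decode_segments(BYTE_SAMPLE)` returns the URL as a single byte-mode segment; that decoded string is what the phone then offers as a link.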

The Good

Simplifying long, complicated URLs makes information easier to access. Would you rather type in a long URL on your phone or let your phone do all the work? Advertisers use QR codes in commercials to link to product demonstrations online and track interest. Support staff use QR codes to open direct communication channels for those experiencing technical difficulties, avoiding phone calls, emails, and delays.

QR Codes have replaced physical serial numbers for many products, well beyond their original use with car parts. A well-built conveyor system can scan QR codes on products at incredible speeds, increasing productivity. QR codes simplify financial transactions for purchases, allowing direct payment from your mobile device without the insecurity of producing cash or a card.

The Bad

So, who do you trust? Would you click on just any link sent to you without verifying the sender or the destination? The heartburn for most security specialists, including myself, is the inability to verify the link. Sure, you can disable automatic link direction, but most phones make it near impossible to see the full URL before clicking. What if the URL downloads command-and-control software onto your device or loads viruses, malware, and ransomware on your phone for upload to local or Cloud-based storage?

Who verifies QR codes? During BlackHat (Link), the world’s most well-known gathering of security professionals, standing banners placed throughout the conference venue held QR codes offering prizes and rewards for scanning and signing up. The problem? They were all fake! Well, intentionally faked to alert users to the dangers of unverified QR scanning. Would you scan a random QR code posted on a bulletin board or with no description?

The rub is that ANYONE can create a QR code and point unsuspecting users anywhere they want with very few protections. In fact, some websites offering QR code generators actually contain Drive By Downloads or point to malicious sites before directing users to the correct location. This has led to Quishing. Yes, it’s Phishing using QR codes (Link). Anyone can print labels and stickers and cover legitimate QR codes with malicious ones. Why does everything created to make life easier always lead to insecurity?

Protect Yourself

Good news everyone! Most phone providers and apps will not automatically follow URLs. If your device auto-clicks the URL from a QR code, search your specific device or application settings to turn this off. You need the ability to verify the URL BEFORE you select it. Once you follow a link, there is no going back.

QR codes are not going away and will only appear in less expected places, like on tombstones, to provide an electronic obituary. No, I’m not joking (Link). I have heard several people openly refuse to use QR codes. The middle ground requires presenters of QR codes to include the intended URL near the code for visual validation. Users scan the QR code, compare the URL, and verify the link is clean.

Nearly all endpoint protection applications include QR code protection. Before presenting the URL, the application compares the link to a blacklist of known malicious sites. More advanced options confirm with a real-time Cloud database. The application blocks malicious links and alerts the user of a bad QR code. Read what the FBI warned about QR codes and Quishing (Link).
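The two checks described above (comparing the scanned link with the URL printed beside the code, and looking it up in a blocklist) can be sketched as follows. This is an added example, not code from the original post or from any endpoint product; the function names, the blocklist entry and the sample hosts are constructed.

```python
# Added example: vet a scanned QR link before it is offered to the user.
from urllib.parse import urlsplit

BLOCKLIST = {"malicious.example"}   # constructed sample entry
PORTS = {"http": 80, "https": 443}

def parts(url):
    """Normalise a URL to (scheme, host, port, has_userinfo)."""
    u = urlsplit(url.strip())
    scheme = u.scheme.lower()
    if scheme not in PORTS or not u.hostname:
        raise ValueError("not an http(s) link")
    # IDNA-encode so lookalike Unicode hosts are compared in their xn-- form
    host = u.hostname.rstrip(".").encode("idna").decode("ascii")
    return scheme, host, u.port or PORTS[scheme], u.username is not None

def blocked(host, blocklist):
    """True if the host or any parent domain is on the blocklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def check_scan(scanned, printed, blocklist=BLOCKLIST):
    """Return (decision, detail); decision is 'allow', 'warn' or 'block'."""
    try:
        scheme, host, port, userinfo = parts(scanned)
        want = parts(printed if "://" in printed else "https://" + printed)
    except ValueError as exc:       # bad scheme, bad port, malformed host
        return "block", str(exc)
    if blocked(host, blocklist):
        return "block", f"{host} is on the blocklist"
    if userinfo:                    # https://trusted-name@other-host/
        return "warn", f"text before '@' is not the site; real host is {host}"
    if (scheme, host, port) != want[:3]:
        return "warn", f"goes to {scheme}://{host}:{port}, not the printed address"
    return "allow", host
```

The comparison is made on the normalised scheme, host and port rather than on the raw string, so differences in letter case or a trailing dot do not cause false alarms, while a different host hidden behind an `@` does.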

The Future of QR Codes

Today, QR Codes are finding uses beyond simple URLs. Manufacturers and vendors are validating the authenticity of products, software, and services with QR codes. No more searching for manuals for your refrigerator. Simply scan the QR code for troubleshooting, accessories, and filters for your specific model and serial number. The recall process for all products, including cars, validates with a simple scan. But how do we protect codes and their users?

One promising implementation of QR codes is as a digital certificate. When scanned, the code validates with Certificate Authorities, similar to how webpages verify today. Using the QR code certificate, all communications become encrypted and secure. Individuals can have their very own QR code to ensure the person is exactly who they say they are. Of course, additional protections will be required. Can you say multi-factor authentication (MFA)?

Until this becomes a reality, I recommend a QR code validation process similar to webpage security validation. As we move into higher generations of QR codes with more embedded data, security conscious users must be able to embed either a hash or full public certificate into the code. This will validate with the Certificate Authority BEFORE the link processes. If the destination webpage is protected by a digital certificate, perhaps scanners only need to verify this information first.

The world of QR codes is not a terrifying aberration of digital security. In fact, it stands to be the next great leap forward for personal privacy. When corporations deem privacy dead, wouldn’t it be great to know we as individuals control our own digital security? QR codes may give us that ability, in time.

Need Help?

Reach out to us! We’re all in this together. Visit our contact page to submit an inquiry. Also, please follow us on social media for the latest updates.

Check Out Our Podcast!

The Hillbilly Hacker Podcast is the hottest new show on the Internet to learn about today’s latest technology in simple words. You can find the Hillbilly Hacker on Spotify, Apple, Amazon, or wherever you find your podcasts. (Link)
