By Corey Nachreiner, CSO at WatchGuard Technologies
Do you remember Coinbase’s mysterious Super Bowl ad? The moving QR code on a plain black background with no other information was intended to make viewers curious and lure them into scanning the QR code.
While this might have been a clever marketing idea, there are dangerous cybersecurity implications. This marketing tactic helps normalize poor security practices, namely scanning QR codes without knowing where the link will lead. With the constantly evolving QR/AR technology and the increasing sophistication of threat actors, it’s essential to ensure users are trained in good cybersecurity hygiene and understand the risks associated with scanning QR or AR codes.
Although QR codes are not inherently malicious, like any other link, they can be the first step in a phishing or malware attack. Depending on where you encounter the QR code, there’s a risk the link you’re accessing has been compromised for malicious purposes. Mobile devices may do a good job of mitigating risk by presenting the link first and not just automatically taking the user to the URL upon scanning the QR code with their phone. Offering the full link will at least allow the user to verify the domain they are considering visiting and decide if it looks legitimate. Shortened links are still an issue, however, since there’s currently no easy solution that lets users see the destination. Even if a user sees the shortened link on a mobile device before it opens, they still don’t always see the full link – which could lead to potentially dangerous malware.
Realistically, you probably don’t have to fear the TV ads, like the Super Bowl one. When a QR code comes from a legitimate creator, it’s probably fine. It’s unlikely an attacker could access and change a QR code broadcast on TV to something malicious. However, you do need to worry about QR codes in public, on signs, posters, etc. It’s trivial for an attacker to print a different QR code with a malicious link and put it over the original. You should also remain skeptical about any QR code that arrives in an email. It could just be part of a phishing or spoofed mail, included to help it look legitimate.
Like traditional email phishing attacks, threat actors can use QR codes to direct users to malicious sites to steal data or potentially embed malware on the victim’s device. But attackers are seeing an opportunity with QR codes found in seemingly trustworthy places – such as on restaurant menus or parking meters. They are pasting their own QR codes over the real ones to ensnare unsuspecting victims. In Austin, TX, hackers recently pasted their QR codes onto parking meters to try to trick users into visiting a fake parking payment site. QR code use increased dramatically during the pandemic as businesses (especially restaurants) attempted to limit the sharing of things like menus to prevent the spread of disease. The increasingly indiscriminate use of QR codes creates bad habits by desensitizing users to the need to know what they are clicking.
Here are some best practices for when you encounter QR codes in public.
- Look for any signs of modification, the same way you would look for a skimming device added to an ATM. Are there edges suggesting a sticker? Does the color match the rest of the ad? If there is a logo in the middle, does it match the brand you expect?
- Only use your mobile device’s native QR code scanner (part of the standard camera app), not a third-party app. Only use a scanner that previews the link before taking you to it.
- Verify the URL. Make sure the domain matches what you expect.
- If it is a shortened link, avoid visiting it directly; instead, copy it and use an online tool to expand the link and reveal its destination (for example, http://checkshorturl.com/).
- Don’t scan random QR codes just found in public. Curiosity killed the cat.
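The link checks in the list above, as an added example that is not part of the original article: given the text decoded from a QR code and the domain you expect (say, the parking operator’s), the function flags a non-web payload, a link shortener that hides the destination, an `@` in the URL that makes the displayed host misleading, a punycode lookalike, and a domain mismatch. The shortener list and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed list of well-known link shorteners (assumption; extend as needed).
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}


def registrable_domain(host: str) -> str:
    """Naive registrable domain: last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_qr_link(decoded: str, expected_domain: str) -> dict:
    """Classify a decoded QR payload before it is opened.

    Verdicts: 'matches', 'caution', 'expand-first' (shortener) or 'mismatch'.
    """
    findings = []
    parsed = urlparse(decoded.strip())
    scheme = parsed.scheme.lower()
    host = parsed.hostname or ""
    if scheme not in ("http", "https"):
        findings.append(f"non-web scheme '{scheme or 'none'}'; not a browser link")
    if not host:
        findings.append("no hostname present")
    if scheme == "http":
        findings.append("plain http, not https")
    if "@" in parsed.netloc:
        findings.append("'@' in URL; the part before it is not the real host")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode (IDN) hostname; check for lookalike characters")
    if registrable_domain(host) in SHORTENER_HOSTS:
        findings.append("link shortener; destination hidden until expanded")
        verdict = "expand-first"
    elif host and registrable_domain(host) != registrable_domain(expected_domain):
        findings.append(f"domain '{registrable_domain(host)}' != expected '{expected_domain}'")
        verdict = "mismatch"
    else:
        verdict = "matches" if not findings else "caution"
    return {"host": host, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner preview might show them.
    for sample in ("https://pay.austinparking.example/meter/42",
                   "http://bit.ly/abc123",
                   "https://austinparking.example@evil.example/login",
                   "WIFI:S:Cafe;T:WPA;P:secret;;"):
        print(sample, "->", assess_qr_link(sample, "austinparking.example"))
```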
This same problem could affect the AR world as well, with potentially worse exposure. AR codes are relatively new and are essentially QR codes for AR devices (like phones with AR SDKs, the Magic Leap, Microsoft’s HoloLens 2, the soon-to-release Meta Quest Pro, and even discontinued products like Google Glass). For example, an AR headset may automatically add 3D elements tracked to your real-world space if it “sees” AR codes in its view. If you’ve ever seen the movie Minority Report, where Tom Cruise walks around in public with holographic, personalized ads popping up all around him, AR devices could potentially deliver this reality with AR codes. At the end of the day, AR codes are just links too and typically redirect to a web application that displays the tracked 3D element. However, just like QR codes, malicious AR codes could easily direct your AR device to a malicious site. The question the industry has not “decided” yet is whether AR codes will work automatically, without asking the user to confirm they should visit the link or execute the AR code. In AR, I can see some creators arguing your AR headset should process any AR code it sees without user interaction, to deliver the compelling use case of their 3D content magically appearing for you in the real world. However, if designed this way, malicious AR codes would render immediately too.
AR codes haven’t been productized or widely adopted, but we hope they take the same path as mobile devices and require that the device ASK the user before visiting the AR code’s link and showing the content it directs the device to. If AR devices handle AR codes the way mobile devices handle QR codes, there is a chance of safety, as users at least have an opportunity to see bad links and say no. However, if the AR use case drives companies to want things to show in AR automatically, AR codes would be even more dangerous, and attackers could easily plant malicious ones anywhere with stickers.
It’s paramount to ensure that users are trained in good cybersecurity hygiene and understand the risks of scanning QR codes (or any link). As the technology continues to evolve and QR/AR codes become even more ubiquitous in our daily lives – on ads, restaurant menus, business cards, Wi-Fi sharing, and more – users need to be aware of the risks and be more cautious about just clicking away on every code they see. Convenience should never trump security.
Corey Nachreiner, Chief Security Officer at WatchGuard Technologies, has been a front-line cybersecurity expert for nearly two decades; he regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles. Corey is the primary contributor to the Secplicity Community, which provides daily videos and content on the latest security threats, news, and best practices. A Certified Information Systems Security Professional (CISSP), Corey enjoys “modding” any technical gizmo he can get his hands on and considers himself a hacker in the old sense of the word.