There is danger in QR codes
QR codes have become integrated into the daily lives of many adults. Their spread was highlighted on Super Bowl Sunday, when a QR code bouncing around a brightly colored screen took up 30 seconds of very expensive airtime. Scanning that particular code led viewers to cryptocurrency information. Codes that have appeared on restaurant tables across the country lead to menus and to apps for paying the bill. Other codes can lead to far less benign destinations.
The same qualities that make QR codes so valuable make them a legitimate threat to business (and personal) cybersecurity. A type of two-dimensional barcode introduced in 1994 by automotive supplier Denso Wave, QR codes were first used to track components and sub-assemblies through an automotive assembly process. There are now 40 versions of the QR code, each holding a different amount of information. Depending on the version and the error-correction level used, the data capacity ranges from 72 bits (version 1 at the highest error-correction level) to 23,624 bits, or 2,953 bytes (version 40 at the lowest), which is more than enough to hold a malicious URL or an instruction for your mobile device or corporate network.
And the opportunities for delivering these malicious instructions exploded soon after the pandemic began, when countless restaurants, eager to avoid the appearance of virus-carrying shared menus, moved customers to a menu displayed on their own mobile phones. How did those menus get onto customers’ phones? Via a scanned QR code. Convenient, hygienic and ubiquitous, QR codes have revolutionized menu delivery and customer feedback. They have also revolutionized the delivery of malware and social engineering attacks.
Take a closer look
The problem isn’t really the capacity of QR codes – that capacity is what makes them so useful for legitimate commercial and consumer purposes. The problem is that so many people have stopped thinking about the codes they scan. How many times have you seen people walk into a restaurant and scan the QR code from a sticker on the table, often before they’re fully seated? This kind of reflexive, unexamined scanning is the human component of the vulnerability that the codes introduce into the business.
So what should corporate security personnel do about it? Given the ubiquity of the square code, a blanket scanning ban is unlikely to work. The best approach, as with so much of cybersecurity, is solid training on the threat and on the practices that minimize its impact.
The first thing employees need to learn is that scanning a QR code should never be automatic. Want to see a menu on your smartphone? Great – ask the waiter to bring you a sheet with the QR code printed on it. Want to leave a review? Great – scan the code at the bottom of your receipt. QR codes on random stickers stuck on tables and doors should be treated with suspicion, as they are found in an array of locations that are far too public to trust.
The next step is to learn to consider context when scanning a QR code. On an official sign with a logo in the lobby of your bank? Maybe. On a crooked sticker on the front of a gas pump? Hard no. It’s important to treat QR codes the way you would any other piece of electronic kit, because that’s exactly what they are: a mechanism for carrying instructions and delivering them to a device. Just because they’re made of ink and paper rather than silicon and gallium arsenide doesn’t mean they’re any less effective or dangerous.
The potential danger of QR codes is actually a good excuse to extend threat-awareness training beyond the obvious phishing email and dodgy website. Criminals and threat actors are eager to capitalize on actions taken without thinking – the moments when employees are on “autopilot.” Train employees to stop and look at what a code, image or sticker actually decodes to before they launch the attached URL, and you just might reduce the number of malware packages that arrive alongside the dessert order.
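The “stop and look” step above can be made concrete. Most phone scanners show the decoded text before opening it, and that text is what deserves the scrutiny. The following is an added example, not code from the original article: a small triage function that takes the string decoded from a QR code and flags the things a trained employee should notice before tapping through. The shortener list, the sample payloads and the risk heuristics are assumptions constructed for illustration; the `WIFI:`, `TEL:`, `SMSTO:` and `MAILTO:` prefixes are the common barcode conventions that make a phone do something (join a network, place a call, send a text) rather than just open a page.

```python
"""Triage the text decoded from a QR code before acting on it (added example)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import ipaddress

# Constructed, non-exhaustive list of URL shorteners: the real destination is hidden.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}

# Payload prefixes (common barcode conventions) that trigger a device action
# instead of opening a web page. A scanner should surface these explicitly.
ACTION_PREFIXES = ("WIFI:", "TEL:", "SMSTO:", "SMS:", "MAILTO:", "MATMSG:",
                   "MECARD:", "BEGIN:VCARD")


@dataclass
class Verdict:
    kind: str                      # "url", "action" or "text"
    target: str                    # host for URLs, payload type for actions
    flags: list = field(default_factory=list)

    @property
    def risky(self) -> bool:
        return bool(self.flags)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(payload: str) -> Verdict:
    """Classify a decoded QR payload and list the reasons to hesitate."""
    text = payload.strip()
    upper = text.upper()

    # Action payloads: joining a network or starting a call is a bigger step than
    # opening a page, so always flag them rather than silently acting.
    for prefix in ACTION_PREFIXES:
        if upper.startswith(prefix):
            kind = prefix.rstrip(":")
            return Verdict("action", kind,
                           [f"payload triggers a device action ({kind}), not a web page"])

    parts = urlsplit(text)          # urlsplit lowercases the scheme for us
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return Verdict("text", text[:40])

    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append("plain http: the page can be altered in transit")
    if parts.username or parts.password:
        # "https://bank.example@evil.example/" shows the brand first, lands elsewhere.
        flags.append("credentials embedded before the real host")
    if _is_ip_literal(host):
        flags.append("host is a raw IP address, not a named site")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label: possible look-alike domain")
    if host in SHORTENERS:
        flags.append("URL shortener: final destination is hidden")
    if host.count(".") >= 4:
        flags.append("deeply nested subdomains")
    try:
        if parts.port not in (None, 80, 443):
            flags.append(f"non-standard port {parts.port}")
    except ValueError:
        flags.append("malformed port")
    return Verdict("url", host, flags)


if __name__ == "__main__":
    # Constructed sample payloads, the kind a scanner might decode from table stickers.
    samples = [
        "HTTPS://MENU.EXAMPLE/TABLE/12",
        "https://menu.example@198.51.100.7/pay",
        "http://bit.ly/3abcXyz",
        "WIFI:T:WPA;S:FreeCafe;P:hunter2;;",
        "Table 12 - ask your server",
    ]
    for sample in samples:
        v = triage(sample)
        status = "STOP" if v.risky else "ok"
        print(f"[{status:4}] {v.kind:6} {v.target!r}")
        for flag in v.flags:
            print(f"         - {flag}")
```

In practice this sits between “scanner decoded something” and “browser opens it”: a clean `https://` link to a named host passes quietly, while embedded credentials, raw IP hosts, shorteners and action payloads all produce a reason to pause. The heuristics deliberately err toward flagging, since the cost of a second look is low and the point of the training is to break the autopilot habit.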