How QR codes work and what makes them dangerous – a computer scientist explains

Among the many changes brought about by the pandemic is the widespread use of QR codes, graphical representations of digital data that can be printed and then scanned by a smartphone or other device.

QR codes have a wide range of uses that help people avoid contact with objects and close interactions with other people, including sharing restaurant menus, mailing list signups, car and home sales information, and medical and work appointment check-in and check-out.

QR codes are a close cousin to barcodes on product packaging that cashiers scan with infrared scanners to notify the checkout computer of products purchased.

Barcodes store information along a single axis, horizontally. QR codes store information along both the vertical and horizontal axes, which allows them to hold much more data. This extra data is what makes QR codes so versatile.

Anatomy of a QR Code

Arabic numerals are easy for people to read but difficult for a computer. Barcodes encode alphanumeric data as a series of black and white lines of varying widths. At the store, barcodes record the set of numbers that specify a product’s ID. Importantly, the data stored in barcodes is redundant. Even if part of the barcode is destroyed or obscured, it is still possible for a device to read the product ID.

QR codes are designed to be scanned using a camera, like those found on your smartphone. QR code scanning is built into many camera apps for Android and iOS. QR codes are most often used to store web links; however, they can store arbitrary data, such as text or images.

When you scan a QR code, the QR reader in your phone’s camera decodes the code and the resulting information triggers an action on your phone. If the QR code contains a URL, your phone will present the URL to you. Tap it and your phone’s default browser will open the webpage.

QR codes consist of several parts: data, position markers, quiet zone and optional logos.

The anatomy of the QR code: data (1), position markers (2), quiet zone (3) and optional logos (4).
Scott Ruoti, CC BY-ND

The data in a QR code is a series of dots in a square grid. Each dot represents a one and each blank a zero in binary code, and patterns encode sets of numbers, letters, or both, including URLs. At the smallest, this grid is 21 rows by 21 columns, and at the largest, it is 177 rows by 177 columns. In most cases, QR codes use black squares on a white background, which makes it easy to distinguish the dots. However, this is not a strict requirement and QR codes can use any color or shape for dots and background.

Position markers are squares placed in the upper left, upper right, and lower left corners of a QR code. These markers allow a smartphone camera or other device to orient the QR code as it is scanned. QR codes are surrounded by a blank space, the quiet zone, to help the computer determine where the QR code begins and ends. QR codes can include an optional logo in the middle.

Like barcodes, QR codes are designed with data redundancy. Even if up to 30% of the QR code is destroyed or difficult to read, data can still be recovered. In fact, the logos are not actually part of the QR code; they hide some of the QR code data. However, due to the redundancy of the QR code, the data represented by these missing dots can be retrieved by looking at the remaining visible dots.
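To make the redundancy concrete, here is an added illustration, not code from the article or its author, of erasure recovery over GF(256), the finite field QR codes use for their Reed-Solomon error correction, with the same reduction polynomial 0x11D. It simplifies the real thing: the message is treated as polynomial coefficients and the codeword as that polynomial's values at the points 1..n (the evaluation view of Reed-Solomon), whereas QR codes use a systematic code arranged in a specific module layout. The recovery principle is the same: any k readable symbols determine a degree-(k-1) polynomial, so every redundant symbol buys one symbol that may be hidden. All function names and the sample message are my own; with 7 data bytes stretched to 10 symbols, hiding 3 of them (30%) still leaves enough to reconstruct the message.

```python
# Added illustration (not from the article): Reed-Solomon-style erasure
# recovery over GF(256), the finite field QR codes use (reduction polynomial
# 0x11D). Simplification: the message is the coefficient list of a polynomial
# and the codeword is its evaluations at points 1..n; real QR codes use a
# systematic RS code and a specific module layout, but recovery works alike.

# --- GF(256) arithmetic via log/antilog tables -------------------------------
PRIM = 0x11D            # x^8 + x^4 + x^3 + x^2 + 1, the polynomial QR codes use
EXP = [0] * 512
LOG = [0] * 256
_x = 1
for _i in range(255):
    EXP[_i] = _x
    LOG[_x] = _i
    _x <<= 1
    if _x & 0x100:
        _x ^= PRIM
for _i in range(255, 512):   # duplicate so EXP[a + b] needs no modulo
    EXP[_i] = EXP[_i - 255]

def gf_mul(a, b):
    if a == 0 or b == 0:
        return 0
    return EXP[LOG[a] + LOG[b]]

def gf_inv(a):
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(256)")
    return EXP[255 - LOG[a]]

def poly_eval(coeffs, x):
    """Evaluate a polynomial (lowest coefficient first) at x by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ca in enumerate(a):
        for j, cb in enumerate(b):
            out[i + j] ^= gf_mul(ca, cb)
    return out

# --- encoding: k message bytes -> n codeword symbols (n - k are redundant) ---
def rs_encode(message, n):
    k = len(message)
    if not 0 < k <= n <= 255:
        raise ValueError("need 0 < k <= n <= 255")
    coeffs = list(message)
    return [poly_eval(coeffs, x) for x in range(1, n + 1)]   # point x_j = j

# --- damage: a logo or a scuff hides some symbols (None = unreadable) --------
def erase(codeword, hidden_positions):
    return [None if i in hidden_positions else s for i, s in enumerate(codeword)]

# --- decoding: any k readable symbols fix the degree-(k-1) polynomial --------
def rs_recover(damaged, k):
    pts = [(i + 1, s) for i, s in enumerate(damaged) if s is not None]
    if len(pts) < k:
        raise ValueError(f"only {len(pts)} readable symbols, need {k}")
    pts = pts[:k]
    coeffs = [0] * k
    for i, (xi, yi) in enumerate(pts):            # Lagrange interpolation
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(pts):
            if j != i:
                basis = poly_mul(basis, [xj, 1])  # factor (x - xj); minus is xor
                denom = gf_mul(denom, xi ^ xj)    # (xi - xj), nonzero: points differ
        scale = gf_mul(yi, gf_inv(denom))
        for d, c in enumerate(basis):
            coeffs[d] ^= gf_mul(c, scale)
    return bytes(coeffs)

def demo():
    msg = b"HELLO!!"                    # 7 data bytes (constructed sample)
    code = rs_encode(msg, 10)          # 10 symbols, 3 of them redundant
    damaged = erase(code, {2, 5, 9})   # 3 of 10 symbols unreadable (30%)
    return rs_recover(damaged, len(msg))

if __name__ == "__main__":
    print(demo())   # b'HELLO!!'
```

The example recovers erasures, i.e. symbols whose positions are known to be unreadable, which is exactly the logo case. When positions are unknown (a scuffed symbol that reads as a wrong value), a Reed-Solomon decoder pays two redundant symbols per corrupted one, so a logo in a known position is far cheaper to tolerate than the same amount of damage scattered across the pattern.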

Are QR codes dangerous?

QR codes are not inherently dangerous. They are simply a means of storing data. However, just as clicking on links in emails can be dangerous, visiting URLs stored in QR codes can also be risky in several ways.

The QR code’s URL may send you to a phishing website that tries to trick you into entering your username or password for another website. The URL could instead send you to a legitimate website and trick that website into doing something harmful, such as giving an attacker access to your account. Although such an attack requires a flaw in the website you are visiting, such vulnerabilities are common on the internet. Or the URL may send you to a malicious website that tricks another website you are logged into on the same device into performing an unauthorized action.

A malicious URL can open an app on your device and cause it to take action. You may have seen this behavior before when you clicked on a Zoom link and the Zoom app opened and automatically joined a meeting. While such behavior is generally benign, an attacker could use it to trick certain apps into revealing your data.


It is essential that when you open a link in a QR code, you make sure the URL is safe and comes from a trusted source. Just because the QR code carries a logo you recognize doesn’t mean you should click on the URL in it.

There is also a small chance that the application used to scan the QR code contains a vulnerability that allows malicious QR codes to take control of your device. This attack would succeed by simply scanning the QR code, even if you don’t click on the link stored there. To avoid this threat, you should use trusted apps provided by the device manufacturer to scan QR codes and avoid downloading custom QR code apps.
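As an added example, not from the article, the checks below run over the text a scanner has decoded, before anything is opened. The function names and sample payloads are my own and use reserved example domains; the rules surface the situations the article warns about (a link to a website you did not expect, a decoy name before an '@', plain http, an internationalized host that may use look-alike characters, and a custom scheme that would be handed straight to an app) but they cannot prove a link safe, only point out what to look at before tapping.

```python
# Added example (not from the article): inspect the text decoded from a QR
# code before acting on it. Sample payloads and domains are constructed;
# the rules are heuristics, not a verdict that a link is safe.
from urllib.parse import urlsplit
import ipaddress

WEB_SCHEMES = {"http", "https"}

def host_matches(host, expected):
    """True if host is one of the expected domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in expected)

def assess_qr_payload(payload, expected_hosts=()):
    """Return (category, host, findings) for the decoded QR text."""
    findings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    if not scheme:
        return "text", None, findings          # plain text, nothing to open

    if scheme not in WEB_SCHEMES:
        # A custom scheme (someapp://...) is handed to an installed app, which
        # may act on it without showing any page first.
        findings.append(f"non-web scheme '{scheme}' would be opened by an app")
        return "app-link", parts.hostname, findings

    host = (parts.hostname or "").lower()
    if scheme == "http":
        findings.append("plain http: content can be altered in transit")
    if parts.username is not None:
        # "https://menu.example.com@evil.example/" really goes to evil.example;
        # everything before the '@' is just a username.
        findings.append(f"decoy name before '@'; the real host is {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalized (punycode) host; check for look-alike characters")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address rather than a domain name")
    except ValueError:
        pass
    if expected_hosts and not host_matches(host, expected_hosts):
        findings.append(f"host {host} is not among the expected domains")
    return "web-link", host, findings

SAMPLES = {  # constructed payloads using reserved example domains
    "menu":  "https://menu.example.com/today",
    "http":  "http://example.com/checkin",
    "decoy": "https://menu.example.com@evil.example/login",
    "app":   "someapp://join?id=123",
    "text":  "Table 12",
}

def demo():
    """Assess every sample as if the restaurant's own domain were example.com."""
    return {name: assess_qr_payload(p, expected_hosts={"example.com"})
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (kind, host, findings) in demo().items():
        print(f"{name:6} {kind:9} {host or '-':20} {'; '.join(findings) or 'no findings'}")
```

The `expected_hosts` parameter stands in for the "trusted source" the article asks you to verify: a restaurant menu code should land on the restaurant's own domain, and anything else is worth a second look even if the URL has no other oddity.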
