Can QR Codes Really Be Hacked?

What is a QR Code?

QR code (abbreviated from Quick Response Code) is the trademark for a type of matrix barcode (or two-dimensional barcode). A barcode is an optically machine-readable label that is attached to an item and that records information related to that item. The information encoded by a QR code may be made up of four standardized types (“modes”) of data (numeric, alphanumeric, byte / binary, Kanji) or, through supported extensions, virtually any type of data. (Source: Wikipedia.)

Where are QR Codes used / where can they be seen?

  • Business Cards
  • Advertisement Posters
  • Webpages, signifying download links
  • Stickers
  • Within Applications (web based & binary)

Storage

The amount of data that can be stored in the QR code symbol depends on the datatype (mode, or input character set), version (1, …, 40, indicating the overall dimensions of the symbol), and error correction level.  Below is a brief list of some of the storage limitations for QR Codes:

  • Version 04 – 50 Chars
  • Version 10 – 174 Chars
  • Version 40 – 1852 Chars

Depending on the input mode you wish to use, you should be able to store at least 2 kBytes of data.

License

The use of QR codes is free of any license. The QR code is clearly defined and published as an ISO standard.

Enough already.  Can it be Hacked?

Hacking a QR code means that the intended action has been maliciously manipulated. This is not effectively possible due to the error-correction built into the image. In order to successfully “hack” a QR code you would have to modify both the black and white blocks. It is simply easier to replace the QR code with another one printed on a sticker that sits on top of the original QR code.

Malicious QR Codes

A QR code can be created that redirects to malicious content (websites that download malware, host illegal content, etc.). You must be careful when scanning a QR code not to become a victim of these malicious QR codes. On a computer you don’t click on a link from a non-trusted website; apply the same rule to QR codes: don’t scan a QR code if you have doubts about it. Nowadays, most QR code readers display the link address before opening the web browser.

Phishing

Phishing targets victims by masquerading as a trustworthy entity. In the case of QR codes, it means replacing the QR code on a poster with another (with a sticker, for example). Users would then think they are scanning the QR code of a company they trust but would be redirected to malicious content.
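The link preview mentioned under Malicious QR Codes only helps against the sticker swap described here if something actually inspects the address. The following is an added example, not code from any particular QR reader: a check run on the decoded payload before anything is opened. The function name, the EXPECTED_DOMAINS allow-list and the sample payloads are assumptions made up for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: domains the legitimate poster or business card would link to.
EXPECTED_DOMAINS = {"example.com"}

def review_qr_payload(payload, expected=EXPECTED_DOMAINS):
    """Return (verdict, reasons) for a decoded QR payload without opening it."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return "warn", ["malformed URL"]
    if parts.scheme.lower() not in ("http", "https"):
        # Plain text, tel:, WIFI: and similar: display only, never auto-act.
        return "show-only", ["not a web link"]
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []
    if parts.scheme.lower() == "http":
        reasons.append("unencrypted http")
    if "@" in parts.netloc:
        reasons.append("userinfo before @ hides the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain")
    except ValueError:
        pass  # not an IP literal, so it is a host name
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host, possible look-alike")
    if not any(host == d or host.endswith("." + d) for d in expected):
        reasons.append("host is not an expected domain")
    return ("warn" if reasons else "ok"), reasons

# Constructed sample payloads, as a QR decoder would hand them over.
SAMPLES = [
    "https://www.example.com/menu",
    "http://example.com.evil.test/login",
    "https://example.com@198.51.100.7/a",
    "WIFI:S:guest;T:WPA;P:constructed;;",
]

if __name__ == "__main__":
    for s in SAMPLES:
        verdict, reasons = review_qr_payload(s)
        print(f"{verdict:9} {s}  {'; '.join(reasons)}")
```

The second and third samples both start with the trusted name, which is why the check compares the parsed host rather than looking for the brand anywhere in the string.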

Interesting QR-Code Tricks

We briefly mentioned above that QR-Codes have a high degree of error-correction. It can be broken down into the following table:

Level L (Low) 7% of codewords can be restored.
Level M (Medium) 15% of codewords can be restored.
Level Q (Quartile) 25% of codewords can be restored.
Level H (High) 30% of codewords can be restored.

Most QR-Codes have their error-correction set to High. This is because some cheap phones have cheap lenses on their built-in cameras, and sometimes QR-Codes can be fuzzy or blurred. However, as technology has improved and built-in cameras have become better, we now have 30% of the QR-Code to have fun with.

This is where we can insert small, simple 2-dimensional graphics (so long as they cover less than 30% of the overall QR-Code).

Examples:

RPi-QRCode

qrcode-youtube

qr-android-app