As a journalist, I try to remain unbiased. But, as a consultant, I owe it to my clients to be honest. So, I’m telling every one to be leery of QR codes — they’re evil.

What are QR codes?

Quick Response (QR) codes are bar codes, they just look different. That’s because QR codes use segments — like pixels on a monitor.

Whereas, more-familiar bar codes use vertical lines of varying thickness.

QR codes were developed in 1994 by Denso Corporation, a Japanese company affiliated with the car-manufacturing industry. By using segments, QR codes provide several enhancements. To start, a QR code can handle significantly more data that the 20-characters afforded UPC bar codes (courtesy of Denso).

And, QR codes:

  • Utilize two dimensions, making them smaller physically.
  • Have built in error-correction, allowing data retrieval from dirty or damaged surfaces.
  • Can be scanned faster and from any direction.

The following slide explains the different parts of a QR code (courtesy of Wikipedia).

They may not be all bad

Remember my describing QR codes as evil? Well, an old guy can change his mind, can’t he?

While preparing this article, I had a minor epiphany. QR codes do have a place. They allow me to provide digital information in a non-electronic format — my business card, for example. I have several websites and email addresses listed on the card. Pre-QR codes, people were required to input the information manually. With QR codes, it’s a simple scan.

Apparently, others have figured this out a lot sooner than I. For example, Dr. Shilpy Pattar’s blog “5 Uses of QR Codes in the Classroom” discusses how QR codes help teachers and students focus on what’s important — learning.

QR codes everywhere

I began spotting QR codes everywhere and driving my son nuts, “Look, this one is really cool. Oh wait, there’s another one.” That hyperactive curiosity nearly got me in trouble.

Not wanting any further part of my great adventure, I had to fend for myself at the local coffee house. While waiting for my decaf, a poster caught my attention. It had a QR code. Acting sufficiently cool, I scanned the code, and started to tap the link. I stopped.

Something’s not right

Something about the URL was off. Then I spotted it, the number zero instead of a lower-case O. I knew what that meant right away. Digital bad guys were on the hunt. Setting up malicious websites using domain names that are misspellings (typosquatting) of popular websites is a common ploy. is a good example. Did you notice the upper-case I instead of a lower-case L?

Upon examination

I took a closer look at the poster. Someone placed a QR-code printed sticker right on top of the real QR code. Sneaky. After I got home, I called William Francis — my Android investigative cohort — telling him about my experience. Here’s what William had to say:

“It’s fortunate that your QR-code scanner happened to be Google Goggles. It and ZXing Barcode Scanner are the only two I know of that preview a scanned link before taking any action. ShopSavvy — probably the most popular QR-code scanner — does not preview the data.”

William continued with the following example:

“It’s an issue of user education. If my son scans a QR code, and a notification pops up saying “Sprint System Update”, he will tap it. Furthermore, if it asks him “Do you want to install the update?” He will likely say yes — not realizing that Sprint has nothing to do with the app in question.”

William’s comment about user education jolted my memory. We created an example once before — R U @ RISK — to help explain an Android permissions issue. I asked if we could do something similar now. He thought we could.

You have a system update

It’s time to put your pretend propeller hat on.

You have a world-famous app from MKassner.Net — I did say pretend — on your smart phone. You receive an email from MKassner.Net. It suggests you scan the following QR code to download an update that fixes an exploitable vulnerability.

The next slide is what it looks like on my phone after scanning the above QR code. I encircled what’s embedded in the QR code. To avoid any confusion, I wanted to mention you may see different results depending on what version of Android is installed.

The next slide confirms the app has been downloaded and is ready to install. William even made the app look official, just like the bad guys would.

Now, it’s time for the brave souls who have been following along to click on the .apk and see what happens. If you see the next slide, the setting “Allow install of non-Market applications” is not checked.

Clicking on the Setting button will bring you to the following slide.

Some pundits consider this setting a security feature. Trouble is, it’s not insurmountable. If the setting was checked or the application downloaded from Android Market, sys_update.apk would have automatically installed.

Final thoughts

First and foremost, keep in mind the security advice you’ve accumulated about live links in emails and on websites. All of it applies to QR codes. For example, URL shorteners come in to play with QR codes, and I’m betting that the bad guys will use them to obfuscate the actual URL.

William wanted to add:

  • Remember QR code exploits depend on the user being uninformed. When scanning QR codes have some idea of what you expect to happen.
  • Don’t leave the “install from unknown sources” option enabled. If for some reason it needs to be enabled, be extra vigilant when scanning QR codes. There is one less layer of protection between you and the bad guys.
  • If during the process of scanning a QR code anything seems fishy — it probably is..
One last thing, William and I are really curious. What did you think of his app — sys_update.apk?
Update (10 Jan 2012): I wanted to ask a favor. There seems to be confusion as to whether the setting: “Unknown sources. Allow installation of non-Market applications” is available or not on different phone systems. If you could let us know your circumstances, it would be appreciated.