Quick Response (QR) codes are booming in popularity and hackers are flocking to exploit the trend. Worse, according to a new study, people are mostly ignorant of how easily QR codes can be abused to launch digital attacks.
QR code use is skyrocketing because more brick-and-mortar businesses are forgoing paper brochures, menus and leaflets that could accelerate the spread of COVID-19. Instead they are turning to QR codes as an alternative.
MobileIron warns that these QR codes can be malicious. In a study released Tuesday, the mobile device management firm found that 71 percent of survey respondents said they cannot distinguish between a legitimate and malicious QR code.
QR codes – the “QR” is short for “quick response” – allow a user to scan a special code with their phone’s camera to automatically perform an action. These shortcuts usually open a website, but can be programmed to perform any number of mobile actions, including drafting emails, placing calls, opening marketing collateral, opening a location on a map and automatically starting navigation, opening a Facebook, Twitter or LinkedIn profile page or starting any action from any app (such as opening PayPal with a pre-seeded payment handle).
According to the MobileIron survey of more than 2,100 consumers across the U.S. and the U.K., QR codes are becoming fully entrenched in people’s lives, especially as the coronavirus pandemic continues to rage on. Sixty-four percent of respondents said that QR codes make life easier in a no-touch world. For instance, a common application is for restaurants to link to virtual menus rather than provide physical ones.
In all, 47 percent of respondents have noticed an increase in their QR code use since COVID-19 hit. About 84 percent of people said they have scanned a QR code before, with 32 percent having done so in the past week and 26 percent having done so in the past month.
The problem is that QR codes are appealing targets for hackers because the mobile user interface prompts users to take immediate actions, while limiting the amount of information available. Meanwhile, mobile users are less vigilant than they are when using a laptop or desktop. In fact, 51 percent of respondents in the survey said they don’t have (or don’t know if they have) security software installed on their mobile devices.
“Hackers are launching attacks across mobile-threat vectors, including emails, texts and SMS messages, instant messages, social media and other modes of communication,” said Alex Mosher, global vice president of solutions at MobileIron, in new data released Tuesday. “I expect we’ll soon see an onslaught of attacks via QR codes.”
Sample attack scenarios include an attacker embedding a malicious URL containing custom malware into a QR code, which could then exfiltrate data from a mobile device when scanned, he added. Or, the QR code could point to a phishing site that looks to harvest credentials, or other personal and corporate information.
While 67 percent in the survey are aware that QR codes can open a URL, they are less aware of the other actions that QR codes can initiate. Only 19 percent of respondents believe scanning a QR code can draft an email; 20 percent believe scanning a QR code can start a phone call; and 24 percent believe scanning a QR code can initiate a text message. And a third – 35 percent – said they don’t know whether hackers can even target victims using a QR code.
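The following Python example is added here and is not from the article or from MobileIron: it takes the text already decoded from a QR code and reports which of the actions described above it would trigger (website, email, phone call, text message, map location) before anything is opened. The function name, the review notes and the sample payloads are constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# URI scheme -> what the phone would do after the scan.
ACTIONS = {
    "http": "open a website", "https": "open a website",
    "mailto": "draft an email", "tel": "start a phone call",
    "sms": "draft a text message", "geo": "open a map location",
}

def describe_qr_payload(payload: str) -> dict:
    """Describe the action a decoded QR payload triggers, with review notes."""
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()  # QR payloads are often upper-case
    if scheme not in ACTIONS:
        action = f"hand off to the app registered for '{scheme}:'" if scheme else "show plain text"
        return {"action": action, "target": text, "notes": []}
    notes = []
    if scheme in ("http", "https"):
        target = parts.hostname or ""
        if scheme == "http":
            notes.append("no TLS")
        if parts.username or parts.password:
            notes.append("userinfo before '@' is not the host")
        if any(label.startswith("xn--") for label in target.split(".")):
            notes.append("punycode host, compare with the expected name")
        try:
            ipaddress.ip_address(target)
            notes.append("IP literal instead of a domain name")
        except ValueError:
            pass  # ordinary host name
    else:
        target = parts.path
        prefilled = sorted(parse_qs(parts.query))
        if prefilled:
            notes.append("pre-filled fields: " + ", ".join(prefilled))
    return {"action": ACTIONS[scheme], "target": target, "notes": notes}

# Constructed sample payloads (documentation domains and address ranges only).
SAMPLES = [
    "HTTPS://MENU.EXAMPLE.COM/TABLE/12",
    "https://login.example.com@203.0.113.7/reset",
    "mailto:billing@example.com?subject=Invoice&body=Please%20pay",
    "sms:+15550100?body=YES",
    "tel:+15550100",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", describe_qr_payload(s))
```

Showing the action and the real target host to the user before acting addresses the gap the survey found: most respondents expect a URL and nothing else.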
It’s an area of security that deserves more focus, especially given that 53 percent of survey respondents said they would like to see QR codes used more broadly in the future. This includes potentially risky applications, like voting – in fact, 40 percent of people in the survey said they would vote using a QR code received in the mail. And Apple Pay users may soon be able to make payments via QR codes, using Apple Wallet.
“Companies need to urgently rethink their security strategies to focus on mobile devices,” said Mosher.