Why QR codes might be the weakest link in your enterprise security

Emily Brown

Nov 18, 2020

10 min read

Quick Response (QR) codes have been in use since 1994, when they were introduced to track parts in the Japanese automotive industry. A single scan can trigger a payment, display a text message, open a website URL, save a vCard contact to the user’s smartphone, log the user in to a website, or compose an email. With the COVID-19 threat looming over our heads, using QR codes for contactless transactions and interactions has become even more popular, adding to an already large user base.

The question is: Are QR codes really secure?

For a business or an enterprise, cybersecurity remains a high priority. While QR codes make life simpler, they can also be a delivery channel for attacks. When you scan a QR code, how can you be sure that it is legitimate? What are the threats posed by QR codes?

Security risks associated with QR codes

It has been claimed that more than 20 percent of Trojans and viruses are delivered via QR codes. A QR code is only a container for data: the encoding itself cannot be “hacked”, and a scanner decodes exactly what was printed. The danger lies in what the decoded payload points to, and generating a code that encodes a malicious URL takes seconds with any of the freely available QR code generators. The possible attack scenarios can be summarised as:

1. Malicious software attack

Cybercriminals target unsuspecting users by hosting malware on malicious websites. When a user visits such a site, the malware is downloaded to the device without any further interaction; this is known as a drive-by download attack. The downloaded payload may be a malicious app that, once installed, exploits the device to leak sensitive data. Android smartphones are a particular target, since they can install apps from outside the official store. If the attacker delivers the link through a QR code, users are easily tricked, because a printed code gives no hint of the URL it encodes.

A true event

In 2011, Russian consumers fell victim to a malicious QR code scam. The code pointed to what was presented as a legitimate Android app; the download was in fact malware. Once installed, it sent SMS messages to premium-rate numbers, costing the victims about 5 USD per message.

2. Links to harmful websites

Sometimes a website can do far more harm than simply drop malware on your device. It may host a browser exploit: code that takes advantage of a vulnerability in the browser or the underlying operating system. A successful browser exploit may gain access to the device camera or microphone, send emails, read browser data and more. The user remains blissfully unaware, as the attack runs in the background while the screen shows a harmless-looking page.

3. Phishing

Any discussion of cyberattacks is incomplete without phishing, which remains one of the most common ways of breaking into web accounts. The attacker impersonates a legitimate website and tricks the user into entering their login credentials or other sensitive data. Phishing delivered through QR codes is known among researchers as QRishing.

QRLJacking (Quick Response Code Login Jacking): QRLJacking is an attack vector against the “Login with QR code” feature, and it affects every application that offers it. The user is persuaded to scan the attacker’s QR code instead of the legitimate one.

Attack Flow of QRLJacking

  1. The attacker opens the target service’s login page, which displays a login QR code, and clones that code onto a phishing page. Because login QR codes expire after a short time, the attacker keeps refreshing the code on the phishing page so that it always shows a valid one. The phishing page is then sent to the victim.
  2. The victim scans the QR code on the phishing page with the genuine app on their phone, which is already logged in to their account.
  3. The service authorizes the browser session that requested the code, which is the attacker’s. The attacker now holds an authenticated session for the victim’s account, and everything the service exchanges with that session goes to the attacker.

Login with QR codes – The risk vs utility

An authentication method is only worth adopting if the protection it adds outweighs the new risks it introduces. Credentials in the form of a username and password remain the most common login method, and they have well-known shortcomings: they can be phished, and users suffer password fatigue (the need to remember a large number of passwords for different accounts). Single sign-on (SSO) relieves password fatigue by letting one account authenticate to multiple services, but it concentrates the risk: a compromise of that one credential exposes every service behind the SSO system.
Login with QR codes works on the same one-account-many-services principle, with a short-lived one-time token displayed as a QR code in place of the password. The phone app that is already logged in scans the code, and the service grants the browser that displayed it an authenticated session. At first glance this looks secure and reliable. However, if the user is tricked into approving a code that an attacker’s browser requested (as in QRLJacking), it defeats the whole purpose of logging in with QR codes.
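To make the attack flow concrete, here is a simulation of a QR-based login backend and the relay described above, together with two of the usual countermeasures. This is an added example, not Hexnode’s code or any real service’s implementation; the server design, the login.corp.example URL, the token lifetime and the IP-mismatch check are assumptions made for illustration.

```python
"""Simulation of a 'login with QR code' flow and the QRLJacking relay.
Added example: the server design, URL, TTL and checks are assumptions."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class PendingLogin:
    requester_ip: str            # browser that asked for the QR code
    created: float               # time the token was issued
    user: Optional[str] = None   # set once a logged-in phone approves it


class QRLoginServer:
    """Minimal 'login with QR code' backend (assumed design, for illustration)."""
    TTL = 60.0   # seconds a login token stays scannable (assumed)

    def __init__(self, enforce_ip_match: bool = False):
        self.pending: Dict[str, PendingLogin] = {}
        self.sessions: Dict[str, str] = {}     # session cookie -> username
        self.enforce_ip_match = enforce_ip_match

    def new_qr(self, requester_ip: str) -> str:
        """Step 1: a browser asks for a login QR; returns the URL the QR encodes."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = PendingLogin(requester_ip, time.time())
        return "https://login.corp.example/qr?t=" + token   # assumed URL

    @staticmethod
    def _token(qr_payload: str) -> str:
        return parse_qs(urlsplit(qr_payload).query).get("t", [""])[0]

    def approve(self, qr_payload: str, user: str, scanner_ip: str, confirm=None) -> str:
        """Step 2: the phone app, already logged in as `user`, scans the code.
        `confirm(requester_ip)` models showing the user where the request came
        from and letting them refuse; `enforce_ip_match` models a network check."""
        p = self.pending.get(self._token(qr_payload))
        if p is None or p.user is not None or time.time() - p.created > self.TTL:
            return "rejected: unknown, used or expired token"
        if self.enforce_ip_match and p.requester_ip != scanner_ip:
            return "rejected: phone and browser are on different networks"
        if confirm is not None and not confirm(p.requester_ip):
            return "rejected: user declined"
        p.user = user
        return "approved"

    def poll(self, qr_payload: str) -> Optional[str]:
        """Step 3: the browser that displayed the QR polls; on approval it gets
        a session cookie. The token is consumed, so it cannot be reused."""
        token = self._token(qr_payload)
        p = self.pending.get(token)
        if p is None or p.user is None:
            return None
        del self.pending[token]
        cookie = secrets.token_urlsafe(24)
        self.sessions[cookie] = p.user
        return cookie


def qrljacking(server: QRLoginServer, victim: str, attacker_ip: str = "203.0.113.9",
               victim_ip: str = "198.51.100.7", confirm=None):
    """Replay the attack flow: the attacker's browser requests the QR and clones it
    onto a phishing page, the victim scans it with the genuine app, the attacker
    polls. Returns (outcome, owner of the session the attacker ends up holding)."""
    qr = server.new_qr(attacker_ip)                 # attacker-initiated session
    outcome = server.approve(qr, victim, victim_ip, confirm)
    cookie = server.poll(qr)                        # attacker's browser collects it
    return outcome, (server.sessions.get(cookie) if cookie else None)


if __name__ == "__main__":
    print(qrljacking(QRLoginServer(), "alice"))                        # attacker wins
    print(qrljacking(QRLoginServer(enforce_ip_match=True), "alice"))   # blocked
    print(qrljacking(QRLoginServer(), "alice",                         # user refuses
                     confirm=lambda ip: ip.startswith("198.51.100.")))
```

The bare flow succeeds because the service has no way of knowing that the browser which requested the code and the phone that approved it belong to different people. The `enforce_ip_match` flag models the simplest mitigation; it is noisy in practice (a phone on mobile data and a laptop on office Wi-Fi rarely share an address), which is why services more often show the user the requesting browser’s IP address, location and browser type and ask them to confirm, the behaviour modelled by the `confirm` callback.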

Preventing QR code attacks

Caution is the primary defense against QR code attacks. The scope of malicious QR codes is limited, but the damage can be real. If you are an IT admin, teach device users to take the following precautions whenever they scan QR codes in their daily lives:

  • Check the URL before providing any information: use a QR code scanner that displays the decoded URL and asks whether to proceed before opening it. Open the site only if the URL belongs to a source you trust, and read the whole host name rather than a familiar word somewhere inside it.
  • Avoid entering your credentials on a website you reached through a QR code unless you have verified that it is the genuine site.
  • Do not scan random QR codes on public posters; an attacker may be using them to test a malicious payload. Also be wary of a QR code that appears to be pasted on top of legitimate marketing material. Since the code itself cannot be altered without changing what it decodes to, attackers instead stick a code of their own over the original one.
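Showing the decoded payload only helps if the user knows what to look for in it. The following added example (not from the original post and not Hexnode’s code) is a small triage routine that a managed QR scanner could run on the decoded text before opening anything: it classifies the payload by scheme, flags the tricks that make a hostile URL look harmless, and matches the host against a trusted-domain allowlist without the usual suffix-matching mistake. The allowlist corp.example, the shortener list and the sample payloads are constructed for the example.

```python
"""Triage of a decoded QR payload before acting on it.
Added example; the trusted domains and sample payloads are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist of the organisation's own domains (constructed).
TRUSTED_DOMAINS = {"corp.example"}
# A few well-known shortener hosts: a shortener hides the real destination.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd"}
# Schemes a scanner on a managed device should never follow.
BLOCK_SCHEMES = {"javascript", "data", "file", "intent", "content", "vbscript"}
# Schemes that act on the phone rather than open a page: tell the user what they do.
ACTION_SCHEMES = {
    "sms": "sends an SMS from this phone (check the number and the cost)",
    "tel": "places a phone call",
    "mailto": "opens a pre-filled e-mail",
    "wifi": "joins a Wi-Fi network with the embedded credentials",
    "geo": "opens a map location",
    "market": "opens an app store listing",
}


def host_matches(host: str, domains) -> bool:
    """True if host equals one of the domains or is a subdomain of it.
    Plain suffix matching is the classic mistake: 'corp.example.evil.net' ends
    with 'corp.example' but must not match, so we require a leading dot."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def _result(verdict, scheme, host, reasons):
    return {"verdict": verdict, "scheme": scheme, "host": host, "reasons": reasons}


def triage(payload: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Classify one decoded QR payload as 'allow', 'review' or 'block'."""
    reasons = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if scheme in BLOCK_SCHEMES:
        reasons.append(f"{scheme}: scheme runs code or reaches local resources")
        return _result("block", scheme, host, reasons)
    if scheme in ACTION_SCHEMES:
        reasons.append(ACTION_SCHEMES[scheme])
        return _result("review", scheme, host, reasons)
    if scheme not in ("http", "https"):
        reasons.append("not a URL; treat as plain text")
        return _result("review", scheme, host, reasons)

    # From here on the payload is a web URL: look for the usual disguises.
    if scheme == "http":
        reasons.append("plain http: the page can be altered in transit")
    if parts.username is not None:
        reasons.append("'user@' before the host: the part you read first is not the site")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label: possible look-alike domain")
    if host_matches(host, SHORTENERS):
        reasons.append("URL shortener hides the final destination")
    if parts.path.lower().endswith((".apk", ".ipa", ".mobileconfig")):
        reasons.append("direct download of an app package or configuration profile")
        return _result("block", scheme, host, reasons)
    if not host_matches(host, trusted):
        reasons.append("host is not in the trusted-domain list")

    return _result("allow" if not reasons else "review", scheme, host, reasons)


if __name__ == "__main__":
    # Constructed payloads, one per trick discussed in the text.
    for p in ["https://portal.corp.example/login",
              "https://corp.example.evil.net/login",
              "https://corp.example@evil.net/",
              "http://203.0.113.5/update.apk",
              "javascript:alert(1)",
              "WIFI:T:WPA;S:Guest;P:hunter2;;"]:
        r = triage(p)
        print(f"{r['verdict']:6} {p}  {'; '.join(r['reasons'])}")
```

The two look-alikes in the sample set are the ones users fall for most often: corp.example.evil.net contains the trusted name as a prefix, and corp.example@evil.net shows the trusted name first while the browser actually connects to evil.net. Both come out as review with the real host named in the result, which is what the scanner should display to the user.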

QR Code Enterprise Security with Hexnode


Web content filtering

The majority of QR code attacks work by directing the user to a harmful website. For devices enrolled with Hexnode MDM, the web content filtering feature lets the admin block websites with potentially harmful content, so that users cannot reach them even after scanning a malicious code.

Web content filtering for iOS devices

This feature is supported on supervised iOS devices running iOS 7.0 or later. The admin can blacklist or whitelist websites in a policy and push it to the enrolled devices. The admin can also turn on automatic filtering of inappropriate content; websites that need to be exempted from the automatic filter can be added to the same policy. Configuring web content filtering also disables private browsing, which reduces the chance of an attack even further.

Web content filtering for Android devices
Web content filtering is supported on Samsung Knox devices running Android 6 or later. Just as with iOS devices, the admin can enable web filters for enrolled devices: users can reach only whitelisted websites and are blocked from any blacklisted ones.

Web App Kiosk Mode

Web-based kiosk, web app kiosk mode and browser lockdown all refer to the same thing: locking the device into a web browser that can open only the website URLs the admin has pre-specified. Web-based kiosks suit many businesses and greatly reduce the scope of QR code attacks, since an arbitrary URL decoded from a code simply cannot be opened.

Web App Kiosk Mode for iOS devices
Supported on supervised devices running iOS 9.3 or later, web app kiosk mode lets the user open the configured websites in either Safari or Hexnode Browser. If the admin chooses Hexnode Browser for the kiosk, additional browser settings can be configured, such as customizing the toolbar, cache settings, scheduled page refreshes, whether JavaScript is allowed, and more.

Web App Kiosk Mode for Android devices
Website URLs are added as Web Apps to include them in the kiosk. Web App Kiosk Mode for Android devices uses a safe browser: Hexnode Browser Lite, Hexnode Kiosk Browser or any browser of the admin’s choice. Hexnode Kiosk Browser offers both single-tab and multi-tab browsing, and users can access only the whitelisted websites. The admin can configure additional browser settings such as toolbar customization, theme color, appearance, scheduled refresh, cache, content settings and more.

Camera restrictions

A QR code attack succeeds only if the user actually scans the malicious code. Depending on the business use case, the admin can disable the camera on the user’s smartphone, removing the threat at its root. Hexnode lets you restrict camera use on iOS and Android devices.

Safari restrictions for iPhones/iPads

Enabling “Fraud warning” for Safari shows the user a warning when they try to open a fraudulent or compromised website. The user can then decide whether to proceed, even if they scanned a malicious code by mistake.

Separate work container for BYOD

For personal devices enrolled with Hexnode, managed work apps live in a separate container on both Android and iOS. Even if the user is attacked and personal data is compromised, the work apps and their data remain isolated from the attack.

Business Container for iOS

The business container for iOS controls the flow of corporate data between managed and unmanaged apps. The admin can configure restrictions so that documents from unmanaged apps cannot be opened in managed apps. This narrows the window for QR code attacks aimed at managed apps.

Work Profile for Android devices

For BYOD Android devices, enrolling the device as a Profile Owner under the Android Enterprise program in Hexnode creates an isolated work profile that separates work apps and data from personal ones. Work apps and data can be compromised only if the user scans a malicious code from within a work app. If that happens, the admin can remotely wipe the work profile from the Hexnode web console.

To sum up

QR code attacks are not large-scale attacks, but they can be very harmful to an organization. The code itself cannot be tampered with without changing what it decodes to, yet there are many ways to trick a user into scanning a malicious one. With QR codes becoming exceedingly popular in our mobile society, it is important to look at all the possible threats and take proper steps to prevent them.

Emily Brown

Reading is therapy and writing is healing...sincerely, a cool nerd.
