Enter the Matrix: How QR Codes Hide Privacy, Security Risks to Smartphones
|This QR code will take you to SecurityNewsDaily's homepage.|
QR codes, those little black-and-white puzzle-like square matrixes that increasingly populate ads and promotional posters, are meant to provide smartphone users with product details. But trusting consumers who scan these squares and comply with permission requests could get more than they bargained for in the way of security and privacy problems.
There's no doubt that QR code use (the letters stand for "quick response") is on the upswing. Consumer adoption of two-dimensional bar-code-scanning applications among smartphone owners has jumped to 15 percent, versus 5 percent a year ago, according to Forrester Research, with Android models and iPhones being the most common smartphones used.
But experts say all this swiping could cause some security, and perhaps privacy, issues for unsuspecting users. The QR code itself can link to malicious text messages or malicious websites, said Tim Armstrong, a malware researcher at the international anti-virus firm Kaspersky Lab.
"You can scan a barcode for a prompt to download an application, but you don't know the source of the application," Armstrong said.
Compounding the potential for problems is the fact that a QR code is cheap and easy to create, making the field ripe for scammers who use them to create phishing attacks. Such codes don't only appear in expensive advertising campaigns; they can be produced as stickers and adhered illicitly onto legitimate posters and placards.
Such malevolent cases might still be relatively rare, but they do occur, said Armstrong. For instance, this fall Kaspersky Lab learned of a scam emanating from a Russian website that was offering a chat client. Users who were sent to the site by a QR code could download the client to their phones.
While the site did ask permission from the user to install the application on the user's phone, the application would then secretly send premium text messages at $1 per message all on the tab of the unsuspecting smartphone user.
Another factor that consumers should be aware of are the two flavors of QR code: direct and indirect. A direct QR code contains all the product information you need to know within itself, but an indirect code requires an application to reach out to an online server to look up the needed information.
In the latter case, the QR code works in harmony with an app, which must sometimes be purchased, to determine the app's destination from the database, says Andrew Kinnear, senior digital strategist at Aimia Inc., a loyalty-marketing firm in Toronto.
Indirect codes typically require the user to use a proprietary app, since they are going to "decode" the QR Code to determine the destination, he says.
"Because of this fact, there is lots of opportunity for the app maker to put in measurement and tracking systems (which is their selling feature to marketers)," Kinnear said.
While tracking might occur and privacy concerns could arise, the silver lining, Kinnear said, is that in the pay model used by some indirect-QR-code users, there is less room for rogue players.
And not all is innocuous on the direct QR Code side either. Direct codes can use shortened URLs to take a user to an unknown website, confusing a user as to the true destination and possibly installing malware on his phone.
There will be security pitfalls to watch out for as the QR code world develops, say the experts, much as there were in the desktop Web browsing world before it.
"Unfortunately, this is a case of buyer beware," Armstrong said. "Being that this is a new territory, be suspicious of everything. If you are walking through town and see a QR code on a local real-estate office, there's a small chance of being infiltrated, but if you are visiting a Russian website, you have a much larger chance of being infected."
Kinnear echoed that advice.
"Similar to desktop security, users should always know what is being installed and when, and should try to determine the source so they can use only trusted sources," he said. "Understanding your device, the QR app, how it interacts with URLs, and how permissions are granted with your mobile OS are important."