Connley Walker Security Consulting Blog: Read this before scanning your next QR code

You wouldn’t click on an unknown link, so why would you scan an unknown QR code?

Before we begin, it’s vital not to underestimate how helpful QR codes can be in tracking the spread of coronavirus outbreaks; however, there is little discussion over their integrity.

A QR code is a two-dimensional barcode that often contains a link to web applications. The QR code was invented by a Japanese automotive company in the early 1990s and has become a fundamental feature for many businesses.

Since the coronavirus outbreak began, nations have been trying to identify and implement the most effective method to track the movement of their people. The purpose of tracking was to quickly identify where and how coronavirus spreads using contact tracing. Many countries and states have adopted the QR code system for this purpose, encouraging people to scan the code with their mobile phones and sign in.

While the QR code system has been extremely useful in tracing the movement of coronavirus, questions have been raised concerning its vulnerabilities. For example, if a business could print a QR code, what would stop an adversary from fraudulently creating their own and replacing the business’s QR code with it?

At the moment, many QR codes are being attached to facility entry points with instructions for all visitors to scan the code and sign in. The major vulnerability in these situations is the QR code’s integrity, and whether security controls are in place to ensure that the code has not been replaced or replicated by an adversary.

If an adversary successfully replicated or created a QR code, that code could be used to conduct a man-in-the-middle attack and collect sensitive data from visitors. Although this is an unlikely attack, it is quite possible and easily executed.

There are a few ways to mitigate the risk of this occurring:

– Secure the area where the QR code is stored (e.g. keep the QR code inside)

– Ensure there is CCTV coverage of the QR code

– Encourage staff to look for suspicious behaviour.

QR codes are a great tool, especially in these times; however, before scanning your next QR code, look for any suspicious clues such as incorrect logos or colours.
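
As an added example (not part of the original post), the integrity of a posted code can also be checked on its content: staff periodically scan the code at the entry point and compare the decoded text with the check-in URL the business registered. The registered URL, the sample payloads and the function name `audit_payload` are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: the check-in URL the venue registered (hypothetical).
EXPECTED_URL = "https://checkin.example.gov.au/venue/12345"


def audit_payload(payload, expected=EXPECTED_URL):
    """Compare a decoded QR payload with the registered URL.

    Returns a list of findings; an empty list means the posted code matches.
    """
    try:
        got, want = urlsplit(payload.strip()), urlsplit(expected)
        got_port, want_port = got.port, want.port  # .port raises on junk ports
    except ValueError:
        return ["payload is not a well-formed URL"]

    findings = []
    if got.scheme != want.scheme:
        findings.append(f"scheme is {got.scheme!r}, expected {want.scheme!r}")
    if got.username is not None or got.password is not None:
        findings.append("URL carries userinfo before '@', which hides the real host")
    host = got.hostname or ""
    if host != want.hostname:
        findings.append(f"host is {host!r}, expected {want.hostname!r}")
    if not host.isascii() or "xn--" in host:
        findings.append("host uses non-ASCII or punycode labels (possible look-alike)")
    if got_port != want_port:
        findings.append("port differs from the registered URL")
    if (got.path.rstrip("/"), got.query) != (want.path.rstrip("/"), want.query):
        findings.append("path or query differs: code points at another venue or page")
    return findings


if __name__ == "__main__":
    # Constructed payloads, as a scanner app would hand them over after decoding.
    samples = [
        EXPECTED_URL,
        "http://checkin.example.gov.au/venue/12345",
        "https://checkin.example.gov.au.signin.example/venue/12345",
        "https://checkin.example.gov.au@signin.example/venue/12345",
        "https://checkin.example.gov.au/venue/99999",
    ]
    for s in samples:
        result = audit_payload(s)
        print("OK      " if not result else "REPLACED", s)
        for reason in result:
            print("         -", reason)
```

The comparison is exact on host and path rather than a substring match, because a replaced code only needs to contain the genuine host name somewhere in its URL to pass a casual glance.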

Connley Walker is an independent security consulting group with engineers specialising in physical and cyber security and risk management.

Copyright ©2023 Connley Walker Holdings Pty Ltd. All Rights Reserved.
