Skip to main content

QR Code Security: What are QR codes and are they safe to use?

QR Code Security: What are QR codes and are they safe to use?

QR code definition and meaning

QR stands for "Quick Response."

While they may look simple, QR codes are capable of storing lots of data. But no matter how much they contain, when scanned, the QR code should allow the user to access information instantly – hence why it’s called a Quick Response code.

What are QR codes?

A QR code is a type of barcode that can be read easily by a digital device and which stores information as a series of pixels in a square-shaped grid. QR codes are frequently used to track information about products in a supply chain and – because many smartphones have built-in QR readers – they are often used in marketing and advertising campaigns. More recently, they have played a key role in helping to trace coronavirus exposure and slow the spread of the virus.

Check out this video on YouTube how to recognize malicious QR codes and protect yourself:

The first QR code system was invented in 1994 by the Japanese company Denso Wave, a Toyota subsidiary. They needed a more accurate way to track vehicles and parts during the manufacturing process. To achieve this, they developed a type of barcode that could encode kanji, kana, and alphanumeric characters.

Standard barcodes can only be read in one direction – top to bottom. That means they can only store a small amount of information, usually in an alphanumeric format. But a QR code is read in two directions – top to bottom and right to left. This allows it to house significantly more data.

The data stored in a QR code can include website URLs, phone numbers, or up to 4,000 characters of text. QR codes can also be used to:

  • Link directly to download an app on the Apple App Store or Google Play.
  • Authenticate online accounts and verify login details.
  • Access Wi-Fi by storing encryption details such as SSID, password, and encryption type.
  • Send and receive payment information.
  • And much more – a company in the UK called QR Memories even creates QR codes for use on gravestones, allowing people to scan the code to read more about that deceased person’s life (if they have an obituary or news story relating to them online).

The development team behind the QR code wanted to make the code easy to scan so that operatives did not waste time getting it at the right angle. They also wanted it to have a distinctive design to make it easy to identify. This led them to choose the iconic square shape that is still used today.

Denso Wave made their QR code publicly available and declared they would not exercise their patent rights. This meant anyone could make and use QR codes.

Initial uptake of the idea was slow; however, in 2002, the first mobile phones containing built-in QR readers were marketed in Japan. The use of smartphones led to an increase in the number of companies using QR codes.

In 2020, Denso Wave continued to improve on their original design. Their new QR codes include traceability, brand protection, and anti-forgery measures. There are many new uses for the QR code, from transferring payments to determining objects' positions within augmented reality.

How do I scan QR codes?

Most smartphones have built-in QR scanners, which are sometimes built in the camera. A QR scanner is simply a way to scan QR codes.

Some tablets, such as the Apple iPad, have QR readers built into their cameras.

Some older devices may require a particular app to read QR codes – these apps are readily available on the Apple App Store and Google Play.

Scanning a QR code using your device is straightforward:

  1. Open the QR reader application or the camera on your smartphone.
  2. Point it at the QR code – you should be able to point your camera from any angle and still receive the necessary information.
  3. The data will be instantly shown on screen – for instance, if the QR code contains contact details, your phone should instantly download these.

Are QR codes safe?

Attackers can embed malicious URLs containing custom malware into a QR code which could then exfiltrate data from a mobile device when scanned. It is also possible to embed a malicious URL into a QR code that directs to a phishing site, where unsuspecting users could disclose personal or financial information.

Because humans cannot read QR codes, it is easy for attackers to alter a QR code to point to an alternative resource without being detected. While many people are aware that QR codes can open a URL, they can be less aware of the other actions that QR codes can initiate on a user’s device. Aside from opening a website, these actions can include adding contacts or composing emails. This element of surprise can make QR code security threats especially problematic.

A typical attack involves placing malicious QR codes in public, sometimes covering up legitimate QR codes. Unsuspecting users who scan the code are taken to a malicious web page which could host an exploit kit, leading to device compromise or a spoofed login page to steal user credentials. Some websites do drive-by downloads, so simply visiting the site can initiate a malicious software download.

Mobile devices, in general, tend to be less secure than computers or laptops. Since QR codes are used on mobile devices, this increases the potential risks.

Do QR codes collect my personal information and data?

QR code-generating software does not collect personally identifiable information.

The data it does collect – and which is visible to the code’s creators – includes location, the number of times the code has been scanned and at what times, plus the operating system of the device which scanned the code (i.e., iPhone or Android).

Can someone hack a QR code?

The QR codes themselves can’t be hacked – the security risks associated with QR codes derive from the destination of QR codes rather than the codes themselves.

Hackers can create malicious QR codes which send users to fake websites that capture their personal data such as login credentials or even track their geolocation on their phone.

This is why mobile users should only scan codes that come from a trusted sender.

How do QR codes work?

The patterns within QR codes represent binary codes that can be interpreted to reveal the code's data.

A QR reader can identify a standard QR code based on the three large squares outside the QR code. Once it has identified these three shapes, it knows that everything contained inside the square is a QR code.

The QR reader then analyzes the QR code by breaking the whole thing down to a grid. It looks at the individual grid squares and assigns each one a value based on whether it is black or white. It then groups grid squares to create larger patterns.

QR code on mobile

What are the parts of a QR code?

A standard QR code is identifiable based on six components:

  1. Quiet Zone - This is the empty white border around the outside of a QR code. Without this border, a QR reader will not be able to determine what is and is not contained within the QR code (due to interference from outside elements).
  2. Finder pattern - QR codes usually contain three black squares in the bottom left, top left, and top right corners. These squares tell a QR reader that it is looking at a QR code and where the outside boundaries of the code lie.
  3. Alignment pattern - This is another smaller square contained somewhere near the bottom right corner. It ensures that the QR code can be read, even if it is skewed or at an angle.
  4. Timing pattern - This is an L-shaped line that runs between the three squares in the finder pattern. The timing pattern helps the reader identify individual squares within the whole code and makes it possible for a damaged QR code to be read.
  5. Version information - This is a small field of information contained near the top–right finder pattern cell. This identifies which version of the QR code is being read (see “Types of QR code” below).
  6. Data cells - The rest of the QR code communicates the actual information, i.e., the URL, phone number, or message it contains.

how to use QR codes

Do QR codes collect my personal information and data?

QR code-generating software does not collect personally identifiable information.

The data it does collect – and which is visible to the code’s creators – includes location, the number of times the code has been scanned and at what times, plus the operating system of the device which scanned the code (i.e., iPhone or Android).

Types of QR code

QR codes can be used for multiple purposes, but there are four widely accepted versions of QR codes. The version used determines how data can be stored and is called the "input mode." It can be either numeric, alphanumeric, binary, or kanji. The type of mode is communicated via the version information field in the QR code.

  1. Numeric mode - This is for decimal digits 0 through 9. Numeric mode is the most effective storage mode, with up to 7,089 characters available.
  2. Alphanumeric mode - This is for decimal digitals 0 through 9, plus uppercase letters A through Z, and symbols $, %, *, +, –, ., /, and : as well as a space. It allows up to 4,296 characters to be stored.
  3. Byte mode- This is for characters from the ISO–8859–1 character set. It allows 2,953 characters to be stored.
  4. Kanji mode - This is for double–byte characters from the Shift JIS character set and used to encode characters in Japanese. This is the original mode, first developed by Denso Wave. However, it has since become the least effective, with only 1,817 characters available for storage. A second kanji mode called Extended Channel Interpretation (ECI) mode can specify the kanji character set UTF–8. However, some newer QR code readers will not be able to read this character set.

There are two additional modes which are modifications of the other types:

  • Structured Append mode - This encodes data across multiple QR codes, allowing up to 16 QR codes to be read simultaneously.
  • FNC1 mode - This allows a QR code to function as a GS1 barcode.

NOTE: A QR code can use multiple modes, so long as each QR code contains the correct version information field.

paying with QR codes

What are the different styles of QR code?

It is possible to create QR codes in many different shapes and styles, but five types are most commonly found. They all do the same job – they just look slightly different.

1. QR code - This is the original version of the QR code created by Denso Wave in the 1990s. It's easy to identify by its three finder patterns in the bottom–left, top–left, and top–right corners.

2. Aztec code - While it looks similar to a QR code, the Aztec code, developed by Welch Allyn, contains only one finder pattern, right in the middle.

An Aztec code linking to kaspersky.com

3. Maxi code - This type of QR code is used by the United States postal service. It's similar to the Aztec code in that it places the finder pattern in the middle, but it uses a honeycomb pattern instead of squares.

A Maxicode linking to kaspersky.com

4. PDF417 - Invented in 1991 by Ynjiun Wang of Symbol Technologies, the oddly named PDF417 predates the QR code by three years. It looks like a mix between a QR code and a barcode and is easily recognizable by its rectangular shape.

A PDF417 linking to kaspersky.com

5. Semacode - Developed by a software company of the same name, the Semacode is a data matrix that looks a lot like an ordinary QR code but doesn’t have recognizable finder patterns.

A Semacode linking to kaspersky.com

QR code use examples

QR codes are used in numerous contexts – for example:

QR codes in sales and marketing

Many advertisers use QR codes in their campaigns because it provides a faster and more intuitive way to direct people to websites than by entering URLs manually.

They can also be used to link directly to product pages online. For instance, if you were searching for the exact dress a model was wearing in a poster, a QR code could directly take you to the web page where you could purchase it.

QR codes for coronavirus tracing

The coronavirus pandemic has supercharged the use of QR codes. For example, in the UK, visitors to hospitality venues such as bars and restaurants are invited to scan a QR code upon arrival using the NHS Covid-19 tracing app. This is to help trace and stop the spread of the virus. If someone tests positive for Covid-19 at that venue, other visitors to the location are alerted by an app, thanks to the data accumulated from QR code scans.

QR codes on product packaging

You may also find QR codes on the packaging for some of your favorite products. These QR codes can reveal information about the product, such as nutritional information or special offers you can use next time you make a purchase.

QR codes in industry

QR codes were initially invented to help track parts in vehicle manufacturing, and they are still used throughout the manufacturing industry. You'll also find QR codes used by other businesses that need to keep a close eye on products and supplies, such as the construction, engineering, and retail industries.

QR codes in postal services

Postal services around the world also use them. Because they can contain a large amount of information, they are often relied upon to track parcels. For example, global fashion brand ASOS have moved entirely to QR codes for tracking refunds.

QR codes in education

QR codes are also used in schools and colleges to help engage with students. They have appeared everywhere, from the classroom to the library, for tasks such as helping students find the books they are searching for.

QR code use and definition

How can I increase QR code security?

There’s no telling where and when you might come across a malicious QR code. That’s why it is essential to use a QR Scanner you know you can trust and not download a random one from the app store or online.

Kaspersky QR Scanner instantly checks that a scanned link is safe before submitting any information to you.

The scanner provides QR code authentication and alerts you to potential dangers behind a QR code, such as:

  1. A phishing scam
  2. A forced app download or premium text message scam
  3. Dangerous links

Kaspersky QR Scanner still provides everything you need from a QR Scanner, such as adding contacts to your phone. It also creates a log of past scans so that, if necessary, you can trace back to see when and where you may have been compromised.

Related Articles and Products:

QR Code Security: What are QR codes and are they safe to use?

What are QR codes and are they safe to use? A QR code is a type of barcode that can be easily read by a digital device. Learn about QR code security today.
Kaspersky logo

Related articles