[Updated Oct 22, 2022. There are some new dangers since I wrote this article. See below]
As of 9am this morning, I’ve seen one too many hair-on-fire “beware QR code” articles. I’m getting really tired of reading breathless, click-bait headlines extolling the dangers of these glorified bar codes. I need to set the record straight. It’s time to demystify these scary square symbols and debunk their mystical powers.
What is a QR Code
First, “QR” stands for “quick response”. These funky codes were invented way back in the 1990s, believe it or not. But QR codes didn’t get really useful or popular until we all carried around smartphones with built-in cameras. QR codes are essentially 2-dimensional bar codes that can be scanned from any angle. They can hold a lot more information than the older UPC bar codes like you see on most grocery product boxes (which was originally patented in the 1950s).
QR codes plus smartphones basically solved a marketing problem: how can I create an internet link on a piece of paper that people can “click”. It’s a clever way to connect something in the real world to something in the virtual world. You’ll see them on posters, billboards and business cards. But they became even more popular in restaurants during the pandemic, directing people to a web version of their menu instead of passing around virus-riddled physical menus. (If you have never scanned a QR code, you can learn how here: iOS/Android.)
QR Codes Are Just Web Links
Can scanning a QR code cause bad things to happen? Sure. So can blindly clicking on any link, button or image from an email or on a website. But the QR code itself is just a mechanism to direct you to a website. That’s it. That’s all it is. It’s a web link. Yes, it’s an obfuscated web link – you can’t tell where it will take you just by looking at it. But I got news for ya… you can’t look at regular web links and tell where they’ll take you, either. Look at the link below.
Now hover over that link with your mouse to see the actual link. Or just click it. It’s okay.
But even hovering over links won’t always give you the truth. There are tricky ways to fake that out, including URL shortening services like bitly. Google (and other search engines) take this to crazy levels by actually replacing the URL as you click on it in search results to quickly redirect you through a tracking site first. So basically, you can’t trust any link, really. And QR codes are just funky web links.
QR Codes Don’t Contain Malware (Yet)
Mostly. Sigh. Okay, it’s actually not that simple – because of course it’s not.
QR codes are unbelievably versatile. You can use a QR code to convey contact information, WiFi passwords, phone numbers, and even just plain text – like the one in this article (have you scanned that code yet?). You can easily create them yourself using one of dozens of free online QR code generators (links removed – see update below). I use a laminated QR code to give out the WiFi password to my guest network. It’s very handy.
But – at least for now – QR codes themselves do not contain malware. I have no doubt that some plucky software engineer will propose updating the QR code spec to include computer code that you can directly run on your phone. And that engineer should be ritually shamed and summarily fired because that’s a singularly horrible idea.
QR Code Scams
So, is it safe to scan QR codes or not? Well, they’re no more dangerous than clicking on any other link. But because people don’t understand them very well, you can argue that people might be less careful about scanning codes than clicking links. That’s what I’m trying to address with this article.
Question the source of any QR code before you scan it. Spare at least one second to consider whether someone could have slipped you a fake code. And yes – like any link, it can be used to track you. Often, that tracking is just a way to collect analytics for marketing stats.
Be particularly careful with scanning QR codes for buying things, sending money, downloading apps, or that take you to any site where you need to log in. Again – like any link – it can be used for phishing scams.
The bottom line is: QR codes themselves are not inherently, magically dangerous. But like any web link, they can be used to track you and/or direct you to bad destinations.
Fun with URIs and Bar Codes
In the spirit of Halloween, let me follow the trick with a treat.
You might be interested to know that regular web links (like QR codes) can do more than just take you to websites. The technical name for a “web link” is a Uniform Resource Locator (which is actually a subset of the more generic Uniform Resource Identifier). Website link URL’s begin with “http” or “https”, but there are other types of URL “schemes”. They have prefixes that can be used to send an email (“mailto”), open a local file (“file”), download a file from the internet (“ftp”) or call a telephone number (“tel”). And there are many, many more.
Here’s a really fun, random tidbit for you. Back in the heady internet bubble days (and before smartphones), some enterprising company came up with another solution to the problem of linking the real world with the internet. They produced a bar code scanner for home use called a CueCat that allowed people to scan a bar code in a magazine ad (for example) that would take them to the corresponding website. It quickly went defunct. But you can still buy these funky little cat-shaped USB scanners on eBay for under $20. When you plug it into your computer, it appears to be a keyboard. You swipe the scanner over the code and it “types” the code into your computer. I bought one years ago and used it to scan my book library.
UPDATE: QR Code Generator Scams
Since I wrote this article, I became aware of a new angle on QR code scams: generator websites that charge you a subscription for your codes to continue working. (This article covers this and some other new dangers.) Because of course they would do this. QR codes are dirt simple to generate, but most people don’t have the resources to do it themselves. (I’ll show you how in a sec.) So tons of websites have popped up to help you create them… for “free”. But the QR code doesn’t route people directly to the URL you gave them, it inserts a redirect link, like bit.ly or similar. Whenever someone scans your code, they first go to the redirect site, and then to your intended destination. They have now made themselves a gatekeeper for your website. And at some point your QR code redirect will stop working and you’ll have to pay to get it working again. Can you imagine if you printed up 1000 business cards or 100 posters with this code and it suddenly stopped working unless you paid the extortion fee?
So, I would avoid free online code generator sites. There’s a really nice Mac app you can use called QR Factory, but it does costs money. You can also generate QR codes with a simple python script. And I hate to recommend Google for anything, but you can use Chrome to generate a QR code, too.
Need practical security tips?
Sign up to receive Carey's favorite security tips + the first chapter of his book, Firewalls Don't Stop Dragons.
Don't get caught with your drawbridge down!