QR codes need security revamp, says creator

Museums use them to bring their paintings to life. Restaurants put them on tables to help customers pay their bills quickly. Tesco even deployed them in subway stations to help create virtual stores. QR codes have been around since 1994, but their creator is worried. They need a security update, he says.

Engineer Masahiro Hara dreamed up the matrix-style barcode design for use in Japanese automobile manufacturing, but, as many technologies do, it took off as people began using it in ways he hadn’t imagined. His employer, Denso, made the design available for free. Now, people plaster QR codes on everything from posters to login confirmation screens.

If you thought QR codes were just a passing marketing gimmick, think again. They’re hugely popular in China, where people used them to make over $1.65 trillion in payments in 2016 alone, and Hong Kong too has just launched a QR code-based faster payments system.

The codes generated enough interest that Apple even began supporting them natively in iOS 11’s camera app, removing the need for third-party QR scanning apps.

Hara is a little spooked by all these new uses for a design that originally just helped with production control in manufacturing plants. In a Tokyo interview in early August, he reportedly said:

Now that it’s used for payments, I feel a sense of responsibility to make it more secure.

He’s right to be concerned. Attackers could compromise people in various ways using QR codes.

One example is QRLjacking. Listed as an attack vector by the Open Web Application Security Project (OWASP), this attack is possible when someone uses a QR code as a one-time password, displaying it on a screen. The organisation warns that an attacker could clone the QR code from a legitimate site to a phishing site and then send it to the victim.

Another worry is counterfeit QR codes. Criminals can place their own QR codes over legitimate ones. Instead of directing the user’s smartphone to the intended marketing or special offer page, the fake code could take users to phishing websites or those that then deliver JavaScript-based malware.

They could also exploit the growing use of QR codes for payments. A fraudster could replace a QR code taking people to a legitimate payment address with their own fake payment URL.

There have already been some proposals for security measures in QR codes, as laid out in an MIT course document by researchers there. One suggestion uses encryption to stop a third-party from snooping and cloning QR codes used for logging people in. To do this, the online app would send an encrypted QR code to an already-logged in (and therefore trusted) mobile device. Only the logged-in device can decrypt the QR code, which it then displays for the second device to read. The QR code contains a URL which logs them into the app. There are also several encrypted QR code login systems now in production.

Another proposal embeds digital signature information into the code to confirm its authenticity but uses more of the code’s available space for the extra data.

These are all great ideas, and perhaps Hara has some more. But he’d better move fast. As QR codes catch on, the widely deployed design will become increasingly difficult to change.