QR Codes: Trendy Marketing and Pwning Tool


I’ve been out at SXSW for the past few days, and QR codes abound. Every telephone pole is papered with them, people walking on the street have QR codes on their shirts, with clever text below it prompting you to scan them.

I’m a big fan of the idea of QR codes – the ability to store text and even binary data in something that is small and portable is a great concept. However, while QR codes are popular in Asia, they’ve taken a lot longer to gain any momentum in the United States. That said, there are over 50 free apps in the US iTunes app store that act as QR code readers.

That’s not actually why I have a problem with QR codes though. My problem is with the fact that people – otherwise reasonably savvy, smart people – will blindly scan a QR code they find on a t-shirt, telephone pole or poster. People who know better than to open .exe or .vbs attachments in email have absolutely no hesitation in scanning a random QR code they find on the street using their (insecure, javascript-enabled) mobile device.

These QR codes can store any combination of letters, numbers or binary data. That’s part of what makes them great. That’s also part of what makes them dangerous.

QR code data capacity (maximum, by encoding mode):

    Numeric only     Max. 7,089 characters
    Alphanumeric     Max. 4,296 characters
    Binary (8-bit)   Max. 2,953 bytes
    Kanji/Kana       Max. 1,817 characters

I think my point will be best illustrated by a scenario.

Imagine I’m a bad guy (tough stretch, right?) and I buy the domain name totallylegitimatewebsite.com and set up a malware payload, a phishing site, goatse, child porn, or another nefarious thing that will give you a virus, trick you into giving out your financial information, or some other horrible thing that will make baby Jesus cry.


Then I make up t-shirts with a QR code on the boob, with saucy text on the shirt encouraging passers-by to “scan for a good time”, or with the promise of a free iPad 2. Oh hell, let’s make it an iPad 3, because that’s how fucking awesome I am.

I pay a hot college girl some pathetically small amount (in cash) and tell her to walk around and be sexy. (Hell, I could probably get her to do it for free with the promise that it will help her acting career or some other bullshit.)

I may even use my home printer to print up a few hundred flyers to put up in the area.

I then go to a trendy, tech savvy place like SXSW, where all 10,000 attendees know what a QR code is and how to decode them.

Then I combine this kind of drive-by attack with some of the more clever phishing scams we’ve seen lately, for example the iPhone SSL spoofing that Nitesh Dhanjani posts about, which uses plain images and social engineering to trick users into thinking they’re entering credentials into a legitimate, secure site.

iPhone SSL Spoofing

The issue is that if and when QR codes become commonplace enough that the average Joe knows what they are and doesn’t think twice about blindly scanning them, they become more and more attractive as an opportunity to do bad things. The code is opaque to a human; the reader app decides what happens with the decoded payload, and today that decision is usually “open it”.
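The defensive counterpart to the scenario above is a reader that triages the decoded payload before dispatching it. The following is an added example, not code from the original post or from any real QR reader app; the scheme lists, risk flags and verdicts are an assumed policy, and the sample payloads are constructed. It takes what a decoder hands back (a string, or raw bytes for binary-mode codes, per the capacity table), classifies it, and for URIs reports the indicators a user should be shown before anything is opened.

```python
"""Triage a decoded QR payload before the device acts on it (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed policy: schemes a reader should never dispatch automatically.
BLOCKED_SCHEMES = {"javascript", "vbscript", "data", "file", "intent"}
# Assumed policy: schemes that cause a side effect (call, text, app store) rather
# than a page view, so they always need an explicit confirmation.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "market"}

# A URI is "scheme:" followed immediately by a non-space character.
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:(?=\S)")


def decode_payload(raw):
    """Normalise decoder output. Binary-mode codes arrive as bytes; anything
    that is not valid UTF-8 is reported as 'binary' (hex) rather than text."""
    if isinstance(raw, bytes):
        try:
            return ("text", raw.decode("utf-8"))
        except UnicodeDecodeError:
            return ("binary", raw.hex())
    return ("text", raw)


def classify(text):
    """Broad content type: 'structured' (vCard/MeCard/Wi-Fi), 'uri' or 'text'."""
    t = text.strip()
    if t.upper().startswith(("BEGIN:VCARD", "MECARD:", "WIFI:")):
        return "structured"          # checked first: these also look like "scheme:"
    if _SCHEME_RE.match(t):
        return "uri"
    return "text"


def uri_flags(uri):
    """Risk indicators for a URI payload, in a fixed order."""
    flags = []
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    host = parts.hostname or ""      # urlsplit lowercases and strips IPv6 brackets
    if scheme in BLOCKED_SCHEMES:
        flags.append("blocked-scheme")
    elif scheme in ACTION_SCHEMES:
        flags.append("action-scheme")
    elif scheme == "http":
        flags.append("cleartext-http")
    elif scheme != "https":
        flags.append("unknown-scheme")
    if parts.username is not None:   # user:pass@host is a classic spoofing trick
        flags.append("embedded-credentials")
    if host:
        try:
            ipaddress.ip_address(host)
            flags.append("ip-literal-host")
        except ValueError:
            pass
        if any(label.startswith("xn--") for label in host.split(".")):
            flags.append("punycode-host")
        if not host.isascii():
            flags.append("non-ascii-host")
    if len(uri) > 512:
        flags.append("overlong")
    return flags


def triage(raw):
    """Return {'kind', 'flags', 'verdict'}; verdict is 'block', 'confirm' or 'show'.
    Plain text is merely shown; any URI or structured record needs confirmation;
    blocked schemes and undecodable bytes are never dispatched."""
    kind, text = decode_payload(raw)
    if kind == "binary":
        return {"kind": "binary", "flags": ["undecodable-bytes"], "verdict": "block"}
    ctype = classify(text)
    flags = uri_flags(text) if ctype == "uri" else []
    if "blocked-scheme" in flags:
        verdict = "block"
    elif flags or ctype != "text":
        verdict = "confirm"
    else:
        verdict = "show"
    return {"kind": ctype, "flags": flags, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample payloads, as a decoder would return them.
    for sample in ["https://example.com/promo", "javascript:alert(1)",
                   "http://user:pw@192.168.0.1/login", "WIFI:T:WPA;S:FreeNet;P:pw;;",
                   "Scan me for a good time", b"\xff\xfe\x00"]:
        print(repr(sample), "->", triage(sample))
```

The point of the design is that the verdict never depends on trusting the poster: an https URL with no flags is still only "confirm", because the user must see the host before the browser visits it, while plain text gets "show" since displaying it has no side effect.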

  • For “dangerous QR codes”, I don’t think any can beat some I’ve seen: one smallish one (less than 2 inches per side) on the roof of a driving instructor’s car on the “middle of the road” side of the car, and a 1-inch-square one on an advertising hoarding on the opposite side of the tracks on a station platform.