Recently, I've seen QR codes on fliers for almost everything. Do malicious QR codes present any particular security risk? Should I warn our corporate smartphone users about them, or is there a way to disable corporate phones from being able to read them?
Quick Response (QR) codes are like barcodes and can have a URL embedded in the code. For those who aren't familiar with how QR codes work, each unique square symbol is made up of black and white markings and can be scanned by many smartphones or other digital readers to provide information or, in many cases, link to a website.
They have similar risks to URL-shortening services in that someone scanning a QR code doesn't necessarily know what website he or she may be directed to view. Some URL-shortening services include antimalware checks in the service or a preview of the destination website, but the applications that read QR codes don’t always offer the same options. Reports have surfaced recently regarding malicious QR codes. These codes, once scanned, direct visitors to a potentially malicious website that could install malware on an unsuspecting user's phone. David Rogers has a good blog post about QR code security issues and the risks associated with malicious QR codes.
To that end, it's not a bad idea to start thinking about QR code security best practices. To protect smartphone users, a few options are to use a client antimalware application (where possible), have smartphone users take advantage of the corporate Wi-Fi network and its standard network protections to block the malware, or use a QR reader application that checks URLs against blacklists of known malware-laden websites.
None of these methods, however, will stop a targeted attack using custom malware. There have been some advances in using virtual machines on smartphones, and smartphone users with high security requirements could have a disposable virtual machine that is reset back to a known good state periodically so that, should an infection occur, it won't persist for long and will be limited to the virtual machine sandbox. Using a virtual machine could allow high-risk users or special classes of users to use a QR reader application or other potentially high-risk smartphone applications in a virtual machine sandbox with a reduced risk. However, given the nascent state of this technology and the burden of managing it, if the risk posed by QR codes is deemed unacceptable in your organization, an established and well-communicated QR code security policy may be the best approach.
This was first published in January 2012
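The answer's third recommendation, a reader application that previews the destination and checks it against a list of known-bad hosts, is easy to prototype once the symbol has been decoded to text. The block below is an added example and is not code from the original column, its author or any QR reader product; it takes an already-decoded payload (decoding the image itself is left to the reader app) and returns a verdict of allow, warn or block together with a preview the user would see before anything is opened. It goes slightly beyond the text: besides the blocklist and URL-shortener cases, it handles the non-web payloads a flyer code can carry (Wi-Fi provisioning, `tel:`, `sms:`, `javascript:`) and the `https://trusted.name@real.host/` trick that hides the true destination. The blocklist, shortener list and sample payloads are all constructed for the example.

```python
"""Pre-flight check for a decoded QR payload: classify it, build a preview,
and decide allow / warn / block before the user's phone opens anything.
No network access is needed; all lookups are against local lists."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed lists for this example; a real deployment would feed them from
# a web-filtering or threat-intelligence source.
BLOCKLIST_HOSTS = {"malware.example", "payload.example.net"}
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}
WEB_SCHEMES = {"http", "https"}
DANGEROUS_SCHEMES = {"javascript", "data", "file", "intent"}
ACTION_RANK = {"allow": 0, "warn": 1, "block": 2}
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


@dataclass
class Verdict:
    payload: str
    kind: str = "text"        # text | wifi | url | other-scheme
    action: str = "allow"     # allow | warn | block (block outranks warn)
    preview: str = ""         # what the user sees before committing
    reasons: list = field(default_factory=list)

    def flag(self, action, reason):
        """Record a finding and raise the action if it is more severe."""
        if ACTION_RANK[action] > ACTION_RANK[self.action]:
            self.action = action
        self.reasons.append(reason)


def _in_list(host, hosts):
    # Match the host itself or any subdomain of a listed host.
    return any(host == h or host.endswith("." + h) for h in hosts)


def check_payload(payload, blocklist=BLOCKLIST_HOSTS, shorteners=SHORTENER_HOSTS):
    """Return a Verdict for an already-decoded QR payload string."""
    payload = payload.strip()
    v = Verdict(payload=payload, preview=payload[:60])

    if payload.upper().startswith("WIFI:"):
        v.kind = "wifi"
        v.flag("warn", "Wi-Fi provisioning code: scanning joins a network, not a website")
        return v

    m = SCHEME_RE.match(payload)
    if not m:
        return v                       # plain text (a table number, a serial): nothing to open
    scheme = m.group(1).lower()        # alphanumeric-mode symbols are often all upper-case

    if scheme not in WEB_SCHEMES:
        v.kind = "other-scheme"
        if scheme in DANGEROUS_SCHEMES:
            v.flag("block", f"{scheme}: scheme is never a legitimate flyer link")
        else:
            v.flag("warn", f"{scheme}: opens a non-browser handler (dialer, SMS, mail, app store)")
        return v

    v.kind = "url"
    try:
        parts = urlsplit(payload)
    except ValueError:
        v.flag("block", "unparseable URL")
        return v
    host = parts.hostname                      # already lower-cased, brackets stripped
    if parts.username is not None or parts.password is not None:
        # https://bank.example@evil.example/ shows a trusted name but goes to evil.example
        v.flag("block", "user-info before '@' disguises the real host")
    if not host:
        v.flag("block", "no hostname in URL")
        return v
    if _in_list(host, blocklist):
        v.flag("block", f"{host} is on the malware blocklist")
    if _in_list(host, shorteners):
        v.flag("warn", f"{host} is a URL shortener; the real destination is hidden")
    try:
        ip_address(host)
        v.flag("warn", "destination is a bare IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        v.flag("warn", "internationalized hostname (punycode); check for look-alike characters")
    if scheme == "http":
        v.flag("warn", "cleartext HTTP; the page can be altered in transit")

    path = parts.path or "/"
    truncated = len(path) > 40 or bool(parts.query)
    v.preview = f"{scheme}://{host}{path[:40]}" + ("..." if truncated else "")
    return v


if __name__ == "__main__":
    # Constructed sample payloads, as a QR reader would hand them over after decoding.
    for sample in ["HTTPS://EXAMPLE.COM/Menu", "http://bit.ly/abc123",
                   "https://bank.example@malware.example/login", "javascript:alert(1)",
                   "tel:+15555550100", "WIFI:T:WPA;S:Lobby;P:secret;;", "Table 12"]:
        verdict = check_payload(sample)
        print(f"{verdict.action:5} {verdict.kind:12} {verdict.preview}  {verdict.reasons}")
```

The verdict is meant to drive the reader's user interface: "allow" shows the preview and lets the user tap through, "warn" shows the preview plus the reasons and requires an explicit confirmation, and "block" never hands the payload to the browser or another handler. Because the blocklist is only as good as its feed, the warn conditions (shorteners, bare IPs, punycode, cleartext) matter more for the targeted case the answer mentions, where the destination will not be on anyone's list yet.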