Recently, I've seen QR codes on fliers for almost everything. Do malicious QR codes present any particular security risk? Should I warn our corporate smartphone users about them, or is there a way to disable corporate phones from being able to read them?
Quick Response (QR) codes are like barcodes and can have a URL embedded in the code. For those who aren't familiar with how QR codes work, each unique square symbol is composed of black and white markings and can be scanned by many smartphones or other digital readers to provide information or, in many cases, link to a website.
They have similar risks to URL-shortening services in that someone scanning a QR code doesn't necessarily know what website he or she may be directed to view. Some URL-shortening services include antimalware checks in the service or a preview of the destination website, but the applications that read QR codes don't always offer the same options. Reports have surfaced recently regarding malicious QR codes. These codes, once scanned, direct visitors to a potentially malicious website that could install malware on an unsuspecting user's phone. David Rogers has a good blog post about QR code security issues and the risks associated with malicious QR codes.
To that end, it's not a bad idea to start thinking about QR code security best practices. To protect smartphone users, a few options are to use a client antimalware application (where possible), have smartphone users take advantage of the corporate Wi-Fi network and its standard network protections to block the malware, or use a QR reader application that checks URLs against blacklists of known malware-laden websites.
None of these methods, however, will stop a targeted attack using custom malware. There have been some advances in using virtual machines on smartphones, and smartphone users with high security requirements could have a disposable virtual machine that is reset back to a known good state periodically so that, should an infection occur, it won't persist for long and will be limited to the virtual machine sandbox. Using a virtual machine could allow high-risk users or special classes of users to use a QR reader application or other potentially high-risk smartphone applications in a virtual machine sandbox with a reduced risk. However, given the nascent state of this technology and the burden of managing it, if the risk posed by QR codes is deemed unacceptable in your organization, an established and well-communicated QR code security policy may be the best approach.
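One way a QR reader could apply the checks the answer describes (a blocklist lookup on the embedded URL, plus a destination preview for shortened links and non-web payloads before anything is opened), written as an added Python example that is not part of the original answer; the blocklist and shortener entries are constructed placeholders, not real indicators.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample blocklist of "known malware-laden" hosts (placeholders).
BLOCKLIST = {"malware.example", "bad-downloads.example"}
# Constructed list of URL-shortener hosts whose real destination should be shown first.
SHORTENERS = {"short.example", "tiny.example"}


def _host_matches(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_qr_payload(payload, blocklist=BLOCKLIST, shorteners=SHORTENERS):
    """Classify the text decoded from a QR symbol before the reader acts on it.

    Returns (verdict, detail) where verdict is one of:
      "text"    - not a URL; display as plain text
      "block"   - host is on the blocklist; do not open
      "preview" - shortener, raw IP or non-web scheme; show destination, ask the user
      "open"    - ordinary http(s) URL whose host is not on the blocklist
    """
    parts = urlsplit(payload.strip())
    if not parts.scheme:
        return "text", payload
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # tel:, sms:, mailto:, intent: and similar trigger actions other than browsing.
        return "preview", f"non-web scheme {scheme}:"
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if not host:
        return "block", "URL without a host"
    if _host_matches(host, blocklist):
        return "block", host
    try:
        ipaddress.ip_address(host)  # succeeds only for a raw IP literal
        return "preview", f"raw IP address {host}"
    except ValueError:
        pass
    if _host_matches(host, shorteners):
        return "preview", f"shortened link via {host}"
    return "open", host
```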
Related Q&A from Nick Lewis