Recently, I've seen QR codes on fliers for almost everything. Do malicious QR codes present any particular security...
risk? Should I warn our corporate smartphone users about them, or is there a way to disable corporate phones from being able to read them?
Quick Response (QR) codes are like barcodes and can have URL embedded in the code. For those who aren't familiar with how QR codes work, each unique square symbol is comprised of black and white markings and can be scanned by many smartphones or other digital readers to provide information or, in many cases, link to a website.
They have similar risks to URL-shortening services in that someone scanning a QR code doesn't necessarily know what website he or she may be directed to view. Some URL-shortening services include antimalware checks in the service or a preview of the destination website, but the applications that read QR codes don’t always offer the same options. Reports have surfaced recently regarding malicious QR codes. These codes, once scanned, direct visitors to a potentially malicious website that could install malware on an unsuspecting user's phone. David Rogers has a good blog post about QR code security issues and the risks associated with malicious QR codes.
To that end, it's not a bad idea to start thinking about QR code security best practices. To protect smartphone users, a few options are to use a client antimalware application (where possible), have smartphone users take advantage of the corporate Wi-Fi network and its standard network protections to block the malware, or use a QR reader application that checks URLs against blacklists of known malware-laden websites.
None of these methods, however, will stop a targeted attack using custom malware. There have been some advances in using virtual machines on smartphones, and smartphone users with high security requirements could have a disposable virtual machine that is reset back to a known good state periodically so that, should an infection occur, it won't persist for long and will be limited to the virtual machine sandbox. Using a virtual machine could allow high-risk users or special classes of users to use a QR reader application or other potentially high-risk smartphone applications in a virtual machine sandbox with a reduced risk. However, given the nascent state of this technology and the burden of managing it, if the risk posed by QR codes is deemed unacceptable in your organization, an established and well-communicated QR code security policy may be the best approach.
Related Q&A from Nick Lewis, Enterprise Threats
Chameleon malware targets insecure wireless access points. Enterprise threats expert Nick Lewis explains how to defend against the malware.continue reading
The Zeus malware is threatening RTF security by embedding itself in the file, which is commonly seen as safer than other file formats such as PDFs. ...continue reading
Enterprise threats expert Nick Lewis explains how to detect and avoid one of the most advanced malware threats: The Mask.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.