Recently, I've seen QR codes on fliers for almost everything. Do malicious QR codes present any particular security risk? Should I warn our corporate smartphone users about them, or is there a way to disable corporate phones from being able to read them?
Quick Response (QR) codes are like barcodes and can have a URL embedded in the code. For those who aren't familiar with how QR codes work, each unique square symbol consists of black and white markings and can be scanned by many smartphones or other digital readers to provide information or, in many cases, link to a website.
They have similar risks to URL-shortening services in that someone scanning a QR code doesn't necessarily know what website he or she may be directed to view. Some URL-shortening services include antimalware checks in the service or a preview of the destination website, but the applications that read QR codes don’t always offer the same options. Reports have surfaced recently regarding malicious QR codes. These codes, once scanned, direct visitors to a potentially malicious website that could install malware on an unsuspecting user's phone. David Rogers has a good blog post about QR code security issues and the risks associated with malicious QR codes.
To that end, it's not a bad idea to start thinking about QR code security best practices. To protect smartphone users, a few options are to use a client antimalware application where possible, to have smartphone users route traffic through the corporate Wi-Fi network so that its standard network protections can block the malicious site, or to use a QR reader application that checks decoded URLs against blacklists of known malware-hosting websites.
None of these methods, however, will stop a targeted attack using custom malware. There have been some advances in running virtual machines on smartphones, and users with high security requirements could be given a disposable virtual machine that is periodically reset to a known good state, so that should an infection occur it won't persist for long and will be confined to the virtual machine sandbox. That would let high-risk users or special classes of users run a QR reader or other potentially high-risk smartphone applications at reduced risk. However, given the nascent state of this technology and the burden of managing it, if the risk posed by QR codes is deemed unacceptable in your organization, an established and well-communicated QR code security policy may be the best approach.
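As an added illustration, not code from the original column or from its author: the kind of check a QR reader could run on a decoded payload before the phone opens it, covering the blacklist lookup and the "where does this actually go?" preview concern discussed in the answer. The blocklist, the shortener list, the blocked and hand-off scheme sets and the sample payloads are constructed for this example; a production reader would use a live threat feed and the Public Suffix List rather than the fixed sets and two-label domain heuristic here.

```python
"""Screen the text decoded from a QR code before the phone acts on it.

Added example (not code from the original column or its author). A QR
reader turns the printed symbol into a string; this is a check such a
reader could run on that string before opening it. The blocklist,
shortener list and sample payloads below are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

SEVERITY = {"allow": 0, "warn": 1, "block": 2}

# Schemes with no legitimate use on a printed flier (constructed set).
BLOCKED_SCHEMES = {"javascript", "data", "file", "vbscript"}

# Schemes that hand off to another app (dialer, SMS, app store) with no page preview.
HANDOFF_SCHEMES = {"tel", "sms", "smsto", "mailto", "intent", "market"}

# Constructed: shorteners hide the destination until the redirect is followed.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}

# Constructed stand-in for a feed of known malware-hosting domains.
BLOCKLIST = {"malware-example.test", "evil.example"}


def registered_domain(host):
    """Last two labels of a host name. Adequate for the constructed data
    here; a real reader should consult the Public Suffix List instead."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def screen_payload(payload, blocklist=BLOCKLIST):
    """Return (action, reasons, host) for a decoded QR payload.

    action is "allow", "warn" (show the destination and ask before opening)
    or "block" (refuse to open). reasons explains the decision to the user.
    """
    findings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if not scheme:
        # Plain text (ticket number, serial, table number): display only.
        return "allow", ["not a URL; display as text"], ""
    if scheme in BLOCKED_SCHEMES:
        return "block", [f"scheme '{scheme}:' has no legitimate QR use"], ""
    if scheme in HANDOFF_SCHEMES:
        return "warn", [f"'{scheme}:' hands off to another app with no preview"], ""
    if scheme not in ("http", "https"):
        return "warn", [f"unrecognised scheme '{scheme}:'"], ""
    if not host:
        return "block", ["web URL without a host"], ""

    if parts.username is not None or parts.password is not None:
        # https://bank.example@evil.example/ shows 'bank.example' first on a
        # small screen; the real destination is the host after the '@'.
        findings.append(("block", f"userinfo before host; real destination is {host}"))
    if host in blocklist or registered_domain(host) in blocklist:
        findings.append(("block", "host is on the malware blocklist"))
    if host in SHORTENER_HOSTS:
        findings.append(("warn", "URL shortener; destination unknown until followed"))
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append(("warn", "internationalised host name; check for look-alike characters"))
    try:
        ipaddress.ip_address(host)
        findings.append(("warn", "bare IP address instead of a domain name"))
    except ValueError:
        pass
    if scheme == "http":
        findings.append(("warn", "cleartext http; content can be altered in transit"))

    if not findings:
        return "allow", [], host
    action = max((a for a, _ in findings), key=SEVERITY.__getitem__)
    return action, [r for _, r in findings], host


if __name__ == "__main__":
    # Constructed payloads of the kind a reader app would decode from a flier.
    for sample in [
        "Table 12",
        "https://www.example.com/menu",
        "https://bit.ly/3xyz",
        "http://bank.example@evil.example/login",
        "https://cdn.malware-example.test/update.apk",
        "javascript:alert(1)",
        "tel:+15555550100",
    ]:
        action, reasons, host = screen_payload(sample)
        print(f"{action:5}  {sample}  {'; '.join(reasons)}")
```

The severity ordering matters: a payload can trip several checks at once (the userinfo sample above is also on the blocklist and uses cleartext http), and the worst finding decides the action while all reasons are kept so the reader app can show the user why it refused.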
Related Q&A from Nick Lewis