Recently, I've seen QR codes on fliers for almost everything. Do malicious QR codes present any particular security...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
risk? Should I warn our corporate smartphone users about them, or is there a way to disable corporate phones from being able to read them?
Quick Response (QR) codes are like barcodes and can have URL embedded in the code. For those who aren't familiar with how QR codes work, each unique square symbol is comprised of black and white markings and can be scanned by many smartphones or other digital readers to provide information or, in many cases, link to a website.
They have similar risks to URL-shortening services in that someone scanning a QR code doesn't necessarily know what website he or she may be directed to view. Some URL-shortening services include antimalware checks in the service or a preview of the destination website, but the applications that read QR codes don’t always offer the same options. Reports have surfaced recently regarding malicious QR codes. These codes, once scanned, direct visitors to a potentially malicious website that could install malware on an unsuspecting user's phone. David Rogers has a good blog post about QR code security issues and the risks associated with malicious QR codes.
To that end, it's not a bad idea to start thinking about QR code security best practices. To protect smartphone users, a few options are to use a client antimalware application (where possible), have smartphone users take advantage of the corporate Wi-Fi network and its standard network protections to block the malware, or use a QR reader application that checks URLs against blacklists of known malware-laden websites.
None of these methods, however, will stop a targeted attack using custom malware. There have been some advances in using virtual machines on smartphones, and smartphone users with high security requirements could have a disposable virtual machine that is reset back to a known good state periodically so that, should an infection occur, it won't persist for long and will be limited to the virtual machine sandbox. Using a virtual machine could allow high-risk users or special classes of users to use a QR reader application or other potentially high-risk smartphone applications in a virtual machine sandbox with a reduced risk. However, given the nascent state of this technology and the burden of managing it, if the risk posed by QR codes is deemed unacceptable in your organization, an established and well-communicated QR code security policy may be the best approach.
Dig Deeper on Wireless LAN Design and Setup
Related Q&A from Nick Lewis
An HTTPS session with a reused nonce is vulnerable to the Forbidden attack. Expert Nick Lewis explains how the attack works, and how to properly ...continue reading
The Irongate malware has been discovered to have similar functionality to Stuxnet. Expert Nick Lewis explains how enterprises can protect their ICS ...continue reading
APT groups have been continuously exploiting a flaw in Microsoft Office, despite it having been patched. Expert Nick Lewis explains how these attacks...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.