QR code security in the physical and digital world


With the pandemic-driven proliferation of QR codes throughout day-to-day life in Western countries, including in sensitive applications like accessing medical records, cyber threat actors have predictably started to take advantage of the QR code scanning process. A wave of QR-related phishing attacks hit over the summer of 2022, with a good amount of media coverage following each detected instance. In these attacks, the threat actors deployed QR codes encoding links to phishing sites both in physical spaces and in the usual digital spaces like emails, simply by replacing traditional links with QR-encoded links. While the expansion of phishing into the physical realm is truly frightening, these incidents have formed an unfortunate, misleading association between “QR codes” and “phishing”. Phishing attacks involving QR codes are a genuine threat, but QR codes themselves are slightly more phishing-resistant than traditional links in terms of detectability by users. More importantly, their ability to assist in establishing encrypted channels between two devices presents exciting new use cases for secure data transfer with no manual setup, which we here at Keyri enable.

The digital structure of a QR code phishing attack is no different from that of a regular phishing attack. In a regular phishing attack, the bad actor gives the victim a link to click or tap that leads to a phishing site, which either drops malware when visited or, more typically, presents a form that harvests credentials and other sensitive information. A QR phishing attack encodes the same link in a scannable code format that the victim usually visits on their smartphone. These QR phishing links are more easily detectable visually than regular links: rather than having to read the URL while hovering over it (desktop) or only after visiting the malicious URL (mobile), the user sees the domain displayed atop the QR code in the native iOS and Android scanners, so they must read the relevant portion of the URL prior to visiting it. However, the physical contexts in which phishing QR codes may appear can make it more difficult to identify them as such, as in busy restaurants, gas stations, and storefronts that impose significant urgency and sensory distractions. While this novel expansion of phishing into the physical world is a serious threat, the old approach of “user education” may work better with QR links than with regular hyperlinks thanks to their superior visual presentation. Additionally, phishing-resistant authentication methods behind the QR link, like WebAuthn, go a long way toward nullifying the phishing threat.
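The detectability argument above rests on the scanner showing the user the true host of the decoded link. The following is an added example, not code from Keyri or from the original post, showing how a scanner or a corporate QR-inspection tool would derive that display host from a decoded payload and compare it against an expected domain. The allowlist (`example.com`) and the sample payloads are constructed for this example; the host extraction uses Python's standard `urllib.parse`, which correctly ignores the userinfo portion of a URL and the port, and the allowlist check matches whole registrable suffixes rather than substrings, so a lookalike domain that merely contains the expected name is not accepted.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist of domains the organisation expects its QR links to point at.
EXPECTED_DOMAINS = {"example.com"}


def display_host(payload: str) -> Optional[str]:
    """Return the host a scanner should show for a decoded QR payload.

    Returns None when the payload is not an http(s) URL with a usable host
    (e.g. plain text, mailto:, tel:), which a scanner should present differently.
    """
    parts = urlsplit(payload.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    # .hostname drops any user:password@ prefix and the :port suffix and lowercases,
    # so the value shown is the host the browser would actually connect to.
    return parts.hostname or None


def classify(payload: str) -> str:
    """Label a decoded payload as 'expected', 'unexpected' or 'not-a-web-link'."""
    host = display_host(payload)
    if host is None:
        return "not-a-web-link"
    # Exact match or a subdomain of an expected domain; a suffix check with the
    # leading dot prevents 'example.com.lookalike.test' from matching 'example.com'.
    for domain in EXPECTED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "expected"
    return "unexpected"


if __name__ == "__main__":
    # Constructed sample payloads as they might come out of a QR decoder.
    samples = [
        "https://login.example.com/session/abc123",
        "https://login.example.com.lookalike.test/auth",
        "https://login.example.com@other.test/",
        "mailto:help@example.com",
    ]
    for s in samples:
        print(f"{classify(s):16} host={display_host(s)!r:30} payload={s}")
```

The third sample illustrates the parsing caveat a tool author must get right: the text before `@` is URL userinfo, and the connection actually goes to `other.test`, which is what `display_host` reports.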

The notion of distributing sensitive information through QR codes, like medical records as in the article linked above, may seem dangerous at first glance because QR codes typically need to encode unencrypted data to maximize usability. However, implementing sensible best practices can ensure security without compromising ease of use. The QR code on, for example, a patient’s bracelet can simply encode an ID number. Scanning that code would transfer the ID number to the medical professional’s mobile device, which would in turn authenticate itself with a data server and submit the ID number to receive the patient’s medical records. In this way, the medical professional’s device would access sensitive data only through a secure connection to the server, with the QR code merely facilitating the data query by removing the need to manually input a patient identifier. In other words, the QR code can encode the identifier of a secure data channel (i.e., non-sensitive data) that can only be accessed if the scanning device holds the appropriate credentials and is querying the correct server. This is the fundamental principle underlying Keyri: the dynamic codes that our QR widget displays encode a channel ID that any scanning device can tap into. Once scanned, the device must authenticate itself to the relevant server through that channel and can only access protected resources if that authentication succeeds. This enables the secure transmission of arbitrary data from one device to another over HTTPS with no manual entry required.

Today, we use this communication architecture to enable fast, secure authentication into desktop devices by leveraging existing authenticated sessions on mobile devices: cryptographic credentials are sent through a secure channel to the relying party behind an unauthenticated desktop client session, and the relying party in turn issues session tokens to that desktop client. The possibilities for securely sending data from one client to another client or server without manual authentication are numerous, and we’re excited to explore them with our users. In doing so, we hope to gradually introduce this more nuanced view of the security of QR codes: while some simple use cases do present real novel dangers, sensible implementations that take their limitations into account can substantially diminish the phishing threat and improve user experiences.
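The two preceding paragraphs describe one pattern: the QR code carries only a channel identifier, the scanning device must prove its own credentials to the server over that channel, and only then does the server release anything (a medical record, or a session token for the waiting desktop). The following is an added example written for this post; it is not Keyri's code and does not describe Keyri's actual protocol. It models the server side of that pattern in a single process. The device registry, the HMAC-based proof of possession (a stand-in for the stronger credentials such as WebAuthn the post mentions), the 60-second channel lifetime, and the `ChannelServer` / `mobile_sign` names are all assumptions made for the example. The points it is meant to make are that holding a channel ID alone yields nothing, that the proof is bound to the channel so it cannot be reused on another one, and that a channel is single-use and expires.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed device registry: device_id -> secret shared at enrolment time.
DEVICE_SECRETS: Dict[str, bytes] = {"phone-01": b"constructed-device-secret-for-example"}


@dataclass
class Channel:
    created: float
    state: str = "pending"              # pending -> completed | expired
    session_token: Optional[str] = None


def mobile_sign(channel_id: str, device_id: str) -> str:
    """What the mobile app computes after scanning the QR (assumed scheme).

    The MAC covers the channel ID, so a proof captured for one channel is
    useless for any other channel.
    """
    secret = DEVICE_SECRETS[device_id]
    msg = f"{channel_id}:{device_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class ChannelServer:
    """Relying-party side of the QR channel flow (hypothetical, single process)."""

    TTL_SECONDS = 60.0  # how long a displayed code stays scannable

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._channels: Dict[str, Channel] = {}

    def open_channel(self) -> str:
        """Called by the unauthenticated desktop client; the returned ID is the
        only thing the QR code encodes, and it is not sensitive on its own."""
        channel_id = secrets.token_urlsafe(16)
        self._channels[channel_id] = Channel(created=self._now())
        return channel_id

    def complete_channel(self, channel_id: str, device_id: str, proof: str) -> bool:
        """Mobile client submits proof of possession of its device secret.

        Returns True only if the channel is live and the proof verifies; the
        desktop is then granted a session token via poll_channel().
        """
        ch = self._channels.get(channel_id)
        if ch is None or ch.state != "pending":
            return False
        if self._now() - ch.created > self.TTL_SECONDS:
            ch.state = "expired"
            return False
        secret = DEVICE_SECRETS.get(device_id)
        if secret is None:
            return False
        expected = hmac.new(secret, f"{channel_id}:{device_id}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, proof):
            return False
        ch.state = "completed"
        ch.session_token = secrets.token_urlsafe(32)
        return True

    def poll_channel(self, channel_id: str) -> Optional[str]:
        """Desktop polls for its session token. Nothing is returned while the
        channel is pending, and the token is delivered exactly once."""
        ch = self._channels.get(channel_id)
        if ch is None or ch.state != "completed":
            return None
        del self._channels[channel_id]  # single use: the channel is consumed
        return ch.session_token


def run_login_flow(server: ChannelServer, device_id: str = "phone-01") -> Optional[str]:
    """End-to-end happy path: desktop opens channel, phone scans and proves, desktop polls."""
    channel_id = server.open_channel()          # encoded in the displayed QR code
    proof = mobile_sign(channel_id, device_id)  # computed by the phone after scanning
    if not server.complete_channel(channel_id, device_id, proof):
        return None
    return server.poll_channel(channel_id)


if __name__ == "__main__":
    print("session token for desktop:", run_login_flow(ChannelServer()))
```

Everything past `open_channel` would in practice travel over HTTPS between the phone, the desktop and the server; the QR code itself never carries a credential, a record, or a token.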