QR codes are everywhere and are now being included in so-called vaccine passports. Since important information will be included in these codes, it is necessary to find out if, or how, these codes could be hacked, either by those who want to produce fake passports or those who could benefit from stealing the information they contain.
So what precisely are QR codes? ‘QR’ stands for ‘quick response’ and it is this response that makes them so useful. They may not store as much data as you think. At a maximum, they store 3kb of data. That said, this information may include links to websites or downloads which magnify their effectiveness. Here, for example, is the QR code for this website.
QR codes come in a variety of sizes, depending on the information a user may want to encode, but they all maintain certain standard features that can be seen in the diagram below.
Almost all smartphones with cameras include QR readers. It’s no revelation that the universal use of smartphones has led to the growth in the use of QR codes.
Although most people think of QR codes as a square with a matrix of smaller black, grey, or white squares contained within it, the code can be varied. Company logos, for example, can be made a part of colorful QR codes. Here, for example, is such a code which includes the InZero company logo and which leads to the company website.
How Hackers can Use QR Codes
Probably the easiest way a hacker can take advantage of a QR code is to embed a link to a malicious website within it. Criminals may make it appear as if the code is going to a legitimate site when it is not. The malicious site may download malware to a device which could take complete control of that device. Most QR readers on smartphones will present a message asking if the user wants to proceed to the site embedded in the QR code, so for a good hack to work, the hacker would have to use a site which had a URL that looked like it was legitimate. Many free QR readers are available and some will give warnings about bad links. Others will not and should be avoided.
Many people don’t realize that emails can be generated through a QR code. In fact, there are free sites that will help you do this. Of course, this ability can be misused by hackers. Such emails will be converted into a QR code which can be sent to potential victims or simply put in public places. Those using the QR code will see a pre-written email going to a particular address. All they have to do is click ‘Send’. Sending a hacker an email will identify the sender as a possible target that can be manipulated.
Another nefarious use of a QR code would use a phishing email with a subject line containing an important message, for example, telling them that some immediate action needs to be taken. The potential victim is then persuaded to use the attached QR code. Remember that scammers try their best to obscure the destination of a link and QR codes go a long way towards doing this.
Hackers have been known to print out QR stickers or posters which can be placed almost anywhere. If, for example, the sticker was placed on a restaurant menu, it could make it appear as if the victim could email a restaurant review to the restaurant manager. They could be led to a site where they would be asked to give some personal information which would then be sent to the scammers.
Bitcoin owners need to be aware of sites that convert bitcoin addresses into a QR code to propagate easier transactions. There are legitimate sites that do this; however, there are scam sites that will generate a QR code that will send your bitcoins to the scammers’ wallets.
Covid Vaccine Passport Scams
The EU’s COVID vaccination passport, the so-called, ‘Freedom Passport’, contains a QR code. Many templates for such passports exist, mainly on the deep web. Fake vaccination passports sell for up to $150 and contain a QR code. No, they are not valid, but the code may show a link to a medical center or government site to fake their legitimacy. Since the U.S. does not have a standard vaccine passport, these fake cards may fool a number of people who serve as gateways into restaurants, theaters, or sporting events. In states where you do not need to give any personal information to get a vaccination, no database exists to test the validity of these vaccination cards.
But even where there are databases, there are sometimes problems. In France, the vaccination database was accessed by a health professional who used the information stored there to generate valid QR codes and vaccination passports. That said, on a recent return to the EU, those checking the vaccination information cards did not check any QR codes but just looked at the paper containing them. This may be because many of the apps used for downloading the QR code with vaccination information have had glitches. In other instances, the databases have not been updated. Such confusion would slow up the lines at the airport and, hence, it was easier to use the card’s face validity to allow entrance. That said, the EU realizes it has a problem and has warned users of fake vaccination certificates that they could face a fine of up to $50,000 and 3 years in jail. Russia is having a similar problem with its certificates. The fake certificates, which sell for less than $100, will have a QR code that takes the reader to a site that looks almost identical to the official validating site. Since these cards are used to get into restaurants and cafes, it is quite likely that waiters will be too busy to look closely at such certificates.
One way that legitimate vaccine certificates have been created is by stealing the QR code from people who have publicly shown their certificates online. They were not involved in criminal activity. They were simply proud of themselves for getting vaccinated and showed their cards to brag about what they did. Sadly, hackers have taken advantage of this blunder. For example, I read the code shown by the Malaysian health minister on his phone and found it took me to a podcast on SoundCloud by someone identified as “ICT Evangelist”. Try it yourself… or maybe you shouldn’t trust me. Healthy skepticism is advised in reading any QR code.
In the case of an EU vaccination passport, the QR code will be your private key which will match the public key of the database and verify your passport. If that is stolen, someone else can basically become you.
In the end, it is best to read QR codes with caution. Make sure they come from a trusted source. Use a good QR reader. Check publicly displayed QR codes to see if they have not been covered by a sticker. Avoid scanning QR codes on public posters. And never share your vaccine passport QR code with anyone.