The eagerness with which some marketers and their disciples have embraced QR codes® reminds me of the 1950s fascination with decoder rings. Remember the scene in "A Christmas Story" when Ralphie finally receives his ring and anxiously decodes the secret message, only to be disappointed to read, "Be sure to drink your Ovaltine"? In a similar way, smartphone users download QR code reader apps, snap images, answer personal questions, and marvel at the information deciphered ... or not. To the old axiom that you can have only two of cheaper, faster, and better, there should be added a new triad: cheaper, faster, safer (more assured). If it is cheaper and faster, it will probably not be safer.
QR code® (a registered trademark of Denso Wave Incorporated) technology was developed in 1994 to store information in about one-tenth the space of a traditional bar code: the matrix is read in two dimensions, horizontally and vertically, rather than along a single line. Initially used to speed the scanning of parts in manufacturing processes, its adaptation to mobile devices has stimulated the interest of companies hoping to capture the attention of smartphone users. In the USA, the most likely person to scan a code is a male between the ages of 18 and 34 with a household income above $100K, based on evidence gathered about the 14 million US-based individuals (6.2 percent of the total US mobile audience) who used their smartphones to scan a QR code during June 2011 [i].
While the number of scanners continues to grow, so do the spammers, scammers, and slammers. QR codes are machine readable, not human readable, and are easily attached to spam-like messages. How do you know that a QR code is legitimate or trustworthy? How can you verify the URL before landing on the site when you cannot read it? One precaution is to use reader software that displays the decoded content and the action it implies (open this URL, send this SMS, install this app) and waits for confirmation, so that a website is "discovered" before any connection is made to it. Websense Labs security researcher Elad Sharf has remarked, "In many ways it was just a matter of time before we saw spam messages point to URLs that use embedded QR codes. This is a clear movement and evolution of traditional spammers towards targeting mobile technology." [ii]
Even more disturbing is this technical insight from Joe Levy (CTO of Solera Networks), quoted in Dark Reading: "QR codes -- typically read by QR code-scanning applications running on smartphones -- provide a direct link to other smartphone capabilities, such as email, SMS, and application installation. So potential attack vectors extend beyond obscured URLs and browser exploits very nearly to the full suite of device capabilities." [iii] It is easy to guess the types of criminal activities and cybersecurity risks this could enable, such as:
- Compromising personal identity and contact information
- Stealing financial information stored locally in mobile banking applications
- Stalking individual smartphone users (including children)
- Installing keylogger software remotely
- Distributing malware
- Incurring premium SMS charges for users through Trojans like Jimm [iv]
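The precaution described above (a reader that reveals the action before acting) and the capability mapping in Levy's remark can be made concrete with a small pre-flight inspector. This is an added example, not code from the original article or from any product it mentions. It assumes the QR image has already been decoded to a string by a reader library; the scheme table, the shortener list, the short-code length rule and the sample payloads are all constructed for illustration and are not authoritative:

```python
"""Pre-flight inspector for a decoded QR code payload.

Added example, not code from the original article. It assumes the image has
already been decoded to a string by a reader library; everything here works on
that string and reports what the phone would do *before* anything is opened.
The scheme and shortener lists are illustrative assumptions, not complete.
"""
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed sample of shorteners: they hide the final destination until followed.
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "is.gd", "ow.ly"}

# Schemes that hand the payload to a phone capability other than the browser.
APP_SCHEMES = {
    "market": "install_app",         # Android Market listing
    "intent": "install_app",         # Android intent URI with optional fallback URL
    "itms-services": "install_app",  # iOS over-the-air install manifest
    "mailto": "send_email",
    "tel": "place_call",
}


def _inspect_url(p, w):
    """Add warnings for an http(s) URL and return its host."""
    u = urlsplit(p)
    host = (u.hostname or "").lower()
    if u.scheme == "http":
        w.append("plain HTTP: destination and redirects can be altered in transit")
    if host in SHORTENERS:
        w.append("URL shortener: real destination hidden until followed")
    if "@" in u.netloc:
        w.append("userinfo before '@': the text before it is not the host")
    try:
        ipaddress.ip_address(host)
        w.append("IP-literal host: no domain name to judge")
    except ValueError:
        pass
    if host.startswith("xn--") or any(ord(c) > 127 for c in host):
        w.append("IDN host: possible look-alike domain")
    if u.path.lower().endswith((".apk", ".jar", ".jad", ".ipa", ".exe")):
        w.append("URL points at an installable package")
    return host


def _inspect_sms(p, w):
    """Parse sms:<number>?body=... or SMSTO:<number>:<text>; add warnings."""
    rest = p.split(":", 1)[1]
    if p.lower().startswith("smsto:"):
        number, _, body = rest.partition(":")
    else:
        number, _, query = rest.partition("?")
        body = parse_qs(query).get("body", [""])[0]
    digits = re.sub(r"\D", "", number)
    if 3 <= len(digits) <= 6:  # assumed short-code length range
        w.append("short-code recipient: premium-rate SMS charges likely")
    if body:
        w.append("pre-filled message text: sent as soon as the user confirms")
    return number, unquote(body)


def classify(payload):
    """Return the action the reader would take, its target, and warnings."""
    p = payload.strip()
    scheme = p.split(":", 1)[0].lower() if ":" in p else ""
    w = []
    if scheme in ("http", "https"):
        host = _inspect_url(p, w)
        return {"action": "open_url", "target": host, "warnings": w}
    if scheme in ("sms", "smsto"):
        number, body = _inspect_sms(p, w)
        return {"action": "send_sms", "target": number, "body": body, "warnings": w}
    if scheme in APP_SCHEMES:
        action = APP_SCHEMES[scheme]
        if action == "install_app":
            w.append("application install: the code bypasses the browser entirely")
        return {"action": action, "target": p, "warnings": w}
    if p.upper().startswith(("WIFI:", "MECARD:", "BEGIN:VCARD")):
        return {"action": "store_config_or_contact", "target": p, "warnings": w}
    return {"action": "show_text", "target": p, "warnings": w}


def verdict(payload):
    """'open' for plain text, 'confirm' for a clean action, 'warn' when flagged."""
    r = classify(payload)
    if r["warnings"]:
        return "warn"
    return "open" if r["action"] == "show_text" else "confirm"


if __name__ == "__main__":
    # Constructed sample payloads, as a reader library would hand them over.
    for sample in ("https://example.com/menu",
                   "http://bit.ly/x1",
                   "https://paypal.com@evil.example/login",
                   "SMSTO:3353:ping",
                   "market://details?id=com.example.jimm"):
        r = classify(sample)
        print(f"{verdict(sample):7} {r['action']:24} {r['target']}")
        for warning in r["warnings"]:
            print("        -", warning)
```

Running the module prints a verdict and any warnings for each constructed payload; a reader built on it would show the same information and refuse to act on a "warn" result without explicit confirmation. The heuristics only catch what is visible in the payload: a clean-looking HTTPS URL can still redirect to malware, so "confirm" means "nothing obviously wrong in the code itself", not "safe".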
Some analysts question the value of QR codes when used for marketing and sales purposes outside the manufacturing environment. They point to nonsensical placements (e.g., in subways without Wi-Fi access, on the sides of vehicles moving through traffic, as aerial banners) and to still-limited adoption by smartphone users (less than 7 percent penetration). Perhaps the value lies in other vertical applications that, like manufacturing, have a fixed physical object to label; education is one. There, QR codes have been used to update textbooks with stickers that lead to online information resources [v]. Of course, this use case should also involve many learning moments with students about the safe use of online tools.
An intriguing use of QR codes for emergency and medical care practitioners is being piloted in Marin County, California. The proposed Lifesquare project would have individuals register information about their medication use on its website and place the resulting QR-encoded sticker(s) where appropriate personnel could scan them as needed, on a bike helmet, for example [vi]. Privacy and data integrity issues abound, of course, but this may be a viable digital equivalent of a medical bracelet. Or is it just the 21st-century version of the decoder ring that Ralphie desired in the 1950s?
[i] comScore Inc. "14 Million Americans Scanned QR Codes on their Mobile Phones in June 2011; Newspapers/Magazines and Product Packaging Most Likely Source of QR Code." Press release, August 14, 2011. Retrieved from reference.
[ii] Leyden, John. "Spammers hit mobes with QR code junkmail jump pads." Security, January 11, 2012. Retrieved from reference.
[iii] Chickowski, Ericka. "QR Code Malware Picks Up Steam." Dark Reading, December 29, 2011. Retrieved from reference.
[iv] Fiener, Norman. "QR Codes: Business Opportunity or Criminal Abuse?" Retrieved from reference.
[v] Barrett, Tom. "48 Interesting ways to use QR codes to support learning" (discusses elementary school use cases for QR codes). Google document, retrieved from https://docs.google.com/present/edit?id=0AclS3lrlFkCIZGhuMnZjdjVfNzY1aHNkdzV4Y3I.
[vi] Davis, Kerry. "Emergency workers scan QR codes for quick access to health info." Computerworld, May 30, 2012. Retrieved from reference.