Everyday Security Risks: QR Codes at Restaurants

Cloud Access Security Broker (CASB)
©SasinParaksa – stock.adobe.com

We are pleased to introduce our new “Everyday Security Risks” blog series, raising awareness about the potential risks in our everyday lives when using our mobile devices.


This week we discuss something you may have been using more than ever in the few last months due to pandemic – QR codes.


Initially introduced in 1994 in Japan’s car manufacturing industry, QR codes are an evolution of the traditional barcode we find on any product (e.g., canned goods, cereal boxes, etc.). However, QR codes can store more information and are more robust and resistant to physical damage, attributing to their increasing popularity in other sectors before being adopted for all sort of activities, like product and time tracking.


A single QR code can hold 4,296 ASCII characters and contain data such as a locator, identifier, or tracker pointing to a specific website or triggering an application to perform actions like adding a new contact to the phone address book, starting a phone call, sending an SMS or email, posting a message to social media, adding a Wi-Fi network, etc.


The benefits are obvious, as it is a lot easier to scan a QR code to go to specific website rather than having to manually type a whole, often long, URL. With the pandemic, a lot of restaurants are moving away from using printed menus to providing a QR code (e.g., sticker on the table) for customers to scan using their mobile phones and be redirected to the online menu. It is also more cost effective, easier, and faster for restaurants to update their offerings without having to re-print menus on paper.


However, there are some tradeoffs, and one of them is that people cannot read nor interpret the data inside a QR code without scanning it first, which is potentially dangerous as we do not see what is inside the box until we’ve opened it. (In the immortal words of Forrest Gump, “You never know what you’re gonna get!”)


Most QR codes are innocuous but some could be formatted to command a device to perform actions like connecting to a Wi-Fi network or opening a shortened URL that would eventually redirect to an unsafe website. Take, for example, 2018 when a bug in Apple iOS 11 was exploited to trick users into visiting a malicious website (read more here). QR codes could also add contacts to your mobile phone’s address book, initiate a phone call, or send an SMS or email message that could also be used to expose private user information like email address, phone number, or any other identifier that could later be used for phishing attacks. To an extent, a sophisticated malicious attack could ultimately use your phone to make a payment without your initial consent nor knowledge of it.


The Apple iOS 11 exploit has long since been patched but should serve as a reminder that nothing can be 100% safe and protected, as any system is as strong as its weakest link. In that case, the weakest link ultimately tends to be the end-user and their behavior, taking unnecessary risks due to a lack of awareness and/or simply because they want instant gratification and will click on anything to receive it.


So what should you do? Well, the best option would be NOT to scan that QR code at the restaurant, and instead check the restaurant’s website directly, searching for their menu. This is not as easy or fast as the former method, but it is safer.


However, we are only human, and at the end of the day we tend to take the easier path. Here are a few protective measures to consider practicing before scanning any QR code:

  • Where is the QR code located?
  1. Sticker pasted on the table, with or without restaurants logo?
  2. Piece of paper laying on the table?
  • Did the waiter instruct you to scan a specific QR code?
  • What is the code attempting to launch?

Although the reported cases of scanning suspicious QR codes are few compared to other cyberattacks, it is still a reality that could result in something as minor as sending you to an unsavory website or, in a more complex scheme, be a step to steal your identity. We will see other examples in our forthcoming blog posts.


This was written from a consumer approach, but what about the enterprise world? What can I, as an IT administrator, do to protect our employees’ devices and ultimately our corporate infrastructure and company data from that potential security risk? Well, disabling QR code scanning (or the camera itself) would be the safest way to go, using a UEM solution and IT policy rules, especially on work-only, regulated devices. However, we know this is not scalable as it would be counter-productive, especially with BYOD programs, and could damage your end-user level of acceptance over your whole digital workspace strategy.


Using a Mobile Thread Defense (MTD) solution would be a smart move so you can at least monitor your devices and ensure they always remain secure and compliant, detecting any possible threat or security breach and taking preventative actions all in real time.



Note: Please fill out the fields marked with an asterisk.

(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group