QR Codes Pose Security Risk, Becoming Obsolete Experts Claim

by Reads (1,184)

QR codes have pre-dated their most common usage cases by decades, and just as we are getting to know them, some pundits are predicting the demise of the blocky scanner codes.

First invented by the Toyota subsidiary Denso Wave in 1994 to track vehicles during the assembly process, QR codes have made their way into the public and around the world thanks to the advances of the smartphone. Finally, 15 years after they were invented, people had a QR reader in their hands.

\"QRIt took a while, though. Denso Wave doesn\’t drive the standard the way, say, the World Wide Web Consortium drives Web standards like HTTP. Every phone platform has multiple QR code readers of varying quality, and the quality of the camera phone also goes a long way in determining how usable a QR code is.

And that, says Judy Brown, an independent technology consultant works in mobile learning and frequently advises government agencies, is why she has not recommended using them for a couple of years in her analysis.

\”It never got traction in the U.S. for the longest time. There were so many of QR readers and they just didn\’t work. A lot of the creation software wouldn\’t work with the cameras, or camera resolution wasn\’t high enough,\” she said.

This has led at least one pundit to proclaim QR codes to be doomed. Cormac Foster of ReadWriteWeb/Enterprise put QR codes on a list of 13 companies or technologies he feels are headed for the boneyard.

Foster listed all the problems as articulated above: inaccuracy, no one driving the standard, no one building the software, and no real security. The latter argument is very similar to the problem people have with URL shorteners like Bit.ly and TinyURL, in that you have no idea where you are going with these shortened links.

David Maman, CTO and founder of database company GreenSQL, had a little fun with this. During a three-day security conference in London, he created a small poster featuring a big security company\’s logo and the sentence \”Just Scan to Win an iPAD.\”

Thousands of people walked by and no one asked where the sign came from or took it down, not even a representative of the company featured on the sign. But he did get 455 people to scan the link over the three days, and this was during a conference for security professionals.

That\’s another reason Brown does not recommend QR codes to her clients. \”You have no idea where it\’s going to take you. It could grab your info or take over your phone. It\’s the same thing with URL shorteners,\” she said.

\"QRHarvestMark co-founder and CMO Elliott Grant agrees it\’s a legitimate fear, but asks \”Has anyone shown you [how you] can hijack a phone by going to a Web site?\” Not yet, he admits, but probably soon enough.

HarvestMark uses QR codes to track produce at supermarkets, allowing customers to scan the code on veggies to find out where they came from, or if they are subject to recall. Grant believes the bulk of QR code use will be inside retail locations like a supermarket, and the codes can be trusted.

For those that don\’t work, the trick to securing the QR code isn\’t changing the code itself, which would be onerous. Rather, he thinks the browser that is launched by the QR code needs to be more secure. \”The browser on the phone would have to behave like the browser on the PC. I have Firefox plugins that protect me, so if a URL takes me to a non-trusted site, it won\’t let me go there,\” he said.

Brown and Grant agree that QR won\’t last forever anyway, that near field communication (NFC) will eventually take over where QR attempted to go. \”QR codes provide a very useful bridge technology. Until things like NFC become widely available and there\’s a uniform way to see them, QR codes will provide a good bridge technology in the mean time,\” said Grant.



All content posted on TechnologyGuide is granted to TechnologyGuide with electronic publishing rights in perpetuity, as all content posted on this site becomes a part of the community.