Malicious QR Codes - The Digital Slip & Fall
Before customers cross a business's threshold, its manager does not spray soap onto the porcelain tile to induce a broken hip. Instead, “warning” signs are posted around any slippery area to advise individuals to step around the hazard. Given these precautions against potential injury, why continue to use QR codes? It’s a digital slip and fall, with potential for class-action level liability.
QR codes let anyone with a smartphone or device (which is everyone) scan a code that is unreadable to the human eye, to reach a website or launch a program. Commonly used at restaurants and medical centers, customers scan the QR code to read the menu or check in for appointments. Thought a clever alternative to avoid hand-to-surface contact in a Covid-phobic world, it is unsurprising that cyber criminals capitalized on the recycling of this digital tool.
Since QR codes cannot be read by the human eye, it is impossible to know if a QR code will lead the scanner to the intended web page or application. Not even Dustin Hoffman in Rain Man could distinguish an intended QR code from a malicious QR code. And, unfortunately, QR code hacking is easy.
Generally, QR codes are compromised in two ways: 1) Phishing (referred to as “Quishing”); and 2) QRL-Jacking. "Quishing" occurs when the web page that the QR code opens is compromised and prompts the scanner to enter sensitive information/credentials – such as creating an IT helpdesk ticket with an organization. Both the user and the QR code host are totally unaware.
QRL-Jacking occurs when the QR code, once scanned, downloads malicious code onto the device through an application’s launch or a website that is laced with malicious code. Sometimes, the compromised QR code will launch a remote access control program, giving the criminal control over the device or enabling payments from financial applications.
Applied to reality, malicious QR codes can be created by the simple practice of printing stickers and placing those stickers over publicly visible QR codes at restaurants, inside banks, rental cars, and retail stores. And, compromising edits to QR codes are extremely easy to find (one Google search – not even using a Tor Browser):
The easiest way to mitigate the legal liability from QR codes is to stop using them – remove them from the business’s premises and advise customers that QR codes are not used for goods/services. It’s the same reason that retail stores are swept and mopped at night (when no one is present and able to slip and fall).
Just as easy as it is to find and print malicious QR code stickers, it is as easy for attorneys to argue that a business is responsible for the QR codes offered to its clients. By creating a forward-facing information portal, the use of which is encouraged, the business creates its own duty to ensure its delivered services are not defective.
Failure to exercise due diligence in routinely testing the QR codes for quality assurance would be a basic argument for a breached duty. And with the Federal Bureau of Investigation and Information Sharing and Analysis Centers broadcasting public warnings about the risks of using QR codes, knowledge of the risks of QR codes is attributable to the QR code’s host.
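One form the routine testing above can take, as an added example that is not part of this article: scan each code posted on the premises with any scanner app and run the decoded text through a check like this one, which flags the quishing patterns described earlier (a look-alike host, an '@' that hides the real host, a redirect parameter) and any scheme that launches an application instead of opening the published https site. The host names are constructed placeholders for a business's own destinations.

```python
"""Audit decoded QR payloads; flag any that do not point where the business intends."""
from urllib.parse import urlsplit, parse_qs

# Destinations the business actually publishes (constructed for this example).
ALLOWED_HOSTS = {"menu.example-restaurant.com", "checkin.example-clinic.com"}
# Query parameters commonly used to bounce a visitor to a second site.
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return", "goto"}

def audit_qr_payload(payload: str, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Return finding codes for one decoded payload; an empty list means it passes."""
    findings = []
    parts = urlsplit(payload.strip())
    # Anything other than https is cleartext or an application/deep-link launch.
    if parts.scheme.lower() != "https":
        findings.append("non-https-scheme")
    # user:pass@host makes the text before '@' look like the real destination.
    if parts.username is not None or parts.password is not None:
        findings.append("userinfo-in-url")
    host = (parts.hostname or "").lower()
    if not host:
        findings.append("missing-host")
    elif host not in allowed_hosts:
        # A published host name buried inside a longer name is a look-alike.
        tag = "look-alike-host" if any(h in host for h in allowed_hosts) else "unexpected-host"
        findings.append(tag)
    # Internationalised labels render as confusable characters on a phone screen.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")
    # A genuine host can still forward the visitor to a credential-harvesting page.
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() in REDIRECT_PARAMS and any("://" in v for v in values):
            findings.append("embedded-redirect")
            break
    return findings

if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app would decode them.
    samples = [
        "https://menu.example-restaurant.com/lunch",
        "https://menu.example-restaurant.com.menus-online.test/lunch",
        "https://menu.example-restaurant.com@helpdesk-ticket.test/",
        "http://checkin.example-clinic.com/appointments",
        "https://checkin.example-clinic.com/go?next=https://portal.test/login",
        "market://details?id=remote.control.app",
    ]
    for payload in samples:
        findings = audit_qr_payload(payload)
        print("PASS" if not findings else "FAIL " + ", ".join(findings), payload)
```

A code that fails any check should be taken down and reprinted from the business's own record of the intended URL, and a sweep that compares the decoded text against that record is what "routinely testing" looks like in practice.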