QR Codes: Obsession and Regulation

Summary: Can something as benign as a QR Code be malicious? They can. What we need is a bit of regulation. Self-regulation.

TOPICS: Apple, Malware

Quick Response or QR Codes are these bizarre-looking, black and white, square bar code thingies that you see everywhere now. You see them in restaurants, on food product packages, in store windows, on plumber's vans and on websites. It's very odd and I'm absolutely and pathologically obsessed with the darn things. I've generated them for just about everything that I do.

Why, pray tell, would anyone use these things or have an obsession with them?

I can only speak for myself but they are intriguing in that they are a compact method of distributing information in a format that isn't human readable. I like that I can give someone my contact information in one, send a web address in one or even transmit a short text-based message in one.

I only find one thing to be wrong with the whole QR Code phenomenon: Digital signing.

Or, actually the lack of digital signing.

No, I don't mean a digital sign such as the ones that you see on new-fangled billboards or on the backs of trucks that roam around cities. By digital signing, I mean encryption. And, yes, I'm fully aware that you can encrypt QR Codes. But, what I'm talking about is the verification, third-party or otherwise, that signs codes as legitimate. Kind of like when you accept a certificate from a website.

I want to know, before I save a scanned QR Code, that it is legitimately created by the source. In other words, if I scan some random QR Code, how do I know that it's really a harmless bit of contact information, website or other packet of useful information? It could be a malicious hunk of code created to steal my Apple ID and password. It could be a "virus" that grabs my phone number, sends it to a spam site and then bombards me with unwanted advertisement texts.
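One way a scanner could check who created a code before acting on it, as an added example that is not part of the original article: the publisher signs the content with an Ed25519 key and the scanner verifies it against a list of issuers it trusts. The `QRSIG1|issuer|signature|content` envelope, the issuer name `example-cafe` and the demo key are assumptions made for the illustration, and issuer names are assumed not to contain `|`.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

var ErrUnsigned = errors.New("unsigned code")
var ErrUntrusted = errors.New("issuer not in trust store")
var ErrBadSig = errors.New("signature does not match content")

// Sign builds the hypothetical envelope QRSIG1|<issuer>|<base64url signature>|<content>.
// The Ed25519 signature covers issuer and content together.
func Sign(issuer string, priv ed25519.PrivateKey, content string) string {
	sig := ed25519.Sign(priv, []byte(issuer+"\n"+content))
	return "QRSIG1|" + issuer + "|" + base64.RawURLEncoding.EncodeToString(sig) + "|" + content
}

// Verify is run by the scanner on the decoded text before acting on it.
func Verify(trust map[string]ed25519.PublicKey, scanned string) (issuer, content string, err error) {
	p := strings.SplitN(scanned, "|", 4)
	if len(p) != 4 || p[0] != "QRSIG1" {
		return "", scanned, ErrUnsigned
	}
	pub, known := trust[p[1]]
	if !known {
		return p[1], p[3], ErrUntrusted
	}
	sig, decErr := base64.RawURLEncoding.DecodeString(p[2])
	if decErr != nil || !ed25519.Verify(pub, []byte(p[1]+"\n"+p[3]), sig) {
		return p[1], p[3], ErrBadSig
	}
	return p[1], p[3], nil
}

// DemoKeys returns a constructed key pair and a trust store holding only it.
func DemoKeys() (ed25519.PrivateKey, map[string]ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv, map[string]ed25519.PublicKey{"example-cafe": priv.Public().(ed25519.PublicKey)}
}

func main() {
	priv, trust := DemoKeys()
	code := Sign("example-cafe", priv, "https://menu.example/today")
	_, _, err := Verify(trust, code+"x") // content altered after signing
	fmt.Println(code, "-> altered copy:", err)
}
```

A signature only shows that the content came unchanged from a listed issuer; deciding which issuers belong on the list is the job the article gives to a third party.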

I'd like to put forth the following ideas and suggestions to the people or industry or whomever is responsible for managing these things:

  • Code Digital Signing to legitimize the Code.
  • A pre-scan informative message describing the QR Code's contents.
  • A watchdog organization that exposes malicious QR Code generators.
  • A "Scan Ban" on those who create malicious codes.
  • A rating system for codes that might not be suitable for all audiences.

I've already described my digital signing idea, so let me explain the other points to you. A pre-scan message would provide a short description of the Code's contents and a symbolic system to let you know if it's a commercial Code, information only, website link, etc. A voluntary watchdog organization would expose malicious QR Code generators, with a feedback box that lets those who upload the codes describe what happens when you scan them. Eventually, that database of information would be checked in the pre-scan phase on your device.

The "Scan Ban" would ban the code from being entered into your device and a recorded instance of the Code's location and creator would be automatically uploaded into the Watchdog database.

A rating system such as the MPAA's rating system would work pretty well for QR codes too. I just don't want my ten-year-old daughter scanning in some adult-oriented QR code that takes her to a site or downloading a movie that she shouldn't see. This sort of thing could be handled in the pre-scan phase, where a message would appear that warns you of age-related content.
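The pre-scan message proposed above can be built from the decoded text alone, before anything is opened or sent. The following is an added example, not code from the article or from any scanner app: it labels common QR payload types and warns about links whose real destination is not visible. The shortener list is a small constructed sample and the `Preview` type is an assumption of the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Preview is what the scanner shows before it acts on a decoded code.
type Preview struct {
	Kind, Summary string
	Warnings      []string
}

// Sample shortener list and common non-link payload prefixes (not exhaustive).
var shorteners = map[string]bool{"bit.ly": true, "tinyurl.com": true, "t.co": true}
var payloads = map[string]string{"BEGIN:VCARD": "contact card", "MECARD:": "contact card",
	"WIFI:": "Wi-Fi network settings", "SMSTO:": "text message", "TEL:": "phone call", "MAILTO:": "e-mail"}

// Describe classifies decoded QR text without opening or sending anything.
func Describe(decoded string) Preview {
	text := strings.TrimSpace(decoded)
	for prefix, kind := range payloads {
		if strings.HasPrefix(strings.ToUpper(text), prefix) {
			return Preview{Kind: kind, Summary: "Contains: " + kind}
		}
	}
	u, err := url.Parse(text)
	if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
		return Preview{Kind: "text", Summary: fmt.Sprintf("Plain text, %d bytes", len(text))}
	}
	host := strings.ToLower(u.Hostname())
	p := Preview{Kind: "link", Summary: "Opens " + host + " in the browser"}
	if u.Scheme == "http" {
		p.Warnings = append(p.Warnings, "not HTTPS")
	}
	if u.User != nil {
		p.Warnings = append(p.Warnings, "text before '@' is not the site name")
	}
	if shorteners[host] {
		p.Warnings = append(p.Warnings, "shortened link hides the real destination")
	}
	return p
}

func main() {
	fmt.Printf("%+v\n", Describe("http://bit.ly/abc123"))
}
```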

I think QR Codes are cool and I'd like to see their use expanded. Just think of the possibilities. You could do a lot with them but unfortunately, since there are many 'less than savory' individuals out there, I'd like to see a bit of self-regulation of them. After all, who wants to reset their device to factory defaults just because you scanned some malicious QR Code?

And, if it hasn't happened yet, it will.

It's really too bad that anything good can be twisted by evildoers and those who have too much time on their hands. I used to believe, naively, in the goodness of mankind but not so much anymore. I think that we have to regulate ourselves in these matters and take those few individuals to task who want to steal, defraud or harm us, whether in person or electronically.

I like the thought of using QR Codes even for simple communications but I think that we should be careful with them. With great power comes great responsibility. Peter Parker's uncle was a wise man.

And, now some completely harmless QR Codes, rated G, for all audiences.

What do you think of QR Codes and my ideas for a bit of self-regulation of them? Talk back and let me know.

Kenneth 'Ken' Hess is a full-time Windows and Linux system administrator with 20 years of experience with Mac, Linux, UNIX, and Windows systems in large multi-data center environments.

  • QR Codes: Regulation

    You raise some very valid points Ken.

    With QR codes being an open public standard, they, like guns, can be used and abused by just about anyone.

    I believe a bit of common sense is the best guide to avoiding potential bad QR codes.
    TIP: Use a qr code scanner that first shows you what is inside and what it wants to undertake. This way you can see the URL and/or instructions before they are executed.
    This unfortunately rules out all the URL shortening services, which by the way is also a perfect way of spreading malware even without QR codes as you have no idea where they go just by looking at them.
    Jeroen Steeman
    • Thanks

      Someone just told me about QR Pal, an app that actually incorporates SafeScan technology to validate codes before they're downloaded. There's no way to know other than taking the scan plunge that a code is bad. Someone wrote me and said that you can't regulate them because they're open source, which is wholly inaccurate. The GPL, for example, regulates open source to a very large degree. There could be a regulatory code group that does the same for codes of all kinds, not just QR.
  • How is this different than clicking a link?

    In fact, most QRCode readers, if the content is a link, just route the contents to your browser, which should have a link checker on it anyway.

    The other kinds of contents are mostly benign other than iCard... and that's just a contact card.

    That being said, most of the QRCode readers on Android *don't* take you directly to a browser or similar app - they show you the contents and let you decide.
  • Nanny State QR Codes

    A QR Code is text - read it or don't. If that text is a URL, then follow it or don't. If that is too daunting, then perhaps we also need a *QR Code Helmet Law.* Digital signatures may not be sufficient. Perhaps, NYC could institute *Low-Fat QR Codes*.

    As for the sample QR Codes at the bottom, they are not valid. The white space surrounding a QR Code is required. Further, laying them out horizontally makes them much too difficult to scan. I thought the author said he had used QR Codes before.

    Rather than referencing "whomever is responsible", perhaps the author could take two minutes and define *whomever*. It's a pretty good bet that Wikipedia has the answer. In a pinch, one could Google it.

    I normally enjoy ZD articles but this drivel was phoned in. If you have nothing to say, then please don't waste our time.
  • Apps that decode the QR code should give opt-in info first

    Apps that decode a QR code should show you the decoded QR text and possibly preview the link page contents in a safe sandbox mini browser window, before asking you if you really want to go there...
  • Maybe we need to ban Net Stupidity

    Maybe we need to ban Net Stupidity. A QR code can't be malicious. Maybe the code contained in one can be (and then only if it's a URL). That's like saying can your smartphone or PC be malicious?, because they can both take you to dangerous web sites among other things.

    Any half decent QR code reader software should, after scanning a code, display the code's contents and ask what you wish to do with them, be it add a contact, send an email, or most importantly go to a website.
  • QRCode with password

    I found this website: www.qrlinq.com, which gives the possibility to create QR Codes with a password for free.

    This can be interesting for giving a good perception to users.
  • Branded QR Codes

    Great article Ken,

    I am an affiliate of a company that may have a viable solution to this issue. ConnectMeQR.com has a product called the MCard. They put their branded seal around the QR Code and when scanned it sends visitors to a secure mobile landing page with secure links to content.

    check it out:

    I agree that there should and will be a more secure method to identify valid and/or safe QR codes in the future. I also like the idea of a rating system for certain content.

    H.A. Justice
    Partner, BlueOctopusQR.com
    Atlanta, GA