
Can QR Codes Really Be Hacked?

by on October 7, 2013


What is a QR Code?

QR code (abbreviated from Quick Response Code) is the trademark for a type of matrix barcode (or two-dimensional barcode). A barcode is an optically machine-readable label that is attached to an item and that records information related to that item. The information encoded by a QR code may be made up of four standardized types (“modes”) of data (numeric, alphanumeric, byte / binary, Kanji) or, through supported extensions, virtually any type of data. (Source: Wikipedia)

Where are QR Codes used / seen?

  • Business Cards
  • Advertisement Posters
  • Webpages; signifying download links
  • Stickers
  • Within Applications (web based & binary)


The amount of data that can be stored in the QR code symbol depends on the datatype (mode, or input character set), version (1, …, 40, indicating the overall dimensions of the symbol), and error correction level.  Below is a brief list of some of the storage limitations for QR Codes:

  • Version 04 – 50 Chars
  • Version 10 – 174 Chars
  • Version 40 – 1852 Chars

Depending on the input mode you wish to use, you should be able to store at least 2 kBytes of data.


The use of QR codes is free of any license. The QR code is clearly defined and published as an ISO standard.

Enough already.  Can it be Hacked?

Hacking a QR code means that the intended action has been maliciously manipulated. This is not effectively possible, due to the error correction built into the image: in order to successfully “hack” a QR code you would have to modify both the black and the white blocks. It is simply easier to replace the QR code with another one, printed on a sticker and placed on top of the original QR code.

Malicious QR Codes

A QR code can be created that redirects to malicious content (websites that download malware, host illegal content, etc.). You must be careful when scanning a QR code not to become a victim of these malicious QR codes. On a computer you don’t click on a link from a non-trusted website; apply the same rule to QR codes: don’t scan a QR code if you have doubts about it. Nowadays, most QR code readers actually display the link address before opening the web browser.
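As an added example (not code from the original post), here is the kind of pre-flight check a reader can apply to the decoded text before acting on it, in the spirit of showing the link address first. The payload strings used in the comments and checks are constructed for illustration, and the set of schemes treated as "opens a browser" is an assumption.

```python
"""Inspect the text decoded from a QR code before opening or acting on it."""
from urllib.parse import urlsplit
import ipaddress

# Assumption: only these schemes are handed straight to a web browser.
BROWSER_SCHEMES = {"http", "https"}


def inspect_payload(payload: str) -> dict:
    """Classify a decoded QR payload and list reasons a user should look twice.

    Returns {"kind": "text" | "action" | "url", "display": str, "warnings": [str]}.
    "display" is what a careful reader should show the user before proceeding.
    """
    warnings = []
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()

    if not scheme:
        # Plain text (table numbers, contact details, etc.): nothing is opened.
        return {"kind": "text", "display": text, "warnings": warnings}

    if scheme not in BROWSER_SCHEMES:
        # tel:, sms:, mailto:, wifi: and similar trigger an action, not a web page.
        warnings.append(f"non-web scheme '{scheme}' triggers an action, not a page")
        return {"kind": "action", "display": text, "warnings": warnings}

    host = (parts.hostname or "").lower()
    if scheme == "http":
        warnings.append("plain http: content can be altered in transit")
    if parts.username is not None:
        # e.g. http://trusted.example@198.51.100.7/ (constructed): the part
        # before '@' is a username, the real host is what follows it.
        warnings.append("credentials before '@' can disguise the real host")
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("internationalised (punycode) host; check for look-alike characters")
    try:
        ipaddress.ip_address(host)
        warnings.append("bare IP address instead of a domain name")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if len(text) > 200:
        warnings.append("very long URL; the destination may be hidden past the visible part")

    # Show scheme, the real host and the path, never the raw string alone.
    display = f"{scheme}://{host}{parts.path or '/'}"
    return {"kind": "url", "display": display, "warnings": warnings}
```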


Phishing targets victims by masquerading as a trustworthy entity. In the case of QR codes, this means replacing the QR code on a poster with another (using a sticker, for example). Users would then think they are scanning the QR code of a company they trust, but would be redirected to malicious content.

Interesting QR-Code Tricks

We briefly mentioned above that QR-Codes have a high degree of error correction. It can actually be broken down into the following levels:

  • Level L (Low) – 7% of codewords can be restored.
  • Level M (Medium) – 15% of codewords can be restored.
  • Level Q (Quartile) – 25% of codewords can be restored.
  • Level H (High) – 30% of codewords can be restored.

Most QR-Codes have their error correction set to High. This is because some cheap phones have cheap lenses on their built-in cameras, and QR-Codes can sometimes appear fuzzy or blurred. However, as technology has improved and built-in cameras have become better, we now have 30% of the QR-Code to have fun with…

This is where we can insert small, simple two-dimensional graphics (so long as they cover less than 30% of the overall QR-Code).


  1. Nick

    Another potentially simple QR vulnerability I don’t see mentioned is the ability to hack into a QR web application generation platform and simply alter any dynamic codes to redirect to malicious sites. Many of these services have inadequate security and weak pw policies. The particular vendor and admin login interface/address can easily be found by inspecting QR URL strings.

    • That is a good point!

      But this posting was just concentrating on the QR codes themselves. I’ve witnessed people try to print black and white dots on transparent plastic and try to stick the new mask over a QR-code. It’s just easier to print a new QR-Code on a sticker and place it on top.

      A similar issue to the one you describe: I know of one pentest firm (not Pentura) that prints QR-codes on their business cards; there is nothing stopping an employee altering the QR-code (as it’s stored on a network share everyone in the company has access to) to read something different when they next print their own business cards. Here’s hoping there are no disgruntled employees in that company!
