
Can a QR Code be hacked?

As with any technology, there are stories of QR Codes being used maliciously. It is important to know what is made up and what the real risks are. Here is what you need to know on the subject.

No, a QR Code cannot be hacked

Hacking a QR Code would mean manipulating it so that the action it triggers is changed.

This is not possible, because the action is determined by the arrangement of the small square modules (the data is encoded by the module arrangement). To change the action, one would have to change the arrangement of the modules, which means physically modifying the QR Code if it has been printed.

Example

You just printed a QR Code on a poster. Can somebody with bad intentions change the website it redirects to?
Definitely not, because they would need to find a way to modify the arrangement of the modules of the QR Code without being detected. Besides, they would have to know exactly which modules to modify to achieve their goal, and redo the hack on every poster!

...but QR Codes can be used maliciously

QR Codes cannot be hacked, but it is possible to replace a QR Code with another one, or to create a QR Code that redirects to malicious content.

Malicious QR Codes

A QR Code can be created that redirects to malicious content (websites that download malware, websites with illegal content, etc.). You must be careful when scanning a QR Code not to become a victim of these malicious QR Codes.
On a computer you don't click on a link from a non-trusted website; apply the same rule to QR Codes: don't scan a QR Code if you have doubts about it. Besides, most QR Code readers now actually display the link address before opening the web browser.

Phishing

Phishing targets victims by masquerading as a trustworthy entity. In the case of QR Codes, it means replacing the QR Code on a poster with another (with a sticker, for example). Users would then think they are scanning the QR Code of a company they trust but would be redirected to malicious content.
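
The advice above (look at the link address a reader displays before opening it, and be wary of a QR Code that may have been replaced) can be turned into a check on the decoded text. The Python code below is an added example, not part of the original page; the function name, the idea of passing the domain the user expects, and the sample payloads are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def assess_qr_payload(payload: str, expected_domain: str) -> list[str]:
    """Return warnings for a decoded QR payload; an empty list means no findings."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["payload is not a parseable URL"]
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append(f"scheme is {parts.scheme or 'missing'!r}, not https")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        warnings.append("no host in payload")
        return warnings
    # "https://trusted.example@other.test/" opens other.test, not trusted.example
    if parts.username or parts.password:
        warnings.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # a normal DNS name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label (possible look-alike domain)")
    # Accept the expected domain or a true subdomain of it, nothing else.
    expected = expected_domain.lower()
    if host != expected and not host.endswith("." + expected):
        warnings.append(f"host {host!r} is not {expected!r} or a subdomain of it")
    return warnings

if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would hand them over after decoding.
    samples = [
        "https://shop.example.com/promo",
        "https://example.com@login.example.net/",
        "https://example.com.evil.test/",
        "http://192.0.2.10/app",
        "https://xn--exmple-cua.com/",
    ]
    for s in samples:
        findings = assess_qr_payload(s, "example.com")
        print(s, "->", findings or "no findings")
```

An empty result only means the address matches the domain the user expected; it says nothing about the content behind it.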
