Security risks of scanning an unknown QR code

You must never trust user input, regardless of whether it is a string, a bar code or a QR code. All of them can exploit your application, e.g. SQL injection. Take a look at this PDF, it's very useful for your question :) http://qrcodethursday.files.wordpress.com/2011/03/qr_code_security.pdf

Bonus: I don't know if this is a joke or really true, but it makes sense: http://cicero.files.wordpress.com/2010/04/500x_for_traffic_cameras.jpg


These are some risks you can face:

  1. If the QR code links you to a poisonous website, this site can try to exploit your browser; the danger depends on whether your browser is secure or has vulnerabilities, and on the type of exploitation.

  2. The QR code can exploit the scanner application. This exploit can be performed by an intentionally corrupt QR code, which can affect the scanner application's process; obviously the exploit can only succeed if the scanner application is vulnerable. As in the first case, the danger depends on the type of exploitation.

References

QR code - Wikipedia


A QR Code, Quick Response Code, also known as a two-dimensional code, is a small white square with small sections of black covering it. It can be read by the camera of a smartphone, and once read it may instantly redirect the smartphone user to a webpage.
How are QR Codes used?
QR Codes can be used in a variety of ways to market a business, to provide further information on a product or service by encoding general text, a URL, a phone number or a business card, and even to provide WiFi access.
Best Practices
* If it smells phishy, throw it back. Most of us aren't tempted to open emails which are obviously spam. However, QR codes are tricky because you cannot weed out the bad from the good by simply looking at the code. Because the vulnerability is practically part of the design, consider downloading an app on your phone which provides a preview of each code before it opens a webpage (e.g. I-nigma). This way, you will have right of refusal if you think the QR code is corrupted.
* Remember the old proverb, "Curiosity killed the cat." Hackers prey on curiosity, thus if you see a lonely QR Code posted on a wall, DO NOT scan it to find out why it is there and what it does.
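The "preview before it opens" advice above can be applied to the decoded payload itself. What follows is an added example, not code from any answer here or from the I-nigma app: a small Python classifier that takes an already-decoded QR string, identifies which of the content kinds named above it is (URL, phone number, WiFi credentials, contact card, plain text) and lists what a user should know before the scanner acts on it. The sample payloads are constructed, and the scheme detection is a heuristic.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample payloads, one per content kind named in the answer above.
SAMPLES = [
    "https://example.com/menu",
    "http://203.0.113.5/login",
    "https://bank.example@evil.example/signin",
    "tel:+15555550100",
    "WIFI:T:nopass;S:FreeCafe;;",
    "MECARD:N:Doe,Jane;TEL:15555550100;;",
    "Table 12",
]

def classify_qr_payload(payload: str):
    """Return (kind, notes) for a decoded QR string, so the user can see what
    acting on the scan would do before the scanner application does it."""
    p = payload.strip()
    low = p.lower()
    notes = []
    if low.startswith(("http://", "https://")):
        kind = "url"
        u = urlsplit(p)
        if u.scheme == "http":
            notes.append("plain http: page can be altered in transit")
        if "@" in u.netloc:  # user@host trick: the part shown first is not the host
            notes.append("userinfo before host: displayed name is not the real host")
        try:
            ipaddress.ip_address(u.hostname or "")
            notes.append("raw IP address instead of a domain name")
        except ValueError:
            pass  # a normal hostname, not an IP literal
        if len(p) > 200:
            notes.append("unusually long URL")
    elif low.startswith("tel:"):
        kind = "tel"
        notes.append("opens the dialer; check the number before calling")
    elif low.startswith("wifi:"):
        kind = "wifi"
        # WIFI:T:<auth>;S:<ssid>;P:<password>;; -> {"T": ..., "S": ..., "P": ...}
        fields = dict(re.findall(r"([A-Z]):([^;]*);", p[5:]))
        if fields.get("T", "").lower() in ("", "nopass"):
            notes.append("open network: traffic is not encrypted")
    elif low.startswith(("mecard:", "begin:vcard")):
        kind = "contact"
    elif re.match(r"[a-z][a-z0-9+.-]*:", low):  # heuristic: looks like a URI scheme
        kind = "other-scheme"
        notes.append("non-http scheme: may hand the payload to another app")
    else:
        kind = "text"
    return kind, notes

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify_qr_payload(s), "<-", s)
```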