How QR Codes Work and How They’re Hacked
The ubiquitous QR code was invented in 1994 by Japanese Denso Wave; company engineer Masahiro Hara originally created it with the intention of making manufacturing operations more efficient
In the age of digitalization, never a day goes by without the use of a QR code. This technology has become a part of our lives, even more so after the COVID-19 pandemic in 2020, with an emphasis on contactless to prevent the spread of the deadly virus.
The ubiquitous QR code (quick response code) was invented in 1994 by Japanese manufacturer Denso Wave. August 8, 2021 marked the 27th anniversary of the QR code.
The QR code was developed by Denso company engineer Masahiro Hara, originally with the goal of making manufacturing operations more efficient.
Read also : It’s black and white: QR code scams happen, but you can stop them
According to Denso, it decided to make the technology license-free to encourage its use by as many people as possible and released general purpose QR codes.
What is a QR code?
It is a type of barcode made up of a series of black pixels in a square-shaped grid on a white background. It contains various forms of data, such as website links, account information, phone numbers, or even coupons.
Unlike standard barcodes which read in one direction – top to bottom and only store less information, QR codes are two-dimensional (2D). QR codes can be read in two directions: top to bottom and right to left. This allows them to store more data – 7,089 digits or 4,296 characters. They use about 10 times less space than a traditional barcode.
A QR code can encode numbers, alphabetic characters, symbols, binary data, check codes, and other data. They can be read at high speed regardless of the scanning angle. The secret is in three position sensing patterns, located in each code, allowing stable high-speed playback without being affected by background patterns.
Position sensing model
The most difficult problem for the QR code development team was how to make 2D codes read as fast as possible; it is more difficult for scanners to recognize the location of a 2D code than that of a barcode. One day, Hara had the idea of adding information to the code indicating its location, which could solve this problem.
Based on this idea, a position detection model, located at the three corners of each code, was created. He expected that by incorporating this pattern into a 2D code, a scanner could accurately recognize the code and thus read it at high speed.
However, developing the shape of the position sensing pattern was extremely difficult because when a similarly shaped figure was near the code, the pattern could not be accurately recognized. To avoid false recognition, the position sensing pattern had to have a unique shape.
“Members of the development team began an exhaustive investigation of the ratio of white areas to black areas in images and characters printed on flyers, magazines, corrugated cardboard and other documents after reducing them to patterns with black and white areas. They continued to study numerous printouts day and night, and finally identified the report that appeared the least on the printout. It was 1:1:3:1:1. In this way, the widths of the black and white areas in the position detection pattern were determined and the scanners became able to detect the code regardless of the scanning angle by finding this unique ratio,” the company explained. .
How do QR codes work?
According to antivirus vendor Kaspersky, the patterns in QR codes represent binary codes that can be interpreted to reveal the code’s data. A QR reader can identify a standard QR code based on the three large squares on the outside of the QR code. Once he has identified these three shapes, he knows that everything inside the square is a QR code. The QR reader then scans the QR code by breaking it all down into a grid. It examines individual grid squares and assigns each a value based on whether it is black or white. It then groups the grid squares together to create larger patterns.
Read also : Bhind cops stamp bullets with QR code to curb gun violence
Parts of a QR code
A standard QR code is identifiable based on six components: silent zone, search pattern, alignment pattern, synchronization pattern, version information and data cells, Kaspersky said and explained the following.
- Quiet zone: It’s the empty white border around the outside of a QR code. Without this border, a QR reader will not be able to determine what is and is not contained in the QR code (due to interference from outside elements).
- Search pattern: QR codes typically contain three black squares in the lower left, upper left, and upper right corners. These squares tell a QR reader that it is looking at a QR code and where the outer boundaries of the code are.
- Alignment pattern: This is another small square contained somewhere near the lower right corner. It ensures that the QR code can be read, even if tilted or tilted.
- Timing model: This is an L-shaped line that connects the three squares of the search pattern. The timing pattern helps the reader identify individual squares throughout the code and helps to read a damaged QR code.
- Version information: This is a small information field contained near the search pattern cell in the upper right. This identifies the version of the QR code being read.
- Data cells: The rest of the QR code communicates the actual information, i.e. the URL, phone number or message it contains.
Types of QR codes
QR codes can be used for multiple purposes, but there are four widely accepted versions of QR codes. The version used determines how the data can be stored and is called the “input mode”. It can be numeric, alphanumeric, binary or kanji. The mode type is communicated via the version information field in the QR code.
- Digital mode: This is for decimal digits 0 through 9. A numeric mode is the most efficient storage mode, with up to 7089 characters available.
- Alphanumeric mode: This is for decimal digits from 0 to 9, plus uppercase letters from A to Z and the symbols $, %, *, +, –, ., / and : as well as a space. It can store up to 4,296 characters.
- Byte mode: These are characters from the ISO–8859–1 character set. It can store 2,953 characters.
- Kanji mode – These are the double-byte characters of the Shift JIS character set and used to encode characters in Japanese. This is the original mode, first developed by Denso Wave, according to Kaspersky.
Are QR codes safe?
Kaspersky warns that attackers can embed malicious URLs containing custom malware into a QR code that could then exfiltrate data from a mobile device during scanning. It’s also possible to embed a malicious URL in a QR code that directs to a phishing site, where unsuspecting users could leak personal or financial information. Since humans cannot read QR codes, it is easy for attackers to modify a QR code to point to an alternate resource without being detected.
Can QR codes be hacked?
“QR codes themselves cannot be hacked – the security risks associated with QR codes derive from the purpose of the QR codes rather than the codes themselves. Hackers can create malicious QR codes that send users to fake websites that capture their personal data such as login credentials or even track their geolocation on their phones. This is why mobile users should only scan codes from a trusted sender,” the company explains.