I Don’t Trust QR Codes. How Can I Manually Preview Them?

In another thread, I asked for a method that would eventually lead me to the answer to the question “How can I make it so my Amazon Echo never speaks except when spoken to, and then only to respond to my commands?”

So far, no responses. So I’m giving y’all another opportunity to help me become the very best technology user I can be, consistent with my aspirations (keeping in mind that I don’t aspire to become a gamer, or a coder or anything like that).

As stated in the thread title, I do not trust QR codes. With a url, I can at least try to vet the site I’m about to be directed to. But a square of seemingly random dots? Go ahead and pull the other one.

It would ease my mind considerably if someone would fill me in on how QR codes are constructed, and how to deconstruct them, as it were. I learned how to read and write Grade 2 Braille; I can probably manage this, too.

TIA

Previewing them completely manually, without any sort of electronic device? That’s going to be extremely difficult, unless you can do base conversions of large numbers in your head.

But previewing them without your device taking action on them is very easy, since that’s the default behavior of devices that can read them. If you open up your camera app and point it at a QR code, a little yellow box will pop up on your screen, containing the contents of the code (which is usually a URL, but doesn’t have to be). If, after reading that URL, you decide to click on it, then you’ll be taken to whatever page it points to. But if, after reading the URL, you decide, for any reason, that you don’t trust it, all you have to do is nothing.

I read your OP on the Amazon echo.
I didn’t have anything official or cite-able to offer.

Although, I’ve heard others complain about that before.

I did wanna help out, but I couldn’t. Post these in MPS; you’ll get loads of answers. I believe you’d have gotten a semi-factual answer. Plus, they are relevant to our times and fun.

About QR codes. Funny these were on my mind last night.
The only facts I know are my experiences.
So, sorry again.


Don’t worry about it, Beck. I’m not holding the dearth of responses against anyone.

Yeah, this is important. My banking website on my laptop uses a QR code to ensure I am the owner of the phone associated with that account. My banking app on the phone reads the QR, then my laptop lets me in.

QR codes are almost all like barcodes. Pure information, and not a lot, because they need to handle a fair amount of redundancy.

You know the game “snake”? The smallest ever version was written by some genius in code in just 69 bytes. The QR code below is massively more complex than, say, the one you might use to pay for a coffee at your local. And that represents 1.4 KB of data.

This is the game written on a QR. It is substantially more complex a QR than you will ever see in the wild.

QR codes may lead you astray, but it is your choice. FWIW, most camera apps will read QR but do not have the ability to actually execute code in them, unless, as in the above example, you choose to, AND have the appropriate software.

TL;DR: QR codes are as safe as shortened URLs. If you trust a bit.ly URL, trust a QR.

Obviously, caveat emptor.

Safer, because bit.ly won’t show you what the real URL actually is before sending you there. But a QR reader will.

That’s not quite how the camera app on my Android phone works. If you point the camera at a QR code, it just shows the domain name, not the full URL. If there’s a way to display the whole URL before opening the URL in a browser, I haven’t found it. There are many third-party apps that will do this, but if you’re worried about QR Codes, you may not want to install an app.

QR codes are actually extremely complex — far, FAR more so than, say, the ISBN barcodes on books or UPC barcodes on grocery store products.

You can in fact decode simpler ones by hand: Decoding small QR codes by hand (or watch a video: https://www.youtube.com/watch?v=KA8hDldvfv0)

(that one spells out someone’s name)

But QR codes can encode much, much more data than that (up to about 3 kilobytes), and they have multiple different versions, encoding schemes, error correction levels, etc.

One that holds more information can look like this:

(From Wikipedia. It is just a message saying how much text QR codes can hold, who invented it, blah blah blah)

If you had a few years, yes, you could still decode that by hand — it’s just a computer algorithm, like any other — but it would be incredibly difficult, tedious, and error-prone.

Here’s a more technical explanation: QR Code Structure: Everything you need to know

Their “error correction” system alone is quite advanced, with a lot of built-in error checking and redundancy so that even if the code is scratched, or your camera doesn’t take the best photo of it, etc., it can often still be salvaged. Here’s a cool visualization of how the error handling works: https://qris.cool/

The red squares are areas that I mutilated beyond use, but even with those, the QR code as a whole still scans.

All this complexity means that there is always room for security issues. Although rare, they CAN happen… they are a data payload, like any other, and sometimes buggy software can scan a malicious QR code and execute code, as in ZBar Heap-based Buffer Overflow Vulnerability - HackMD (aka CVE-2023-40889 in the US gov-associated software vulnerability database).

There is no one single QR code scanner software either, so different vulnerabilities/malicious codes may affect each one differently. Google has their own (built into the camera app in recent versions of Android), Apple has their own, Samsung has their own, there are a ton of third-party ones on the app store, etc.

There is no real way you can guarantee the safety of a QR code you scan, with a particular phone you have, because there are too many possible permutations. If you really want to be safe, get an old burner phone, take out its SIM, put it on permanent airplane mode, and use that to scan QR codes if you want to.

Or just ignore them and ask for a regular URL instead, and only follow that if you trust the domain.

Real-world attacks with QR codes are very very rare, but if you are paranoid… the possibility is there.
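The post above describes the pieces a hand decoder has to get through: the format information (error-correction level and mask pattern, protected by its own small error-correcting code), the data mask, and the mode/count/data segments in the unmasked bitstream. The following is an added example, not code from the thread or from any QR library, that works those three pieces in Python on constructed inputs. It implements the 15-bit BCH(15,5) format field and nearest-codeword correction, the eight mask-pattern formulas, and a segment parser for byte and numeric modes with the character-count widths that apply to versions 1 through 9. The bitstrings and the 3x3 grid are constructed for illustration; the bounds check in the parser is the kind of check a real decoder needs before trusting a length field taken from the symbol.

```python
"""QR format information, data masks and data segments, worked in code.

Constructed example, not code from the thread.  The 15-bit format field is
5 data bits (2-bit EC level + 3-bit mask pattern) followed by 10 BCH check
bits, XORed with a fixed mask so it is never all zeros.  The data region,
once unmasked, is a bitstream of segments: 4-bit mode indicator, character
count, characters, then a 0000 terminator.
"""
from typing import List, Tuple

GENERATOR = 0b10100110111          # BCH(15,5) generator x^10+x^8+x^5+x^4+x^2+x+1
FORMAT_XOR_MASK = 0b101010000010010
EC_LEVEL_BITS = {"L": 0b01, "M": 0b00, "Q": 0b11, "H": 0b10}

# The eight data-mask conditions; a module at (row, col) is inverted when true.
MASK_PATTERNS = [
    lambda r, c: (r + c) % 2 == 0,
    lambda r, c: r % 2 == 0,
    lambda r, c: c % 3 == 0,
    lambda r, c: (r + c) % 3 == 0,
    lambda r, c: (r // 2 + c // 3) % 2 == 0,
    lambda r, c: (r * c) % 2 + (r * c) % 3 == 0,
    lambda r, c: ((r * c) % 2 + (r * c) % 3) % 2 == 0,
    lambda r, c: ((r + c) % 2 + (r * c) % 3) % 2 == 0,
]


def bch_remainder(data5: int) -> int:
    """Remainder of data5 * x^10 modulo GENERATOR over GF(2) (long division)."""
    v = data5 << 10
    for bit in range(14, 9, -1):
        if v & (1 << bit):
            v ^= GENERATOR << (bit - 10)
    return v


def encode_format(ec_level: str, mask_pattern: int) -> int:
    """Build the 15-bit format field as it appears in the symbol."""
    data = (EC_LEVEL_BITS[ec_level] << 3) | mask_pattern
    return ((data << 10) | bch_remainder(data)) ^ FORMAT_XOR_MASK


def decode_format(bits15: int) -> Tuple[str, int]:
    """Nearest-codeword decoding.  BCH(15,5) has minimum distance 7, so up to
    3 damaged modules are corrected; anything farther away is rejected."""
    best = None
    for level in EC_LEVEL_BITS:
        for mask in range(8):
            dist = bin(encode_format(level, mask) ^ bits15).count("1")
            if best is None or dist < best[0]:
                best = (dist, level, mask)
    if best[0] > 3:
        raise ValueError("format information unrecoverable")
    return best[1], best[2]


def unmask(grid: List[List[int]], mask_pattern: int) -> List[List[int]]:
    """XOR the mask pattern over a constructed module grid.  Masking is an XOR,
    so applying it twice recovers the raw bits.  (In a real symbol the finder,
    timing and format modules are exempt; this toy grid is all data.)"""
    cond = MASK_PATTERNS[mask_pattern]
    return [[bit ^ int(cond(r, c)) for c, bit in enumerate(row)]
            for r, row in enumerate(grid)]


def decode_segments(bits: str) -> List[Tuple[str, object]]:
    """Parse byte- and numeric-mode segments from an unmasked bitstring.
    Count-indicator widths (8 bits byte, 10 bits numeric) are those for
    versions 1-9.  Every read is bounds-checked: the count comes from the
    symbol, so it must never be trusted to stay inside the data."""
    pos = 0
    out: List[Tuple[str, object]] = []

    def take(n: int) -> int:
        nonlocal pos
        if pos + n > len(bits):
            raise ValueError("bitstream ended mid-segment")
        val = int(bits[pos:pos + n], 2)
        pos += n
        return val

    while pos + 4 <= len(bits):
        mode = take(4)
        if mode == 0b0000:                      # terminator
            break
        if mode == 0b0100:                      # byte mode
            n = take(8)
            out.append(("byte", bytes(take(8) for _ in range(n))))
        elif mode == 0b0001:                    # numeric mode: 3 digits -> 10 bits
            n = take(10)
            digits = ""
            while n >= 3:
                digits += f"{take(10):03d}"
                n -= 3
            if n == 2:
                digits += f"{take(7):02d}"
            elif n == 1:
                digits += f"{take(4):d}"
            out.append(("numeric", digits))
        else:
            raise ValueError(f"unsupported mode indicator {mode:04b}")
    return out


if __name__ == "__main__":
    fmt = encode_format("L", 0)
    print(f"format field for EC level L, mask 0: {fmt:015b}")
    print("after 3 flipped modules:", decode_format(fmt ^ 0b100000000001001))
    hello = "0100" + "00000101" + "".join(f"{b:08b}" for b in b"hello") + "0000"
    print(decode_segments(hello))
```

Two values are worth checking against published tables: EC level M with mask 0 has all-zero data bits, so its format field is exactly the XOR mask, and EC level L with mask 0 comes out as 111011111000100. The parser deliberately raises rather than reading past the end when a byte-mode segment claims more characters than the bitstream holds.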

I use this app on my Android to decode QR codes and other barcodes.

There are others, too. I installed this one through the f-droid store, but there might be some on the play store.

When I scan a code it shows me the encoded text. If it is a link, I can click on the link to open it in my browser. If it is some other text I can copy it to the clipboard, or whatever. For example, I pointed it at the fleshy one above, and it says “Maci Clare Peltz”.

Maybe in the US. But where I live, (a) publicly-posted QR codes are used to trigger a lot of online interactions, and (b) that leads to widespread efforts to hijack the function.

The most common is related to our parking kiosks, where a QR code is used to trigger your “pay for parking” app. The scammer just covers the official code with a sticker that directs the user to a website which simulates the parking app and harvests login details. Or, for kiosks which don’t present an official QR code, just put the sticker on anyway, knowing that people are familiar with the use case and will scan it out of habit.

Here’s a recent news article about the phenomenon here. The same happens in neighboring countries with meaningful frequency.

According to news stories I’ve read, twice someone has used drones to put a QR code in the sky above a city at night. Many people in the city pointed their cell phones at it and clicked on the QR code. They discovered they had been Rickrolled.

Ah, good point. Yeah, the social engineering ones probably work way better (for the scammers) than any software vulnerability.

Yeah, when I worked in IT in local government, I strongly argued against the idea of the parking service putting QR codes on all of their signage, just because it’s incredibly easy for anyone to just overlabel them with a different code that points to a fake payment portal.

Slight tangent: it seems a significant number of non-technical users regard barcodes and QR codes as somehow more ‘secure’ than plain text, and I have had to discourage users from using them to encode login credentials that would then be kept in plain sight. A computer workstation with a barcode stuck on the monitor frame, containing your password, that you scan using a reader plugged into the computer, is slightly LESS secure than one where the password is written in plain text on a sticker on the underside of the keyboard, because at least in that latter case, someone might at least type in the password incorrectly.
Here’s an example of someone doing that, notionally because they think it’s more secure.

I will say, even though I don’t trust QR codes in the wild, there are certainly useful and even clever applications for them.

For example: my older daughter’s high school class did a presentation for parents a couple of weeks ago, recapping a field trip they took earlier in the year. Their show included a PowerPoint type deck for sharing pictures and other information about the trip.

At the very beginning, they put up a slide with a QR code, which embedded the URL to the night’s program. This saved them the trouble (and wasted paper) of making copies and distributing them to the audience.

Then, toward the end, they put up another code, which linked us to an automatic sign-in page for an online game portal, where they’d created a quiz on the information they’d shared about the trip. Anyone who wanted to participate just scanned the code and immediately joined the pool of competitors. Faster and more efficient than putting up an instruction slide about going to a web address and clicking X and choosing an Avatar etc etc.

So while one should be on one’s guard, they do have their uses.

It IS a URL. Just in 2D barcode format. In essence, a regular 1D barcode like a UPC code can only hold so much data, and something was needed to encode more information, like, say, a good-sized URL.

QR codes are the method that stuck. But there’s nothing magical or mystical about them; they’re just a URL that’s been encoded into a 2D barcode.

My phone (Galaxy S23 Ultra) shows a little preview of the URL that can be expanded before it actually opens it. Maybe your phone can do something similar?

One thing that is being discussed where I work is digitizing the manuals and documentation for all sorts of industrial equipment and putting them into SharePoint or something similar, and then creating QR code stickers to actually put ON the piece of equipment or gear, so maintenance folks can find the exact documentation they need when and where they need it.

Unless the network is down and they need the manual to know how to fix it…

PK, I’ve never used one.
Do I need a special app on my phone to do it?

Not anymore.

When QR codes were first introduced for general/commercial use, maybe a decade ago, one did need a specialized QR reader app to read them (and direct your phone browser to the correct website). Today, the standard camera apps on iPhones and Android phones have the capability to read the codes, and send you to the websites.

To read a QR code, just open your phone’s camera app, and point your phone’s camera lens at the code (you may need to adjust how far away the phone is from the code, to read it clearly). You’ll likely then get a prompt asking you if you want to proceed to the website encoded in the QR code.

I hope that tattoo artist practised a bunch with pen and paper before getting the needle out! Here’s a guy who made a QR code out of Damascus steel. It points to his web shop.

Well, yeah. But in this case, there is a lot of redundancy, and this was for routine maintenance more than emergency maintenance.