Is scanning QR codes with your phone risky?

I was at a restaurant where they refused to bring a menu, but wanted you to scan a QR code which had been pasted onto the table. This was to download a menu onto your phone and you were to order from there.

The QR code label looked kind of ratty, and I did not feel comfortable scanning it into my phone. I left and went looking for another restaurant.

However, I know nothing about QR codes. How safe is it to go around scanning any or all codes when told to do so? Could this download some sort of virus or phishing program into my phone?

I do not know the answer, but the few times I have done what you are describing, the QR code merely brought up the restaurant’s online menu, that is already on their website. Seems to me that’s about as risky as browsing to the restaurant’s website on your phone, and then viewing their menu. I assume any questionable content, security-wise, would be flagged by whatever anti-virus is on your phone.

I, too, would be interested in knowing if QR codes, which are becoming ever more used, can harbor the dangers you mentioned.

The purpose of this practice, in case anyone is wondering, is to reduce the spread of (potential Covid) germs by repeated handling of menus that lots of other people have touched. Places with plastic menus can, alternatively, wipe them down every time (I have been in one or two places that claim to do that). Or they can print up disposable paper menus. The QR code solution is probably the easiest to implement, but woe betide anyone who doesn’t have a smart phone with them, or who has never used a QR code before (I had a nice server explain to me how to do it, the first time this came up). And yes, every QR code I have ever paid any attention to, restaurant menu or otherwise, has just been a link to an online site.

A QR code can absolutely be potentially dangerous. The main problem is opacity; you’re being asked to scan something on complete faith that it’s not malicious. It’s little different from just clicking on every link in every email you receive just because it says, “Trust me!”

You can mitigate the danger by using a QR scanner from a company like Norton or Kaspersky (both have apps for Android and iOS) which can give you a preview of the content before taking you to whatever destination it’s directing you to, and warn you if that destination is known to be sketchy. Not a perfect solution, but better than nothing.

If I had been in the OP’s scenario I’d ask for the exact URL instead to manually type into my device, and if they refused to provide it, I’d get up and leave.

It is possible, but it’s extremely unlikely that a restaurant is going to try to compromise your phone via QR code. Anything capable of doing so via a simple link is going to be a highly valuable 0-day exploit. If you had such a thing and wanted to get the most value out of it, would you:

  1. Spam the link out via some automated process and try to ensnare thousands or millions of people
    or
  2. Print out a few stickers and put them on restaurant tables and maybe get dozens of people per day.

I wouldn’t think twice about it.

What threat model is this protecting against?

I’m confused. Are you envisioning a scenario in which a restaurant would give a customer a QR code to scan that wouldn’t take them to their menu, but to some other completely different site? An actual real, open-to-the-public restaurant? In which every table is occupied by people seemingly scanning the menu from their smartphone but really being taken instead to an ad for BIG BONERZ EZ ENLARGEMENT CREAM even though nobody is saying a word about it? What would your reaction be if they were to ask for your credit card because they “want” to “use” it to “pay” your “bill?”

Who is to say that a previous diner with malicious intent didn’t replace/paste over their own QR code that points to their own malware-infested site that starts downloading viruses as soon as the page loads. By the time you realize it’s not the menu, it’s already too late.

Not saying this is likely or probable to happen, but definitely possible, so yes scanning a QR code could be risky.

ETA: double ninja’d

No one does this. If you have a malware-infested site that can infect a phone on visit, you have to be using a fairly sophisticated exploit. No one with such a thing would waste it on a restaurant table.

The fact that it’s possible to imagine a way that a QR code could be used maliciously doesn’t mean it’s a real threat that anyone should take seriously. This is not a real threat.

Clicking on a link in an email from someone you don’t know? High risk
Reading a QR code in a restaurant? Virtually zero risk
Typing in a URL instead of scanning the QR code that gives you the exact same URL? Pointless.

A QR code is just a way of encoding a URL. Do you trust the source of the URL?

Or to appeal to Chinese tourists. It’s a normal method of operation in China.

Pasted-over QR codes certainly have risks (they’re just links), but I would score the probability very low in a restaurant - that’s not to say low-probability risks can always be ignored - for example they are still worth mitigating if the severity is high.

One specific context where I had to sternly warn against using QR codes was on public-facing signs for on-street parking; I was working in local government, and the parking enforcement department wanted to put QR codes on signs on the street, so people could just scan them and go straight to a web page to pay for their parking. Way too easy for someone to over-label with an alternative URL for a spoofed page that just takes the money somewhere else.

This is informative. Like I said, I know nothing about QR codes. So they’re just a link to a website?

The only other way I’ve ever used them is for airline flight check-ins, and that worked the other way - someone else was reading one off of my phone.

A friend of mine co-owns a cool up-scale bistro. His menu is discoverable using a QR code provided. I love it! There are constantly updated specials, suggestions for drinks, an accurate wine list with links for reading more, etc.

When you are finished and they bring your check you can pay traditionally, or you can use the QR code to pay, in my case with ApplePay.

More generally, they’re just a short string of text. But the short strings of text that are most useful are typically URLs, so that’s what they’re usually used for, and so most QR readers are designed to take you straight to that URL if that’s what it is.

You could, instead, make the content of a QR code an English sentence, but the reader wouldn’t know what to do with that other than just displaying it to the user, so that would bear no risk at all (absent some really weird exploitable bug in the reader, like a buffer overflow or something). In principle, you could make the content a whole novel: I don’t think there’s any inherent upper limit to the size of a QR code, except of course that if you try to make it too big a camera won’t be able to capture it.

Scan at your own risk :wink:

(For those who don’t want to do it, it’s just the exact same words as the previous post.)

I scanned it fully expecting to get rickrolled, though.

Damn I wish I’d thought of that.

Strictly speaking, that’s true. But a malicious QR code could bring up a URL that is visually similar to the real thing, and the user might not notice. Typos, substituting 0 for O, etc. Gets even worse when Unicode is involved. Try this for instance:

What happens depends a bit on your QR scanner. On mine, it brings up a URL that looks very familiar. When you click on it, though, it’s clearly not the same thing at all.
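The two points above, that a QR code is only a short string of text which the reader opens if it looks like a URL, and that a malicious code can carry a URL which looks like the real one but is not, are easy to see in code. The following is an added example, not code from this thread or from any scanner app it mentions. It assumes the scanner has already decoded the QR image into its text payload and shows the "preview before opening" checks a cautious reader can run on that text: is it a link at all, which host will actually be opened, does the host use punycode or non-Latin letters that render like a familiar name, and does it merely resemble the host you expected (0 for O, 1 for l, Cyrillic а for Latin a). All hosts and payloads in it are constructed for the example; `example.com` stands in for the restaurant's real domain.

```python
"""Preview a decoded QR payload before acting on it (added example, not from the thread)."""
import unicodedata
from urllib.parse import urlsplit

# Constructed test host: Latin "ex" + CYRILLIC SMALL LETTER A (U+0430) + "mple".
HOMOGRAPH_HOST = "ex\u0430mple.com"
# Its punycode (IDNA) form, which is how such a host actually travels inside a URL.
PUNYCODE_HOST = HOMOGRAPH_HOST.encode("idna").decode("ascii")

# Constructed payloads of the kind a scanner app hands back after decoding a code.
SAMPLE_PAYLOADS = [
    "Table 7: order at the counter",      # plain text, nothing to open
    "https://example.com/menu",           # the link you expected
    "http://example.com/menu",            # same host, but no TLS
    "https://examp1e.com/menu",           # digit 1 standing in for the letter l
    f"https://{HOMOGRAPH_HOST}/menu",     # Cyrillic homograph of example.com
    f"https://{PUNYCODE_HOST}/menu",      # the same homograph as punycode
    "https://example.com@evil.example/",  # 'example.com' is only a username here
    "tel:+15555550100",                   # triggers an action, not a web page
]

# Web schemes open a page; these others trigger an action on the phone instead.
ACTION_SCHEMES = {"mailto", "tel", "sms", "geo", "wifi"}

# Characters commonly swapped in for Latin letters: digits/punctuation, and the
# Cyrillic letters whose glyphs match Latin a, e, o, p, c.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def script_of(char):
    """Rough script name ('LATIN', 'CYRILLIC', ...) taken from the Unicode name."""
    try:
        return unicodedata.name(char).split()[0]
    except ValueError:
        return "UNKNOWN"


def unicode_host(host):
    """Decode punycode (xn--) labels so the host reads the way a browser shows it."""
    labels = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed label: keep the raw form so it stands out
        labels.append(label)
    return ".".join(labels)


def fold_confusables(host):
    """Normalize lookalike characters so 'examp1e' compares equal to 'example'."""
    return host.lower().translate(CONFUSABLES).replace("rn", "m")


def inspect_payload(payload, expected_host=None):
    """Classify one decoded payload and list what a scanner should warn about.

    Returns {'kind': 'text'|'web'|'action', 'host': str|None, 'warnings': [str]}.
    expected_host is the domain you would have typed by hand (hypothetical input).
    """
    warnings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme in ("http", "https"):
        kind = "web"
    elif scheme in ACTION_SCHEMES:
        kind = "action"
        warnings.append(f"'{scheme}:' payload triggers an action, not a web page")
    else:
        kind = "text"  # no recognised scheme: just display it, open nothing
    if kind != "web":
        return {"kind": kind, "host": None, "warnings": warnings}

    raw_host = parts.hostname or ""
    host = unicode_host(raw_host)
    if parts.username is not None:
        warnings.append(f"text before '@' is a username; the real host is '{host}'")
    if host != raw_host:
        warnings.append(f"punycode host '{raw_host}' is displayed as '{host}'")
    if not host.isascii():
        scripts = sorted({script_of(c) for c in host if c.isalpha()})
        warnings.append(f"host uses non-ASCII letters ({', '.join(scripts)})")
        if len(scripts) > 1:
            warnings.append("host mixes scripts: likely a homograph of a Latin name")
    if scheme != "https":
        warnings.append("not HTTPS: the page can be read or altered in transit")
    if expected_host and host.lower() != expected_host.lower():
        if fold_confusables(host) == fold_confusables(expected_host):
            warnings.append(f"host '{host}' is a lookalike of '{expected_host}'")
        else:
            warnings.append(f"host '{host}' is not '{expected_host}'")
    return {"kind": kind, "host": host, "warnings": warnings}


def preview(payloads=SAMPLE_PAYLOADS, expected_host="example.com"):
    """Run inspect_payload over a batch; returns [(payload, result), ...]."""
    return [(p, inspect_payload(p, expected_host)) for p in payloads]


if __name__ == "__main__":
    for payload, result in preview():
        print(f"{payload!r}: {result['kind']}")
        for w in result["warnings"]:
            print(f"    ! {w}")
```

The expected-host comparison is the programmatic form of the advice earlier in the thread to ask for the URL and type it yourself: if you know the restaurant's domain, anything that only folds down to it after swapping lookalike characters is the case the poster above is describing. Scanner apps that show a preview before opening are doing a version of these checks; the plain-text branch is also why an English sentence in a QR code is harmless to a reader, as noted above.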

Hey, that’s (kind of) my bit!

Currently, 3 KB.

BTW, they don’t have to look plain–check out some of these.

ETA: especially these.