an innocent-looking QR code

Attack of the QR codes

Give it a try with your mobile!
Don’t worry, no barcode on this blog post is malicious

Scary attack underway!

This image is a Quick Response code.

You’ve probably seen one before, as it’s often used to store website addresses to be scanned from a mobile, so that no one has to type the whole address manually.

The obvious risk with QR codes is that they can lead you to a malicious address, for infection or phishing – make sure your scanning app lets you confirm the URL!

the “secret”

However, this QR code hides a secret: it actually contains another barcode, of a different type, inside it. That inner barcode could be malicious. Not all applications will see it, but some will: very sneaky!

a QR code with an inner barcode

This is the… Attack of the QR codes!!!
(~ scary music playing ~)

How is it possible?

Barcodes use Error Correction, so that even if they are torn or badly printed, the information can be recovered. Even if you overwrite a part of the picture, it may still be valid:

a QR code with an overwritten center


So, in the middle, you can put another kind of barcode that might still be readable and will not necessarily be clearly visible to you:

a DataMatrix barcode

So be really careful: double-check before scanning, and again before validating what was scanned!
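Here is how a scanning app could do that double-check for you. This is an added example, not code from this post or from the paper. It assumes a decoder that reports every symbol it finds in the image with a bounding box; the `Symbol` fields, the verdict names and the sample values are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Symbol:
    """One decoded barcode. Field names are hypothetical, not a real decoder API."""
    kind: str      # symbology, e.g. "QRCODE" or "DATAMATRIX"
    payload: str   # decoded text
    box: tuple     # bounding box in pixels: (left, top, right, bottom)

def contains(outer, inner):
    """True when the inner bounding box lies entirely within the outer one."""
    return (outer[0] <= inner[0] and outer[1] <= inner[1]
            and outer[2] >= inner[2] and outer[3] >= inner[3])

def review_scan(symbols):
    """Return (verdict, reasons) for all symbols decoded from one image.

    "confirm": one unambiguous payload, show it in full and ask the user.
    "block":   the image decodes to conflicting payloads, open nothing.
    "none":    nothing was decoded.
    """
    if not symbols:
        return "none", []
    reasons = []
    for outer in symbols:
        for inner in symbols:
            if inner is outer or not contains(outer.box, inner.box):
                continue
            if inner.payload != outer.payload:
                reasons.append(f"{inner.kind} nested inside {outer.kind} "
                               "with a different payload")
    # Symbols side by side with different payloads are ambiguous too.
    if not reasons and len({s.payload for s in symbols}) > 1:
        reasons.append("several symbols with different payloads in one image")
    return ("block" if reasons else "confirm"), reasons

# Constructed decoder output for an image like the one above (values are made up).
NESTED = [
    Symbol("QRCODE", "https://example.com/menu", (0, 0, 290, 290)),
    Symbol("DATAMATRIX", "https://example.net/login", (110, 110, 180, 180)),
]
PLAIN = [Symbol("QRCODE", "https://example.com/menu", (0, 0, 290, 290))]

if __name__ == "__main__":
    print(review_scan(NESTED))
    print(review_scan(PLAIN))
```

The check only works if the decoder is asked for every symbology it supports; an app that stops at the first symbol it recognises never sees the conflict.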

A bit more knowledge

  • to learn: the Wikipedia page has many technical details, nicely explained.
  • to experiment: an online generator, and an online decoder
  • to explore: an impressive halftone QR code generation technique (the image is IN the barcode, not over the barcode)
    the Avira logo IN a QR code
  • the original paper presenting this QR code attack, with detailed experiments
    "QR Inception" academic paper

The most important part

In 2015, every security risk needs a logo, so here it is:

(let's see how many people say that there is a typo)
Attack of the Q(ille)R codes
Engine developer