Hacking QR Codes For Fun And Profit

QR codes are everywhere these days, from being printed onto receipts to chiseled into granite tombstones. [Will] came up with a way to modify existing QR codes, and his hack has the potential to cause quite a bit of harmless mischief.

[Will]’s hack involves a little photo editing, transparency film, and some white-out/Liquid Paper/Tippex. After the ‘target’ and ‘destination’ QR codes have been imported into Gimp, the differences are found and the result printed out on a transparency sheet. After that,  hang the transparency over the original and the QR code now goes to the URL of your choice.

On a ‘high’ level of error correction, a lot of neat stuff can be done with the design of a QR code including putting logos inside a QR code by modifying the 359 ‘data pixels’ of a 25×25 code. We’re wondering if anyone has ever written a script to exploit the error correction of QR codes. In any event, it is possible to brute-force changes until the least number of pixels are changed.

The ISO 18004 standard is available online if anyone would like to take up that challenge. If a Hack A Day reader figures it out, send in the code on the tip line and we’ll put that right up.

45 thoughts on “Hacking QR Codes For Fun And Profit

    1. You need to relax. A prank is a prank. If you are soooo distraught over losing a couple seconds that you COULD have used to easily type out the address manually, then you really need to rethink your priorities.

    2. Actually, this is valuable as a teaching tool. People need to understand that just because the words says “google” doesn’t mean that’s what the black-and-white blocks have in them.

      Nothing is easier to forge than a barcode, because most humans simply can’t read them. They can’t inherently know if they’re looking at a good one or a malicious one.

      I see too many people who simply trust barcodes completely. They confuse the human readable for the data. Or they think it’s a good idea to slap on a barcode that represents the actual value instead of a pointer to the value (coupons).

      For that matter, you can even do SQL barcode injection attacks just like on the web. Some guy presented it at C3 a couple years ago where he hacked a video rental kiosk by injecting bad barcodes. Do you still think it’s a great idea to have your cash register scan your customer’s iPhone screen, Starbucks?

    3. I believe it is a reasonable teaching tool as well. The reason is very clear— If a person can manipulate the code this way, then what do you think they can do to your bank account information if or when you cash a check using this thing. Sometimes the easiest way to do something is not always the best way, and I believe this teaches the limitations, and problems with this type code.

    1. I’m sure it would be possible to modify a QR code with just a marker, but you’ll invariably run into situations where you’ll need to change a black pixel to a white pixel.

      Looking at the ISO spec, it’s possible, but I can’t find anything on a script that will find the most efficient change from an original QR code to a ‘target’ code.

    1. 100% what i was thinking. I guess the only advantage is that a transparent film could hang over anything where as a white paper could potentially look out of place against a colored background.

    1. yes mon frere, yes it would. With the right type of sticker paper it would look official, albeit an official afterthought.

      Now I need a deck of pain series QR stickers in my wallet at all times.

  1. I was thinking about this the other day when I noticed lots of stores hanging this on their windows for easy access to their website.

    Excellent “rick rollin'” target if you ask me.

    @Zee: QR codes are inherently unsafe. It is unwise to use them; at least with a URL you can see what it’s visiting. For all, it could link to a PDF file exploiting native browser or operating system vulnerabilities… THAT would be really nasty…

    1. Excellent idea … We make a site that uses flash/pdf/whatever exploit to install a rickroll spyware.

      Software Description:

      Sit silently until a set of events occur (eg the user types “Rick”). Then turn the volume down low and play pieces of “Never Going To Give You Up”. The target will have that song stuck in their heads and not know why! Epic trolling!

    2. I’ve only used one QR code reader (on my Android phone) but I would assume they all show you the decoded information and make you press a button to view the data (e.g. browse to the URL). Besides that, some codes aren’t even a URL at all, just text, etc.

      Now, that doesn’t remove the danger of “phishing” using a URL that, at first glance, looks legit, but that doesn’t make QR codes any more “inherently unsafe” than human-readable codes, if you’re paying attention.

  2. This is just silly. As an aside. A lot of advertisement posters are actually put up illegally. So, the better question is: Is vandalizing a vandal’s work really morally evil?

  3. Umm.. why would you waste your time overlaying it and manually drawing in the white splotches when you could just print the QR code straight up and paste it over top or something similar?

    I get how the idea is neat, but it’s never pratical.

  4. I thought this was an interesting bit of research into how to analyze QRs and find their differences…but yeah, in practice it would make much more sense to simply cover over the entire QR.

    Like already said, if you are going to physically stick something over the code in the first place, you might as well replace the whole thing.

  5. A friend and I had discussed this very thing, and had our Facebook profile pics set as QR codes.

    His led to a page that said “You just lost the game”

    Mine led to Goatse

    The comedy potential for this is near-infinite.

    Protest Signs (HELLO news) are wonderful targets

  6. I’m not sure why you would need to, but you could place these overlays on your own ad like a flip chart to have multiple QR codes without needing to take up more space on your advertisement.

  7. i for one appreciate this for 1 reason
    he didnt take the obvious route of simply replacing it(which would work alot better)
    he went the needlessly complicated route for 1 reason
    because he can appear geekier than ever!

  8. IMHO replacing a QR code isn’t much different from giving someone an obscure url like lemonparty…Or one that is supposed to look legit like bankofamerica.123.com. So in essence it’s not really a new thing.

  9. I predict that this will be the next wave in advertising. In the same way that websites have integrated ads until the usefulness of the web has been reduced to the point where I won’t go online without an adblocker, advertisers will start plastering QR codes all over the place. The fact that people can’t just look at a QR code and know what it says or where it goes makes most people an easy target. Even worse, most QR code apps don’t tell you what the code says before they happily send you to a target URL.

    I’m not looking forward to being QR rick-rolled.

    1. That is fine, as QR codes become more ‘viral’ QR code reading devices will be forced to become ‘secure’ in the sense that they will warn users of the site they’re about to visit.

      Hopefully the app makers will catch on quickly enough to where it’s not a real problem. Luckily we don’t have to get QR codes thrown at us like popups, we can simply ignore them.

  10. we need to have an android app that programatically finds the smallest differences needed, and displays what you needed to colour in black/white. its all well and good saying its easier to print out a whole QR code, but i for one dont usually carry a printer around with me.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.