New Technology Could Quash QR Code Phishing Attacks

University of Rochester

The improved QR code format would let smartphone users know if they're heading to a secure website, or wading into a potential 'quishing' scam.

The ubiquitous QR ("quick response") codes that appear on everything from parking pay stations to soda cans and promotional flyers have become an increasingly popular target for cybercriminals to exploit through QR code-based phishing attacks, also known as "quishing." Bad actors will place phony QR codes that direct smartphone users to enter their sensitive private information in fake websites masquerading as bank websites, parking enforcement offices, or other seemingly official sources.

Researchers at the University of Rochester have engineered a new form of QR codes, called self-authenticating dual-modulated QR (SDMQR), that can protect smartphone users from these types of attacks by signaling if users are being directed to a safe link or a potential scam. The technology is outlined in a new study published in the journal IEEE Security & Privacy.

The SDMQR codes provide an added layer of security by allowing an official source such as a company to pre-register its URLs and embed a cryptographic signature in a QR code. When a user scans a code, the QR code decoder can signal whether the link is from a verified source and can be safely followed, or is from an unverified source, in which case users should exercise caution in following the link and in sharing sensitive personal information.
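A minimal sketch of the verify-on-scan flow described above, added here as an illustration and not taken from the study or the researchers' implementation. The Ed25519 signatures, the host-keyed registry, the `Payload` layout and the `example.org` names are all assumptions; the page does not say how SDMQR encodes or checks its signature.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"net/url"
	"strings"
)

// Payload is what a decoder recovers from one scan (hypothetical layout):
// URL is the ordinary QR content, Sig the extra data a signed code carries.
type Payload struct {
	URL string
	Sig []byte // empty for a plain QR code
}

// Registry maps a pre-registered host to its owner's public key (constructed).
type Registry map[string]ed25519.PublicKey

// NewSource creates a key pair for a registering organization.
func NewSource() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, priv
}

// Issue is the registered source's side: sign the exact URL string.
func Issue(priv ed25519.PrivateKey, rawURL string) Payload {
	return Payload{URL: rawURL, Sig: ed25519.Sign(priv, []byte(rawURL))}
}

// Classify is the decoder's side. The URL is always still readable; only
// the trust signal shown to the user changes.
func Classify(reg Registry, p Payload) string {
	u, err := url.Parse(p.URL)
	if err != nil {
		return "unverified"
	}
	pub, ok := reg[strings.ToLower(u.Hostname())]
	if !ok || !ed25519.Verify(pub, []byte(p.URL), p.Sig) {
		return "unverified"
	}
	return "verified"
}

func main() {
	pub, priv := NewSource()
	reg := Registry{"pay.example.org": pub}
	fmt.Println(Classify(reg, Issue(priv, "https://pay.example.org/lot/7")))
}
```

Because the signature covers the full URL and the key is looked up by host, a signature copied onto a different link, or a valid signature from an unregistered key, still yields "unverified".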

Importantly, the added layer of security with SDMQR codes comes transparently, without any interference with the existing functionality of a QR code. "Retrofitting security is always a key challenge because once you've got existing players in the game, and an existing workflow, changes that do not maintain backward compatibility are just too disruptive," says Gaurav Sharma, a professor of electrical and computer engineering, computer science, and biostatistics and computational biology.

SDMQR codes look much like traditional QR codes, but they use elongated ellipses instead of the traditional black and white squares. Today's smartphone cameras have such a high resolution that they can differentiate the more complex shapes and, as a result, embed more information in each code.

Sharma and his coauthor Irving Barron, an assistant professor of instruction in electrical and computer engineering, have been exploring opportunities to commercialize the technology. They worked with UR Ventures to file a patent for SDMQR codes and secured a National Science Foundation I-Corps grant to explore industry applications, such as replacing traditional UPC barcodes (the 12-digit code and series of bars that typically identify a product) with these more sophisticated QR codes.

In addition to using new shapes for QR codes, the researchers are developing QR codes that can use color to embed more information and allow a single code to drive people to up to three destinations. Sharma says that their customer discovery research through the NSF I-Corps has shown that companies are interested in the technology because it allows for branded codes that could be used on packaging to replace both the modern black-and-white codes and the UPC codes scanned at checkout aisles.

"Something that has been repeatedly brought up to us is that companies want to move away from having a traditional UPC barcode on their packaging and are increasingly moving to QR codes and other 2D barcodes because of their robustness," says Sharma. "The footprint is a concern because they want to have as much information in as small an area as possible. Our technology can help them achieve that."
