Scanning QR Codes in Restaurants: Why A Meal May Cost You Your Privacy

If you’ve been to a restaurant amid the coronavirus pandemic, you may have been asked to use a QR code to access a digital menu.

Quick Response (QR) codes are barcodes that can be scanned by smartphone cameras to direct consumers to a website. When accessed, the code enables you to browse the menu, order a meal, or make a payment.

The use of QR codes in restaurants and bars have become popular because of the COVID-19 safety protocols. Restaurants had to either use QR codes or disinfect menus between each use which could have only led to excessive work for restaurant employees.

But, taking advantage of the rise of touchless services during the pandemic, cyber criminals have found a new way to infect mobile devices using QR codes.

A Sneaky Security Threat

Sudarashan Pillai, 32, a resident of Pune who recently visited a south Indian restaurant chain said that he had to scan the QR code in order to gain access to the digital menu.

But soon after he scanned the QR code, his phone was bugged with adware. "After I went home, unwanted notifications with sexual content started to appear on my screen," he told The Quint.

Pillai had to format his device to stop unwanted notifications to appear on his device.

Another Pune resident Navneet Bhandare, 28, alleged that he started receiving spam emails as soon as he scanned a QR code in a restaurant after he was asked to register his name and email address on the link.

QR codes are here to stay due to the amount of customer data that can be collected from scanning it.

This data includes the list of best-selling dishes, customer’s order history, preferences, average time and money spent and even their credit card/ debit card information.

A 32-year-old sales manager in Chandigarh placed an advertisement to sell his refrigerator. He was approached by a person posing as a buyer who offered to buy the product at the marked price.

The caller did not negotiate and told the victim that he would like to buy the product for Rs 21,000. But he said he would make the payment online and asked the victim to scan a QR code.

"As soon as I scanned the QR code, a sum of Rs 32,000 was withdrawn from my account. Then the caller switched off his phone and was unreachable thereafter," the victim told The Quint.

How Do Hackers Steal Data Via QR Codes?

The Quint in a joint investigation with Sourajeet Majumder, an independent cyber security researcher, tested an experiment to demonstrate how hackers steal your data via QR codes.

For this experiment Metasploit, a software widely used by Hackers and Security Researchers was used.

After firing Metasploit on Kali Linux machine and using a set of codes, a malicious application which can access all your files was created.

A fake QR code was created by pasting the malicious link on a QR code generator. The QR code was then installed to a phone device (in this case researcher's own device). As soon as the QR code was scanned, the spyware was installed.

The Kali Linux machine was ready to gain complete access to the mobile phone's data. Starting from accessing the victim device's call logs, contacts, SMS, screenshots geolocation, and even camera.

How Should You Stay Safe?

Here are some strategies to prevent QR hacking:

• Try to avoid scanning QR codes as much as you can. if the link looks suspicious don't scan it.

• Before scanning any QR code, check where the code is pasted. If it’s on a famous restaurant menu it’s probably safe to scan but not always.

• Do not scan a code sent by someone you do not know personally.

• Install a QR scanner app with a preview function. So that you can inspect any link before opening it.

• Be suspicious of generic black and white QR codes.