QR codes are used everywhere in the world. From product packaging to airline boarding passes from government documents to mobile phones. In the modern world QR codes have become the bread and butter. But are they as safe as everyone claims? Can there be malicious QR codes? Is hacking QR codes possible? Can we make custom QR codes?
Well, the truth is QR codes can easily fool humans because we cannot understand the contents of a QR code. Unlike malicious software and phishing links. Malicious and regular QR codes are indistinguishable to naked eyes. And it is relatively easy to make malicious custom QR Codes.
Thanks to security flaws in many of these scanning devices, it’s now possible to exploit common vulnerabilities and exploits packed into custom QR codes. You might be wondering how easy it is to hack these QR codes. How easy it might be for you to learn to hack with QR codes.
Look no further we will show you exactly how to hack devices using QR codes.
These malicious QR codes are easy to make. Most importantly, there are easy scripts and tools to make malicious QR codes.
DISCLAIMER: This is an educational article meant to aware and educates readers about the hacks. Do not use this tool or website on any website. Do not apply or execute any method or use tools without concern of the party. We want to make readers aware of active threats and how they work. Use this article only for educational purposes.
Table of contents
What Are QR Codes?
QR codes are the machine-readable data formats that are used to transfer data between devices automatically with a single scan. They are useful for automation and anything that needs to be scanned automatically.
Before QR codes, there used to be linear barcodes that stored data in lines. Then over the years, QR codes became more and more complex with each passing day.
First-generation was line codes, as shown below:
The second generation was 2nd and 3rd gen codes, as shown below:
As you can see from the images, the complexity of QR codes has increased, so has the amount of data it can contain. A single QR code can hold up to 4,296 ASCII characters.
This might not seem like much, but it can let you do a lot of naughty stuff.
Many phone manufacturers like MI have started giving the use of the ability to share Wi-Fi passwords using QR codes as convenient as it may sound it can leave devices exposed to QR code scams.
This works because anyone finding on the QR code would find themselves connected to the Wi-Fi network. But the real question is what would happen if the network was malicious in the first place
Because humans cannot differentiate between Malicious and regular QR codes without scanning them. It becomes challenging for regular users to be secure from malicious QR codes. Not to mention, there are no antivirus programs for QR codes.
So let’s start hacking Qr codes
We will be checking out two different types of hacks:
- Hacking Scanners with QR GEN
- Making malicious QR codes with QRGEN
Hacking scanners and devices with QR codes
The hacking tool we will be using today is QR gen. It is a Python tool that can help us make malicious QR codes. It also has a lot of readymade exploits which we can use to our advantage. But I would recommend using it on Kali Linux just because of the ease of access and functionality.
Python is by default installed in Linux If you are using any otherwise then you will have to install Python and the required dependencies in case you are using any other operating system.
- Step 1: Cloning the tool
Clone the Github repository using the following command:
git clone https://github.com/h0nus/QRGen
- Step 2: Now type the following commands:
cd QRGen ls
- Step 3: Now install all the software requirements for this tool.
pip3 install -r requirements.txt
- Step 4: If that did not work, then use this alternative command.
python3 -m pip install -r requirements.txt
- Step 5: Now, run the script by typing python3 qrgen.py.
As you can see, it’s pretty easy to see what this tool can do. And how easily hackers can exploit QR codes.
- Step 6: There are the following readymade exploits available in QR gen:
- Step 7: We will choose one of them. So let’s go with option 2. Command injection. I will use the following command to select my choice: python3 qrgen.py -l 2A bunch of QR codes will be generated and stored in the green folder.
To see your generated payloads, type cd genqr to change to the directory and type ls.
cd genqr ls
Or just open the QR gen folder. As you can probably see, each of these images has a hidden command. On your system, you can try them using a mobile scanner. Each QR code is automatically generated and has a different hidden command. But what if you wanted to make custom payloads.
Secret Method: Making Custom Payloads in QR Code
- Step 1: To encode a custom payload, we first need to create a text file which contains the payload. Do note it can only take simple payloads and not complicated payloads. So I decided to create a simple text file in the QRGen folder
cd QRGen nano exploit.txt
- Step 2: In that text file, we can put our payload or phishing URL. The one below is facebook.com. Just for simplicity, I`m using this
- Step 3: We can save the file by pressing Control X, then hit Y and Enter to confirm your save. Now, you should see a text file. Type ls to confirm
- Step 4: To write your payload to a QR code, we need to use the -w flag. I am assuming you named the file exploit.txt.
As you can see below, you need to be in the QRGen directory for this to properly work. Also, the txt file needs to be in QRGen directory.
cd python3 qrgen.py -w '/username/QRGen/genqr/exploit.txt'
- Step 5: For my facebook.com URL, it generates the QR code below. You can find this in QRGen folder.
As you can see scanning QR codes without knowing what they contain can lead to disasters. Also, there are no anti-virus systems to prevent malicious QR codes.
These malicious QR codes can make the user visit phishing pages or download malicious software and apps. Many scanning apps directly open files without checking the contents. Some even execute commands. So the next time you are scanning QR codes beware.
Commonly asked questions about QR gen
Q1. Is this tool legal to use?
Yes, hack using qr codes are only meant for testing purposes please do not use it for any legal reasons.
Q2. Can anyone use this tool?
Yes anyone who has a PC with Python installed and use it it can also be installed on Raspberry Pi if needed, but you want to speak to show the QR code if you know what I mean
Q3. Can I hack WhatsApp using this hack?
That is a different exploit – WhatsApp web exploits; this exploit is slightly different and is meant for a different purpose.
Q4. Can I make Custom QR codes without this tool?
Of course, you can. There are many tools available. Feel free to test them out.
Hope you liked hacking QR codes. Thanks for reading. Do donate and share the article.