Stating the Obvious: The Rise of QR Code-Based Attacks

QR code-based attacks are on the rise, and it's no surprise why. Almost everyone carries a smartphone, making QR codes effortless to scan. QR codes are everywhere—on restaurant menus, event tickets, and even advertisements—creating a massive attack surface for bad actors to exploit.

You may have come across the term “Quishing”—a blend of QR code and phishing. Essentially, it’s phishing using a QR code to lure victims. However, this is just the tip of the iceberg. Threat actors can use QR codes to deliver malicious payloads, exploit browser vulnerabilities, or carry out other harmful activities.

What’s the Right Security Approach?

For QR-based phishing, the guidance might seem straightforward: treat it like any other phishing attempt. Don’t enter sensitive information unless you’re confident in the source, and stay vigilant for suspicious signs. However, the sheer size of the attack surface and users’ reduced caution—especially when outside of a “work” context—make this easier said than done.

When it comes to browser exploits, the challenge shifts dramatically. The question isn't, “Can I safely scan this QR code?” but rather, “Should I scan it at all?” This concern grows in social situations where scanning a QR code feels almost unavoidable—be it accessing a restaurant menu or following event instructions.

What is a QR Code?

At its core, a QR code contains encoded content, most often a URL. When scanned, this URL is typically processed by a built-in browser on your device. The challenge is compounded by the fact that the URL is not visible at the time of scanning. This means traditional methods of detecting potentially malicious destinations—such as scrutinizing a URL before clicking—are ineffective in this context.

What is the solution for QR code-driven attacks?

How can we ensure secure access to random and potentially malicious URLs? Leverage inline traffic inspection technology such as Netskope SSE. The depth of security coverage should be a separate conversation  - let me just state that we are talking about the most advanced threat detection and remediation technology in the industry.  

At first glance, the solution seems straightforward: deploy the Netskope SSE engine inline between users and their destinations, ensuring SSL inspection, anti-malware and anti-phishing protection, and filtering and remediation policies are in place. Unfortunately, the reality is a little bit more nuanced. Most mobile devices in the field are personal, and with that comes strong expectations of privacy. This presents a fundamental tension: the battle between security and privacy often leaves no clear winners—like the stalemate of a nuclear arms race.

The goal here isn’t to resolve the entire security-privacy debate but to explore what can be done on iOS devices to reduce anxiety and security risks while scanning QR codes on demand.

The term on demand is crucial. Users often resist adopting security measures that might infringe on their privacy. However, the seconds required to securely scan a QR code could be viewed as an exception—striking a balance between convenience and protection.

What building blocks are required to assemble the solution?

• Netskope SSE Tenant
  • Appropriate subscription package (SWG, Threat Protection, RBI) 
  • Real-Time threat protection policy and optional RBI policy
• Mobile Device Management (MDM) tools such as Microsoft Intune, Omnissa Workspace One, Ivanti Neurons and others  
• iOS devices enrolled to MDM via (Automated) Device Enrollment type 
• Netskope Client deployed by MDMs and enrolled with the above Netskope tenant. 
  • VPN profile type should be “On-Demand” 
  • On-demand “Action - Connect” should be omitted - that the only deviation from deployment guidelines provided below
    • Microsoft Intune
    • Omnissa (Vmware) Workspace One
    • Ivanti Neurons (MobileIron Cloud)  
• iOS shortcut which should be distributed and activated manually by the users. For supervised devices the use of iOS Shortcuts should not be restricted
• User training Conduct user training sessions to educate users about QR code related threats and recommended safe scanning practices

How does it work?

Netskope Client is expected to get deployed by MDM and remain in disabled state. It activates on demand, triggered by the launch of the iOS Shortcut, which opens a QR code scanning tool. To enhance usability, the Shortcut will periodically verify if continued security is required. This approach allows users to easily disable the client when no longer needed, striking a balance between security and convenience.

Demo