QR codes are used everywhere in the world. From product packaging to airline boarding passes from government documents to mobiles phones. In the modern world QR codes have become the bread and butter. But are they as safe as everyone claims? Can there be malicious QR codes? Is hacking QR codes possible? Can we make custom QR codes?
Well, the truth is QR codes can easily fool humans because we cannot understand the contents of a QR code. Unlike malicious software and phishing links. Malicious and regular QR codes are indistinguishable to naked eyes. And it is relatively easy to make malicious custom QR Codes.
Thanks to security flaws in many of these scanning devices, it’s now possible to exploit common vulnerabilities and exploits packed into custom QR codes. You might be wondering how easy it is to hack these QR codes. How easy it might be for you to learn to hack with QR codes.
Look no further we will show you exactly how to hack devices using QR codes.
These malicious QR codes are easy to make. Most importantly, there are easy scripts and tools to make malicious these malicious QR codes.
DISCLAIMER: This is an educational article meant to aware and educates readers about the hacks. Do not use this tool or website on any website. Do not apply or execute any method or use tools without concern of the party. We want to make readers aware of active threats and how they work. Use this article only for educational purposes.
What Are QR Codes?
QR codes are the machine-readable data formats that are used to transfer data between devices automatically with a single scan. They are useful for automation and anything that needs to be scanned automatically.
Before QR codes, there used to be linear barcodes which stored data in lines. Then over the years, QR codes became more and more complex with each passing day.
First-generation was line codes, as shown below:
The second generation was 2nd and 3rd gen codes, as shown below:
As you can see from the images, the complexity of QR codes has increased, so has the amount of data it can contain. A single QR code can hold up to 4,296 ASCII characters.
This might not seem like much, but it can let you do a lot of naughty stuff.
Many phone manufacturers like MI have started giving the use of the ability to share the Wi-Fi passwords using QR codes as convenient as it may sound it can leave devices exposed to QR code scams.
The way this works is anyone finding on the QR code would find themselves connected to the Wi-Fi network. But the real question is what would happen if the network was malicious in the first place
Because humans cannot differentiate between Malicious and regular QR code without scanning it. It becomes challenging for regular users to be secure from malicious QR codes. Not to mention, there are no antivirus programs for QR codes.
So let’s start hacking Qr codes
We will be checking out two different types of hacks:
- Hacking Scanners with QR GEN
- Making malicious QR codes with QRGEN
Hacking scanners and devices with QR codes
The hacking tool we will be using today is QR gen. It is a Python tool which can help us make malicious QR codes. It also has a lot of readymade exploits which we can use to our advantage. But I would recommend using it on Kali Linux just because of the ease of access and functionality.
Python is by default installed in Linux If you are using any otherwise then you will have to install Python and the required dependencies in case you are using any other operating system.
Step 1: Cloning the tool
Clone the Github repository using the following command:
git clone https://github.com/h0nus/QRGen
Step 2: Now type the following commands:
cd QRGen ls
Step 3: Now install all the software requirements for this tool.
pip3 install -r requirements.txt
Step 4: If that did not work, then use this alternative command.
python3 -m pip install -r requirements.txt
Step 5: Now, run the script by typing python3 qrgen.py.
As you can see, it’s pretty easy to see what this tool can do. And how easily hackers can exploit QR codes.
Step 6: There are the following readymade exploits available in QR gen:
Step 7: We will choose one of them. So let’s go with option 2. Command injection. I will use the following command to select my choice:
python3 qrgen.py -l 2A bunch of QR codes will be generated and stored in the qrgen folder.
To see your generated payloads, type cd genqr to change to the directory and type ls.
cd genqr ls
Or just open the QR gen folder. As you can probably see, each of these images has a hidden command. On your system, you can try them using a mobile scanner. Each QR code is automatically generated and has a different hidden command. But what if you wanted to make custom payloads.
Secret Method: Making Custom Payloads in QR Code
Step 1: To encode a custom payload, we first need to create a text file which contains the payload. Do note it can only take simple payloads and not complicated payloads. So I decided to create a simple text file in the QRGen folder
cd QRGen nano exploit.txt
Step 2: In that text file, we can put our payload or phishing URL. The one below is facebook.com. Just for simplicity, I`m using this
Step 3: We can save the file by pressing Control X, then hit Y and Enter to confirm your save. Now, you should see a text file. Type ls to confirm
Step 4: To write your payload to a QR code, we need to use the -w flag. I am assuming you named the file exploit.txt.
As you can see below, you need to be in the QRGen directory for this to properly work. Also, the txt file needs to be in QRGen directory.
cd python3 qrgen.py -w '/username/QRGen/genqr/exploit.txt'
Step 5: For my facebook.com URL, it generates the QR code below. You can find this in QRGen folder.
As you can see scanning QR codes without knowing what they contain can lead to disasters. Also, there are no anti-virus systems to prevent malicious QR codes.
These malicious QR codes can be used to make the user visit phishing pages or downloading malicious software and apps. Many scanning apps directly open files without checking the contents. Some even execute commands. So the next time you are scanning QR codes beware.
Commonly asked questions about QR gen
Q1. Is this tool legal to use?
Yes, it is only meant for testing purposes please do not use it for any legal reasons.
Q2. Can anyone use this tool?
Yes anyone who has a PC with Python installed and use it it can also be installed on Raspberry Pi if needed, but you want to speak to show the QR code if you know what I mean
Q3. Can I hack WhatsApp using this hack?
That is a different exploit – WhatsApp web exploits; this exploit is slightly different and is meant for a different purpose.
Q4. Can I make Custom QR codes without this tool?
Of course, you can. There are many tools available. Feel free to test them out.
Hope you liked hacking QR codes. Thanks for reading. Do donate and share the article.