There is way too much human interest to that article and way too little substance on the problems. Tl;dr - there’s no security risk unique to QR codes are that aren’t simply present on the Internet at-large.
Yes, but there are security risks unique to QR code menus at pizza joints that aren't present on pizza joint menus at large. The status quo for restaurant menus is printed text.
Also, QR codes obfuscate the request that is being sent.
The link to the article wasn't intended to be the be-all reason... just a general "something to think about here".
There is an inherent security risk... it is trivial, as the OPs article suggests, to print out a QR code, cover an existing public one, and send people to a phishing site. Unless people are being very careful about what sites they are on, they could easily be scammed.
I made a QR Code for my contact info in a VCard and set it as the home screen of my phone -- when I go to conventions it makes it really easy to connect with people.
There's a lot of cool stuff you can do with QR Codes now. Most of this stuff is 5-10 years old even, but the pandemic really helped educated people to look for QR Codes. Yay, Covid! =P
I've done something similar, but didn't like the static passwords. My guest wifi password is the current date, in YYYY-MM-DD format, it's been a great way to keep my guests (mildly) satisfied. The format changes on occasion
I started with this quite a long back, way before a separate Guest Wi-Fi was commonplace and we were OK just sharing the Wi-Fi. My ideology with guest at home was to offer Water and Wi-Fi. Guest were happy when Mobile Phone signals were bad (slow) and costly.
I've forgotten the tool used but I had a QR-Code for the guest Wi-Fi for a very long time. These days, people don't really care as the Internet speed on their phones are pretty fast enough and the cost is very cheap (India).
I switched to guest networks after I accidentally casted a browsing session to the TV with Chrome and a Chromecast plugged into the TV. Luckily nothing sensitive was shown but it could’ve been embarrassing with other (NSFW) content shown. The guest networks are segmented and use their own VLAN
For Wi-Fi though? Seems relatively low risk to me. Concerns over password security can be mitigated by those that care by using unique, randomly-generates strings per service.
People are generally less worried about wifi password quality, so perhaps a DB of the general types of passwords people use would be useful for an attacker? (regardless of the ability to defend oneself -- in any dense population area, the attacker only has to find one person with a poor password)
Don't know... Having an intruder in your home wifi seems pretty high risk to me. And I don't even live in a country with high chance to get killed upon a visit by your friendly neighbourhood SWAT team...
I've done this for years, quite convenient. I also have an NFC tag with the WiFi which works quicker (no need to open a QR scanner and no need to focus on the image for a sec) but I'm not sure if iOS supports it. I've put the tag behind the wifi "frame" so that you can just tap it instead of scanning it.
Android also has the option to "share" wifi via a QR code from the WiFi settings menu. It is quick and much easier than reading out the password to someone else.
iOS lets you share wifi passwords with someone else around you if they are trying to connect. I _think_ it uses your AirDrop privacy settings so for most reasonable people it would only work for people in their contact list.
The only thing I don't love about it is, there's very little user feedback. The person requesting just goes to the wifi password prompt and hopefully this generates the notification for one of their contacts.
Nice when it magically works (you go to wifi, and then someone in the room is like "Hey, dcdc123 wants the wifi password" and you are like "yep," and then it's all sorted), annoying when you are intentionally trying to use it with one particular person.
It would be nice if it showed something like "looking for contacts" "found <NAME>" etc etc.
My wife and I travel together full time so we connect to a lot of new networks. Sadly the feature is so buggy it is almost useless to us. Probably one in three tries it just hangs the receiver's UI making it so they cannot cancel, enter password, etc. We avoid using it now.
Programming NXP NTAG21x tags works on most recent iPhones too. Two apps I successfully used are "NFC Tools" and "NFC TagWriter by NXP". You can also associate the tags with Shortcuts and with automations in Home Assistant.
Thanks! This site actually produces attractive output which includes some instructions, as well as the network name and password, something other sites don't offer. It is handy to be able to have the password visible for situations where the QR Code isn't a viable option, like setting up a laptop.
This right here. I've done the same. It's absurd the level of password hoops at some places. I appreciate the secure password, but when it's hand written in marker and faded it can be quite frustrating.
It might have to be setup by an Airbnb host but the past few places I've stayed at had the ability to press a button inside the Airbnb app to automatically connect to their WiFi. Definitely saves some of the less tech-savvy hosts from having to figure out how to create a WiFi QR Code and print it out
Bit of a self-plug I know, but this reminds me of something I had made a while back (https://github.com/kmanc/wifi_qr). Nice work! Always fun to see others' take on neat projects
EDIT - I had an idea that I'm currently working through that I like but am a little stuck so taking a break before I revisit. TLDR is to use an ATTINY85 to auto-"type" the password in for folks who bring a laptop and can't scan the QR code. I wrote the Python code to generate the .ino script that would actually do the writing, but I'm having a little bit of trouble getting micronucleus to write the script to the ATTINY without an un/re plug. You can see the WIP on my digispark branch in that repo
Maybe! The problem I was trying to solve was that a 30 character password randomly generated is a pain to type out by hand haha. That said I think having the text would be a step in the right direction
Here's what I do in my home: I've had the same easy-to-type WiFi password (it's a name and a four-digit year) since 2005 and I just tell my guests. It's not even a guest network. It's just my network. Free hugs in my house too.
I.e., treat the network as an extension of the Internet, that is, assume it's compromised. Since … it basically is, given the crap hardware ISPs foist upon people.
Or they could just be trying to connect from a laptop! Or a mobile device that doesn't understand how to parse this sort of WIFI connection code. Is this any sort of standard? Do Kindle devices support it?
I made an iOS Shortcut for this so I can ask Siri for the QR code when needed.
There's a built in "Generate QR Code" action that can take a text action containing the wifi string.
Only issue is hard coding the password in the shortcut.
A picture of a QR code will always be the same QR code. There are QR code generators that purport to let you update the value... but they're basically just hosting a link shortener service, giving you a QR code encoding that link, and letting you change where the link redirects to. That wouldn't work with a QR code for wifi, since the QR code does not point to a link, it directly encodes the SSID and password for a wifi network.
Can the http link not be directed to other protocols like FTP, or WIFI:T:WPA;S:{ssid};P:{password};; in this case? I guess this might have some security implication. And, some clients can block such redirection.
I tried with HTML href on my mac. It didn't work. Maybe it'd work on phones.
The dynamic vs static is also one of the criticisms to NFTs. They're just links to dynamic content in a distributed database. The content itself could change any time, or go down. But it looks like it works (there's a word for this: scam).
How would you use a dynamic link like HTTPS URL shortener if you're trying to achieve internet access? You could overcomplicate it with another AP which only works with QR code.
A colleague once painted a QR code, kinda cool its possible and it worked, but its no magic. Its just static content. If you want it to be dynamic, e-ink is perfect for this purpose. It doesn't require electricity, only if you change the content. So if it is say a Raspberry Pi Zero, it could be powered off, and only get powered on when required (even the e-ink screen itself could be detached).
I know they use captive portals a lot for this purpose but I don't see how say WPA2/3 Enterprise could not work for this.
I 3D printed a QR code puck for my house wi-fi. It's an easy demonstration of at-home fabrication that elicits some conversation, without having to hand over a password.
By specifying the SSID, encryption type, password/passphrase, and if the SSID is hidden or not, mobile device users can quickly scan and join networks without having to manually enter the data. Note that this technique is valid for specifying only static SSID passwords (i.e. PSK); dynamic user credentials (i.e. Enterprise/802.1x) cannot be encoded in this manner.
Order of fields does not matter. Special characters """ (quotation mark), ";" (semicolon), "," (comma), ":" (colon) and "\" (backslash) should be escaped with a backslash ("\") as in MECARD encoding. For example, if an SSID were "foo;bar\baz", with quotation marks part of the literal SSID name itself, this would be encoded as: WIFI:S:\"foo\;bar\\baz\";;
Data is expensive in QR land or your resulting QR code becomes larger in size, requiring more physical space to display. URL encoding has a lot of overhead. Also '\' escaping has preceded the existence of URLs. I'm not sure who is doing the reinventing here.
In countries that do not use English as the main language, it is fairly common to have non-English SSIDs. URL encoding is incredibly inefficient when encoding those characters.
QR code is not particularly dense (like compared to something like a hard drive) - why waste space that could not be put towards more redundancy (error correction)?
Can you encode a BSSID (MAC-based) or just the ESSID (assigned name)? The formatting isn't very pleasant I imagine for putting a MAC in with all those backslashes..
I actually lied, if you click the NetworkManager applet in Plasma, there's a direct QR code button visible without having to use the context menu at all.
That is actually quite cool. I wonder how many command line tools could take advantage of such a feature. Like, I don't know, upload a file somewhere and show a one-time QR code to transfer that file into your phone or something.
What a weird design. Alphanumeric QR code encoding includes [0-9A-Z $%*+-./:]. So many characters to choose from and they decided to choose ';' ruining the possibility of using compact alphanumeric encoding. Perfectionist inside me is angry!
A QR code by itself is completely unreadable to a human. Can't this have the SSID / password too? All too often you see what should be simple textual data wrapped in this obtuse form which only specific machines can read. Text and a QR code can be read by everyone.
This is misuse of QR code; QR codes should be used to encode large data or some other clunky data that is hard for people to process that's why it is easier to look up such data/information with QR code and process/read it digitally. After all you have a camera in your pocket and a preinstalled QR code scanner(at least all new Android phones have). The main use case of QR codes that I see is simply linking you to a website. For example your favorite food brand links you to their website to explore their offering.
>Text and a QR code can be read by everyone.
Yea I agree with you that both plain text and a QR code should be shared so people can use what suits them the best at that particular moment.
Agreed. Where I used to work, IT started replacing the guest wifi (password changes monthly) with QR code instead of printing out the password on a piece of paper. It's really cumbersome when I want to join on my laptop.
I print out a sheet with some text (including the network SSID and password) and a QR code to connect to the guest wifi using libre office writer. It has a built in qr code generator. The QR code text for a wifi password is here: https://en.m.wikipedia.org/wiki/QR_code#Joining_a_Wi%E2%80%9....
I did a set of 3D printed QR codes with integrated NFC stickers used as drink coasters for a friend and myself. They're pretty neat and always a talking point.
283 comments
[ 2.2 ms ] story [ 244 ms ] thread[1] https://www.washingtonpost.com/technology/2021/10/07/are-qr-...
Also, QR codes obfuscate the request that is being sent.
There is an inherent security risk... it is trivial, as the OPs article suggests, to print out a QR code, cover an existing public one, and send people to a phishing site. Unless people are being very careful about what sites they are on, they could easily be scammed.
Works for Text Messages too! (=
I made a QR Code for my contact info in a VCard and set it as the home screen of my phone -- when I go to conventions it makes it really easy to connect with people.
There's a lot of cool stuff you can do with QR Codes now. Most of this stuff is 5-10 years old even, but the pandemic really helped educated people to look for QR Codes. Yay, Covid! =P
There are QR code generators that are work entirely client-side, I would trust those much more, or just use a native app.
I've forgotten the tool used but I had a QR-Code for the guest Wi-Fi for a very long time. These days, people don't really care as the Internet speed on their phones are pretty fast enough and the cost is very cheap (India).
Super easy to hand to a visitor that can either scan or type in.
Android also has the option to "share" wifi via a QR code from the WiFi settings menu. It is quick and much easier than reading out the password to someone else.
The only thing I don't love about it is, there's very little user feedback. The person requesting just goes to the wifi password prompt and hopefully this generates the notification for one of their contacts.
Nice when it magically works (you go to wifi, and then someone in the room is like "Hey, dcdc123 wants the wifi password" and you are like "yep," and then it's all sorted), annoying when you are intentionally trying to use it with one particular person.
It would be nice if it showed something like "looking for contacts" "found <NAME>" etc etc.
Of course, it has potential security issues; but no more than your standard sign in a store or boardroom.
EDIT - I had an idea that I'm currently working through that I like but am a little stuck so taking a break before I revisit. TLDR is to use an ATTINY85 to auto-"type" the password in for folks who bring a laptop and can't scan the QR code. I wrote the Python code to generate the .ino script that would actually do the writing, but I'm having a little bit of trouble getting micronucleus to write the script to the ATTINY without an un/re plug. You can see the WIP on my digispark branch in that repo
(QR code error correction is usually enough to let you just knock out part of it and put the text right there.)
1. Have the display show a 5-digit PIN (TOTP or something that changes every minute or few)
2. Let anyone connect to your network, if they go to a browser window it will show the capture portal
3. Enter the 5-digit PIN and press "enter" and the page will show the 30-digit password so the user can copy+paste
4. User pastes password into WiFi screen and logs in
Make sure to rate-limit this endpoint to prevent random PIN attacks.
Thanks for sharing, this sort of overkill is my favorite kind~ Cheers @koins!
I.e., treat the network as an extension of the Internet, that is, assume it's compromised. Since … it basically is, given the crap hardware ISPs foist upon people.
If you add the key tag, you can hang it on the wall. Works well with a light-color background, and a dark foreground.
Only issue is hard coding the password in the shortcut.
https://avm.de/ratgeber/wlan-zugang-teilen-mit-qr-codes-geht...
Edit: English: https://en.avm.de/guide/how-to-share-your-wi-fi-access-with-...
https://www.etsy.com/shop/ligninandlight?section_id=28828952
Instead, could also make an e-paper device for this. Perhaps it would work on badgerOS?
Otherwise just buying those picture viewers and setting a qr image would be easiest.
I tried with HTML href on my mac. It didn't work. Maybe it'd work on phones.
How would you use a dynamic link like HTTPS URL shortener if you're trying to achieve internet access? You could overcomplicate it with another AP which only works with QR code.
A colleague once painted a QR code, kinda cool its possible and it worked, but its no magic. Its just static content. If you want it to be dynamic, e-ink is perfect for this purpose. It doesn't require electricity, only if you change the content. So if it is say a Raspberry Pi Zero, it could be powered off, and only get powered on when required (even the e-ink screen itself could be detached).
I know they use captive portals a lot for this purpose but I don't see how say WPA2/3 Enterprise could not work for this.
I mean, you're still giving them the password, just in machine readable format.
Wikipedia has information on this https://en.wikipedia.org/wiki/QR_code#Joining_a_Wi%E2%80%91F...
Section of the Wikipedia article:
Joining a Wi‑Fi network
By specifying the SSID, encryption type, password/passphrase, and if the SSID is hidden or not, mobile device users can quickly scan and join networks without having to manually enter the data. Note that this technique is valid for specifying only static SSID passwords (i.e. PSK); dynamic user credentials (i.e. Enterprise/802.1x) cannot be encoded in this manner.
The format of the encoded string is:
Order of fields does not matter. Special characters """ (quotation mark), ";" (semicolon), "," (comma), ":" (colon) and "\" (backslash) should be escaped with a backslash ("\") as in MECARD encoding. For example, if an SSID were "foo;bar\baz", with quotation marks part of the literal SSID name itself, this would be encoded as: WIFI:S:\"foo\;bar\\baz\";;WIFI:t=wpa&s=My%20Network&p=secret%20word
would have been much better.
So I think the difference is small. QR codes can contain quite a bit more information than what's needed for WIFI name and password.
If you're using Network Manager, you can also just run this command!
You get the password as text, and a nice in-terminal QR code.Works for emoji in both the SSID and Password.
See: <https://twitter.com/adambowie/status/1521078234057695233> for context
Already linked by people in this topic https://en.wikipedia.org/wiki/QR_code#Joining_a_Wi%E2%80%91F...
>All too often you see what should be simple textual data wrapped in this obtuse form which only specific machines can read.
>See: <https://twitter.com/adambowie/status/1521078234057695233> for context
This is misuse of QR code; QR codes should be used to encode large data or some other clunky data that is hard for people to process that's why it is easier to look up such data/information with QR code and process/read it digitally. After all you have a camera in your pocket and a preinstalled QR code scanner(at least all new Android phones have). The main use case of QR codes that I see is simply linking you to a website. For example your favorite food brand links you to their website to explore their offering.
>Text and a QR code can be read by everyone.
Yea I agree with you that both plain text and a QR code should be shared so people can use what suits them the best at that particular moment.
No need for any special third party tools.