283 comments

[ 2.2 ms ] story [ 244 ms ] thread
Call me paranoid, but I've taken to not scanning "public" QR codes any longer [1].

[1] https://www.washingtonpost.com/technology/2021/10/07/are-qr-...

There is way too much human interest to that article and way too little substance on the problems. Tl;dr - there’s no security risk unique to QR codes are that aren’t simply present on the Internet at-large.
Yes, but there are security risks unique to QR code menus at pizza joints that aren't present on pizza joint menus at large. The status quo for restaurant menus is printed text.

Also, QR codes obfuscate the request that is being sent.

The link to the article wasn't intended to be the be-all reason... just a general "something to think about here".

There is an inherent security risk... it is trivial, as the OPs article suggests, to print out a QR code, cover an existing public one, and send people to a phishing site. Unless people are being very careful about what sites they are on, they could easily be scammed.

https://www.qr-code-generator.com/

Works for Text Messages too! (=

I made a QR Code for my contact info in a VCard and set it as the home screen of my phone -- when I go to conventions it makes it really easy to connect with people.

There's a lot of cool stuff you can do with QR Codes now. Most of this stuff is 5-10 years old even, but the pandemic really helped educated people to look for QR Codes. Yay, Covid! =P

It would not use that one, it sends the network name and password to a server. This was easy to verify with browser dev tools.

There are QR code generators that are work entirely client-side, I would trust those much more, or just use a native app.

I've done something similar, but didn't like the static passwords. My guest wifi password is the current date, in YYYY-MM-DD format, it's been a great way to keep my guests (mildly) satisfied. The format changes on occasion
Is this automated or do you need to change every time Guests are expected?
This is automated, with a shell script and DDWRT
So guests who stay overnight have to enter a new password after your script runs at 00:01?
I started with this quite a long back, way before a separate Guest Wi-Fi was commonplace and we were OK just sharing the Wi-Fi. My ideology with guest at home was to offer Water and Wi-Fi. Guest were happy when Mobile Phone signals were bad (slow) and costly.

I've forgotten the tool used but I had a QR-Code for the guest Wi-Fi for a very long time. These days, people don't really care as the Internet speed on their phones are pretty fast enough and the cost is very cheap (India).

I switched to guest networks after I accidentally casted a browsing session to the TV with Chrome and a Chromecast plugged into the TV. Luckily nothing sensitive was shown but it could’ve been embarrassing with other (NSFW) content shown. The guest networks are segmented and use their own VLAN
How do guest networks solve this? You switch wifi networks before you want to use Chromecast?
I do the same thing, I had some little wooden etched boards made up with the ssid and and password on, then on the back is the qrcode for it.

Super easy to hand to a visitor that can either scan or type in.

Making an online wifi QR code generator seems like a nifty way to make a good password dictionary. Just saying.
The one featured seems fairly legit, I believe it pre-dates the wifi spec.
For Wi-Fi though? Seems relatively low risk to me. Concerns over password security can be mitigated by those that care by using unique, randomly-generates strings per service.
People are generally less worried about wifi password quality, so perhaps a DB of the general types of passwords people use would be useful for an attacker? (regardless of the ability to defend oneself -- in any dense population area, the attacker only has to find one person with a poor password)
The random string I use for my IoT devices' wifi password showed up on haveibeenpwned, so some IoT device cared enough about it to leak it.
Don't know... Having an intruder in your home wifi seems pretty high risk to me. And I don't even live in a country with high chance to get killed upon a visit by your friendly neighbourhood SWAT team...
I've done this for years, quite convenient. I also have an NFC tag with the WiFi which works quicker (no need to open a QR scanner and no need to focus on the image for a sec) but I'm not sure if iOS supports it. I've put the tag behind the wifi "frame" so that you can just tap it instead of scanning it.

Android also has the option to "share" wifi via a QR code from the WiFi settings menu. It is quick and much easier than reading out the password to someone else.

iOS lets you share wifi passwords with someone else around you if they are trying to connect. I _think_ it uses your AirDrop privacy settings so for most reasonable people it would only work for people in their contact list.
It is a pretty neat feature.

The only thing I don't love about it is, there's very little user feedback. The person requesting just goes to the wifi password prompt and hopefully this generates the notification for one of their contacts.

Nice when it magically works (you go to wifi, and then someone in the room is like "Hey, dcdc123 wants the wifi password" and you are like "yep," and then it's all sorted), annoying when you are intentionally trying to use it with one particular person.

It would be nice if it showed something like "looking for contacts" "found <NAME>" etc etc.

My wife and I travel together full time so we connect to a lot of new networks. Sadly the feature is so buggy it is almost useless to us. Probably one in three tries it just hangs the receiver's UI making it so they cannot cancel, enter password, etc. We avoid using it now.
What do you need, to produce (or rather program) nfc tags...? I guess they don't have usb ports, lol.
Programming NXP NTAG21x tags works on most recent iPhones too. Two apps I successfully used are "NFC Tools" and "NFC TagWriter by NXP". You can also associate the tags with Shortcuts and with automations in Home Assistant.
That's a great idea!

Of course, it has potential security issues; but no more than your standard sign in a store or boardroom.

The risk is small if you isolate clients from everything on LAN and limit bandwidth.
Someoned posted https://wificard.io/ a while ago... pretty neat
Yeah we use this for our AirBnB, print a page and put it in the guest book. Super convenient and clients like it.
Thanks! This site actually produces attractive output which includes some instructions, as well as the network name and password, something other sites don't offer. It is handy to be able to have the password visible for situations where the QR Code isn't a viable option, like setting up a laptop.
I've suggested this to every AirBnB I have stayed in. Sadly I am up to about 75-100 of them and have come across this a grand total of zero times.
This right here. I've done the same. It's absurd the level of password hoops at some places. I appreciate the secure password, but when it's hand written in marker and faded it can be quite frustrating.
Idea: make one for each AirBnB you stay in. If you don’t have access to a printer while you’re there email them a PDF.
It might have to be setup by an Airbnb host but the past few places I've stayed at had the ability to press a button inside the Airbnb app to automatically connect to their WiFi. Definitely saves some of the less tech-savvy hosts from having to figure out how to create a WiFi QR Code and print it out
Bit of a self-plug I know, but this reminds me of something I had made a while back (https://github.com/kmanc/wifi_qr). Nice work! Always fun to see others' take on neat projects
Amazing. I literally did this and then decided it was overkill. Almost with the same hardware!
Lol that's awesome

EDIT - I had an idea that I'm currently working through that I like but am a little stuck so taking a break before I revisit. TLDR is to use an ATTINY85 to auto-"type" the password in for folks who bring a laptop and can't scan the QR code. I wrote the Python code to generate the .ino script that would actually do the writing, but I'm having a little bit of trouble getting micronucleus to write the script to the ATTINY without an un/re plug. You can see the WIP on my digispark branch in that repo

Wouldn’t it be easier/maybe more practical to print the password to the e-ink screen as well?

(QR code error correction is usually enough to let you just knock out part of it and put the text right there.)

Maybe! The problem I was trying to solve was that a 30 character password randomly generated is a pain to type out by hand haha. That said I think having the text would be a step in the right direction
Bootstrap it with a shorter password:

1. Have the display show a 5-digit PIN (TOTP or something that changes every minute or few)

2. Let anyone connect to your network, if they go to a browser window it will show the capture portal

3. Enter the 5-digit PIN and press "enter" and the page will show the 30-digit password so the user can copy+paste

4. User pastes password into WiFi screen and logs in

Make sure to rate-limit this endpoint to prevent random PIN attacks.

Yeah that's certainly another solution. I haven't played around much with the captive portal capabilities of my networking gear but maybe I should
Just use diceware; 3-4 randomly selected words is enough entropy but still easy to type.
It took me a second to understand what this does, but wow what a neat project!

Thanks for sharing, this sort of overkill is my favorite kind~ Cheers @koins!

Lol thanks! I strive to bring more nerd-value than real-value :P
Here's what I do in my home: I've had the same easy-to-type WiFi password (it's a name and a four-digit year) since 2005 and I just tell my guests. It's not even a guest network. It's just my network. Free hugs in my house too.
That seems fine until someone's compromised device joins your network, sniffs for open ports, and starts uploading or ransomware-encrypting your NAS.
Secure the NAS.

I.e., treat the network as an extension of the Internet, that is, assume it's compromised. Since … it basically is, given the crap hardware ISPs foist upon people.

My NAS is more likely to melt down into slag in a house fire. I have offsite backups of critical data.
Please do not only offer qr codes. Some people might not have (working) cameras.
If you want to 3D Print your QR code, this site generates an STL: https://printer.tools/qrcode2stl/

If you add the key tag, you can hang it on the wall. Works well with a light-color background, and a dark foreground.

I made an iOS Shortcut for this so I can ask Siri for the QR code when needed. There's a built in "Generate QR Code" action that can take a text action containing the wifi string.

Only issue is hard coding the password in the shortcut.

I print wifi QR codes on wood signs and on cork coasters for Airbnb/VRBO hosts. It's a good little side business.

https://www.etsy.com/shop/ligninandlight?section_id=28828952

Nice, but I don't like such being forced to be a static PSK.

Instead, could also make an e-paper device for this. Perhaps it would work on badgerOS?

Isn't there qr codes that can automatically update their values? That could work.

Otherwise just buying those picture viewers and setting a qr image would be easiest.

A picture of a QR code will always be the same QR code. There are QR code generators that purport to let you update the value... but they're basically just hosting a link shortener service, giving you a QR code encoding that link, and letting you change where the link redirects to. That wouldn't work with a QR code for wifi, since the QR code does not point to a link, it directly encodes the SSID and password for a wifi network.
Can the http link not be directed to other protocols like FTP, or WIFI:T:WPA;S:{ssid};P:{password};; in this case? I guess this might have some security implication. And, some clients can block such redirection.

I tried with HTML href on my mac. It didn't work. Maybe it'd work on phones.

The dynamic vs static is also one of the criticisms to NFTs. They're just links to dynamic content in a distributed database. The content itself could change any time, or go down. But it looks like it works (there's a word for this: scam).

How would you use a dynamic link like HTTPS URL shortener if you're trying to achieve internet access? You could overcomplicate it with another AP which only works with QR code.

A colleague once painted a QR code, kinda cool its possible and it worked, but its no magic. Its just static content. If you want it to be dynamic, e-ink is perfect for this purpose. It doesn't require electricity, only if you change the content. So if it is say a Raspberry Pi Zero, it could be powered off, and only get powered on when required (even the e-ink screen itself could be detached).

I know they use captive portals a lot for this purpose but I don't see how say WPA2/3 Enterprise could not work for this.

How is your guest going to visit the link when they're not yet connected to the wifi?
I 3D printed a QR code puck for my house wi-fi. It's an easy demonstration of at-home fabrication that elicits some conversation, without having to hand over a password.
> without having to hand over a password.

I mean, you're still giving them the password, just in machine readable format.

You can also do this with NFC tags, though I've had mixed success with iPhones.
It uses the form of:

  WIFI:T:WPA;S:{ssid};P:{password};;
Can generate these on Linux with the qrencode program.

Wikipedia has information on this https://en.wikipedia.org/wiki/QR_code#Joining_a_Wi%E2%80%91F...

Section of the Wikipedia article:

Joining a Wi‑Fi network

By specifying the SSID, encryption type, password/passphrase, and if the SSID is hidden or not, mobile device users can quickly scan and join networks without having to manually enter the data. Note that this technique is valid for specifying only static SSID passwords (i.e. PSK); dynamic user credentials (i.e. Enterprise/802.1x) cannot be encoded in this manner.

The format of the encoded string is:

  WIFI:S:<SSID>;T:<WPA|WEP|>;P:<password>;H:<true|false|>;
Order of fields does not matter. Special characters """ (quotation mark), ";" (semicolon), "," (comma), ":" (colon) and "\" (backslash) should be escaped with a backslash ("\") as in MECARD encoding. For example, if an SSID were "foo;bar\baz", with quotation marks part of the literal SSID name itself, this would be encoded as: WIFI:S:\"foo\;bar\\baz\";;
(comment deleted)
why couldn't they just use normal URL query param escaping? Always reinventing the wheel, badly.

WIFI:t=wpa&s=My%20Network&p=secret%20word

would have been much better.

Data is expensive in QR land or your resulting QR code becomes larger in size, requiring more physical space to display. URL encoding has a lot of overhead. Also '\' escaping has preceded the existence of URLs. I'm not sure who is doing the reinventing here.
Only encoded characters take up more space and you don't have to escape: quotation mark, semicolon, comma, colon or backslash.

So I think the difference is small. QR codes can contain quite a bit more information than what's needed for WIFI name and password.

In countries that do not use English as the main language, it is fairly common to have non-English SSIDs. URL encoding is incredibly inefficient when encoding those characters.
At equal printed sizes, QR codes with less information are much easier/more forgiving to scan.
QR code is not particularly dense (like compared to something like a hard drive) - why waste space that could not be put towards more redundancy (error correction)?
Can you encode a BSSID (MAC-based) or just the ESSID (assigned name)? The formatting isn't very pleasant I imagine for putting a MAC in with all those backslashes..
You would use "H" for BSSID or a hidden network I assume
> Can generate these on Linux with the qrencode program.

If you're using Network Manager, you can also just run this command!

  nmcli dev wifi show-password
You get the password as text, and a nice in-terminal QR code.
Wow! Had no clue this was possible! Thank you!
Recent Plasma Desktop lets you show a network QR code right from the right-click context menu.
I actually lied, if you click the NetworkManager applet in Plasma, there's a direct QR code button visible without having to use the context menu at all.
That is actually quite cool. I wonder how many command line tools could take advantage of such a feature. Like, I don't know, upload a file somewhere and show a one-time QR code to transfer that file into your phone or something.
Can I also put my networks with Emoji SSIDs into the QR code?
Yes, I've been doing this for years with QR codes for WiFi.

Works for emoji in both the SSID and Password.

What a weird design. Alphanumeric QR code encoding includes [0-9A-Z $%*+-./:]. So many characters to choose from and they decided to choose ';' ruining the possibility of using compact alphanumeric encoding. Perfectionist inside me is angry!
Especially weird considering SSIDs are allowed to have : and ; in their name. Should have gone with something like $
(comment deleted)
A QR code by itself is completely unreadable to a human. Can't this have the SSID / password too? All too often you see what should be simple textual data wrapped in this obtuse form which only specific machines can read. Text and a QR code can be read by everyone.

See: <https://twitter.com/adambowie/status/1521078234057695233> for context

>Can't this have the SSID/password too?

Already linked by people in this topic https://en.wikipedia.org/wiki/QR_code#Joining_a_Wi%E2%80%91F...

>All too often you see what should be simple textual data wrapped in this obtuse form which only specific machines can read.

>See: <https://twitter.com/adambowie/status/1521078234057695233> for context

This is misuse of QR code; QR codes should be used to encode large data or some other clunky data that is hard for people to process that's why it is easier to look up such data/information with QR code and process/read it digitally. After all you have a camera in your pocket and a preinstalled QR code scanner(at least all new Android phones have). The main use case of QR codes that I see is simply linking you to a website. For example your favorite food brand links you to their website to explore their offering.

>Text and a QR code can be read by everyone.

Yea I agree with you that both plain text and a QR code should be shared so people can use what suits them the best at that particular moment.

Agreed. Where I used to work, IT started replacing the guest wifi (password changes monthly) with QR code instead of printing out the password on a piece of paper. It's really cumbersome when I want to join on my laptop.
I print out a sheet with some text (including the network SSID and password) and a QR code to connect to the guest wifi using libre office writer. It has a built in qr code generator. The QR code text for a wifi password is here: https://en.m.wikipedia.org/wiki/QR_code#Joining_a_Wi%E2%80%9....

No need for any special third party tools.

There's also the LaTeX qrcode package, bundled with distributions like TeX Live. Minimal working example reduced from my own template:

  \newcommand*{\SSID}[0]{NETWORK}
  \newcommand*{\PASS}[0]{PASSWORD}
  \documentclass{letter}
  \usepackage{qrcode}
  \begin{document}
  \begin{center}
  \LARGE{``\SSID'' WiFi QR code}
  \qrcode[height=5cm]{WIFI:S:\SSID;T:WPA;P:\PASS;H:false;}
  \end{center}
  \end{document}
I did a set of 3D printed QR codes with integrated NFC stickers used as drink coasters for a friend and myself. They're pretty neat and always a talking point.
I'd love a CLI version that just produces an image or pdf file
Such a cute idea! Definitely wouldn't work when my parents come over though