Security Threats and Solutions for Two-Dimensional Barcodes: A Comparative Study

  • Riccardo Focardi
  • Flaminia L. Luccio
  • Heider A. M. Wahsheh
Chapter

Abstract

A barcode is a graphical image that stores data in special patterns of spaced vertical lines (linear or 1D barcode), or in special patterns of vertical and horizontal squares (2D barcode). The encoded data can be retrieved using imaging devices such as barcode scanner machines and smartphones with specific reader applications. 2D barcodes are considered inexpensive tools in business marketing, and several companies use them to facilitate the post-sale follow-up procedure for their products. Many previous studies have discussed the potential risks of using 2D barcodes and proposed different security solutions against barcode threats. In this paper, we present a comparative study of various attacks on 2D barcodes and of the available protection mechanisms. We highlight the limitations and weaknesses of these mechanisms and explore their security capabilities. According to our analysis, although many of the available barcode security systems offer cryptographic solutions, they can still have weak points, such as the adoption of insecure cryptographic mechanisms. In some cases, cryptographic solutions do not even provide enough detail to evaluate their effective security. We review potential weaknesses and suggest remedies based on the recommendations of the European Union Agency for Network and Information Security (ENISA).
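The abstract contrasts barcode protection schemes that rely on insecure cryptographic mechanisms with remedies based on ENISA recommendations. The following Python example is added here to illustrate that contrast; it is not code from the chapter or from any of the systems it surveys. It authenticates the text payload a 2D barcode carries with HMAC-SHA256 (a keyed MAC construction the ENISA 2014 report recommends) and places beside it an unkeyed digest of the kind that detects transmission errors but not deliberate replacement. The payload, the 256-bit key, and the `|sig=` field delimiter are constructed for the demo; in a deployment the key is held by the issuer and the verifying reader, never inside the barcode.

```python
# Added example (not from the chapter): authenticating the text payload carried
# by a 2D barcode with a keyed MAC, and contrasting it with an unkeyed digest.
import base64
import hashlib
import hmac

# Constructed sample payload: the kind of URL a marketing QR code might carry.
SAMPLE_PAYLOAD = "https://example.com/product/12345?campaign=spring"

# Constructed demo key (hypothetical). In a real deployment the 256-bit key is
# held by the issuer and the verifier (e.g. the reader app's backend) and is
# never placed inside the barcode itself.
DEMO_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

SEPARATOR = "|sig="  # assumed field delimiter; base64url tags never contain '|'


def protect(payload: str, key: bytes) -> str:
    """Return barcode content: payload followed by an HMAC-SHA256 tag.

    HMAC with SHA-256 and a 256-bit key is a MAC construction the ENISA 2014
    report recommends; the tag is base64url-encoded so it stays printable.
    """
    tag = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest()
    return payload + SEPARATOR + base64.urlsafe_b64encode(tag).decode("ascii")


def verify(content: str, key: bytes):
    """Check scanned content; return (True, payload) or (False, None).

    A reader that enforces this refuses to act on (open, pay, install) any
    barcode whose tag is missing or does not match.
    """
    payload, sep, tag_b64 = content.rpartition(SEPARATOR)
    if not sep:
        return False, None  # no tag at all: unauthenticated content
    try:
        tag = base64.urlsafe_b64decode(tag_b64.encode("ascii"))
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, None
    expected = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, None
    return True, payload


def unkeyed_protect(payload: str) -> str:
    """The weak alternative: append a plain SHA-256 digest with no key."""
    digest = hashlib.sha256(payload.encode("utf-8")).digest()
    return payload + SEPARATOR + base64.urlsafe_b64encode(digest).decode("ascii")


def unkeyed_verify(content: str) -> bool:
    """Accepts any content whose digest matches the payload.

    Whoever rewrites the payload can recompute the digest, so this catches
    transmission errors but provides no authenticity at all.
    """
    payload, sep, digest_b64 = content.rpartition(SEPARATOR)
    if not sep:
        return False
    expected = hashlib.sha256(payload.encode("utf-8")).digest()
    try:
        return hmac.compare_digest(base64.urlsafe_b64decode(digest_b64), expected)
    except ValueError:
        return False


if __name__ == "__main__":
    content = protect(SAMPLE_PAYLOAD, DEMO_KEY)
    print("issued  :", content)
    print("verify  :", verify(content, DEMO_KEY))
    # Simulated replacement of the product id, keeping the original tag (constructed).
    tampered = SAMPLE_PAYLOAD.replace("12345", "99999") + content[len(SAMPLE_PAYLOAD):]
    print("tampered:", verify(tampered, DEMO_KEY))
    # The same edit against the unkeyed scheme passes once the digest is
    # recomputed over the altered payload, which is exactly its weakness.
    print("unkeyed :", unkeyed_verify(unkeyed_protect(SAMPLE_PAYLOAD.replace("12345", "99999"))))
```

The design point is the one the abstract makes: a checksum or unkeyed hash is not a security mechanism, and a scheme's strength can only be judged when its primitive, key length and key handling are stated. The verifier also rejects content with no tag, so a reader built on it cannot be downgraded by simply omitting the signature.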

Copyright information

© Springer International Publishing AG 2018

Authors and Affiliations

  • Riccardo Focardi (1)
  • Flaminia L. Luccio (1)
  • Heider A. M. Wahsheh (1)
  1. Department of Environmental Sciences, Informatics and Statistics (DAIS), Ca’ Foscari University of Venice, Venezia, Italy