Scan QR code can give access to all content on phone including financial?

Forums › Mobile handsets › Scan QR code can give access to all content on phone including financial?

rugrat

3106 posts

Uber Geek

Lifetime subscriber

#316212 25-Sep-2024 23:00

https://www.nzherald.co.nz/bay-of-plenty-times/news/parcel-scam-lands-in-tauranga/KZNEVWPQZNHK5IQYQOFWOTDDFA/

“The QR code allows the offenders to then access any and all data on your phone or device you used to scan the code, including financial information such as your bank account login details, and personal data,” a police spokesperson said.

“Police are urging anyone who receives one of these gifts not to scan the QR code; the gift can either be kept or discarded, but do not scan the QR code.”

Surely someone needs to do some sort of interaction with where the link opened to, or is it really this dangerous to scan a QR code?

snj

185 posts

Master Geek

#3286441 25-Sep-2024 23:50

The only thing I can think of that would take over a device via QR like that is MDM via QR Code (example: https://www.manageengine.com/mobile-device-management/help/enrollment/mdm_android_qr_code_enrollment.html), or QR Code with code execution bug (i.e. unpatched devices). Seems very vague as written to what actually is the problem.

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#3286455 26-Sep-2024 06:45

I think this is another urban legend.

People have been receiving mysterious packages for years, mainly as a way for small retailers to get some positive reviews on sites like Amazon.

The next step to "takeover and own your life" seems like those old urban legends about DnD being satanic rituals.

None of those stories so far have actually shown any evidence about the "takeover".

Unfortunately, police forces around the world sometimes help spread these things.

Oblivian

7296 posts

Uber Geek

ID Verified

#3286462 26-Sep-2024 07:26

I shut down a hunch of social media sharers of that when I saw it.

Nearly exact copy past from a list of super helpful police regions in the US. Or not as the case may be.

But when you query all the reputable tech/cyber pages for details on a one click payload. Nada. It seems it can't.

There seems to need.to be at least a web URL clicked, and likely details entered into a phish site with it. But no way to trigger the OS into anything.

We know how a QR is constructed with headers to trigger.

The Australian example was a fake ring. And a review webpage URL wanting personal details.

rugrat

3106 posts

Uber Geek

Lifetime subscriber

#3286553 26-Sep-2024 12:15

That’s what I thought. You’d have to enter personal details/password or download something from web site for there to be a risk.

The police spokes person has it wrong, or have over simplified it.

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#3286554 26-Sep-2024 12:19

As above, all these "reports" are incomplete. For example, the article states, "The packages had a QR code and a tracking code that did not reveal any information."

How did the person who received the package find out their information was accessed?

Phones have the option to sideload software disabled by default. Did this person change settings to proceed with the installation of an unknown app?

So many holes.

Everything points to "urban legend".