Quick-response (QR) codes used by a COVID-19 contact-tracing program were hijacked by a man who simply slapped scam QR codes on top of them to redirect users to an anti-vaccination website, according to local police in South Australia. The perpetrator, who has been arrested, now faces two counts of “obstructing operations carried out relative to COVID-19 under the Emergency Management Act”. However, some reports of similar activity suggest that this arrest may just be a drop in the bucket.
While no personal data was breached in this particular incident, it highlights the ease of QR code scams: all an attacker needs is a printer and a pack of labels to do real damage. In this case, the original QR codes were used by the South Australian government’s official CovidSafe app, which accesses a device’s camera to scan the code and collects real-time location data to be used for contact tracing in case of a COVID-19 outbreak.
Despite the apparent ease with which they can be abused, QR code use is on the rise. Earlier this month, Ivanti released a report that found 57 percent of survey respondents across China, France, Germany, Japan, the U.K. and the U.S. had increased their QR code usage since March 2020.