Tom explores the history, usage, and possible dangers of QR Codes.
Featuring Tom Merritt.
MP3
Please SUBSCRIBE HERE.
A special thanks to all our supporters–without you, none of this would be possible.
Thanks to Kevin MacLeod of Incompetech.com for the theme music.
Thanks to Garrett Weinzierl for the logo!
Thanks to our mods, Kylde, Jack_Shid, KAPT_Kipper, and scottierowland on the subreddit
Send us email to feedback@dailytechnewsshow.com
Transcript:
I went to a restaurant and they said their menu was a little box full of boxes.
How am I supposed to read that.?
Someone said point my phone at it?
Confused?
Don’t be, let’s help you Know A Little More about QR Codes.
The “QR” in QR code stands for Quick Response code. It was invented by Masahiro Hara of the Denso Wave subsidiary of Japan’s Denso automotive parts company in 1994. He was inspired by the black and white patterns created when playing the game Go. The original application of the QR code was to identify parts in auto manufacturing at high speed.
The QR code is a type of 2D or matrix barcode, as opposed to the widespread UPC bar code you see a lot of, which is considered a 1D bar code. A 1D bar code is read in one dimension. So with UPC a laser horizontally the series of varying widths of black and white bars. Whereas a 2D barcode is read vertically and horizontally and uses rectangles, dots, hexagons and other patterns.
The big advantage of a 2D bar code is it can hold more information and deliver it quicker than a 1D bar code.
A QR code uses black squares called data modules arranged in a square grid on a white background. The background should extend outside the square in what’s called a “quiet zone” to make it easy to detect what’s actually part of the QR code’s matrix. You can encode four standard types of input data or “encoding modes:” numeric, alphanumeric, byte/binary and kanji.
The maximum amount of information you can encode depends on which of these inputs you’re using as well as your level of error correction and the dimensions of the grid. Grid dimensions are described by a level number from 1- 40. With level 1 having 21 by 21 data modules and each level adding 4 until you get level 40 with 177 x 177 data modules.
Maximum capacity can be found with the 40-L numeric encoding which encodes just numbers at the maximum dimensions of the grid with the lowest error correction. It can hold 7089 characters. The Alphanumeric version of the same thing holds 4,296 characters. Most QR codes you see in everyday life are around versions 2-5 and usually hold between 20 to 100 characters, enough for a shortened URL.
Because a QR code is two dimensional you need an image sensor to detect it. Since almost every phone now has a camera, the phone has become the most familiar way QR codes are scanned.
A Reed-Solomon error correction process is used to interpret the pattern. Reed-Solomon is also used in CDs, Blu-ray Discs, DSL and RAID 6. In QR codes there are four levels of error correction L is the lowest restoring approximately 7% of data, M is the middle at 15%, Q is the next up at 25% and H is the highest at 30%. This is going to offend statisticians and data professionals but you can roughly think of it as if up to 7% of the data is damaged the L error correction will still let you read the data. In practice most QR codes seem to use M. I guess they assume if more than 15% of that sticker is damaged you might as well get a new menu sticker.
But let’s get into how that pattern of blocks gets turned into your restaurant menu or wifi password or name of a conference room or whatever. The whole QR code is made up of just those blocks, called data modules, either black squares or empty white spaces.
You might have noticed there are always three distinctive larger squares in the corners of a QR code, Those are position markers. They are used along with a smaller square or set of squares in the fourth corner to calibrate the size, orientation and angle in which the pattern is being viewed.
Now your QR code reader, likely your phone’s camera, knows where the code is and can adjust for how big it looks in your camera. It can even do these adjustments on the fly as your unsteady hand wavers over the restaurant table.
Next it needs to know some things about what kind of encoding and error corrections and such were used. This way it can interpret the data correctly.
The mode indicator is placed in the bottom right indicating the input type. Other format information like error correction quality and character count is placed near the three squares. These are done as a sequence of 4 bit indicators.
That stuff is always the same and lets the reader know whether to look for numbers, alphabets kanji whatever and how much will be redundant error correction code
Now it’s time to read the whole point of this exercise. The data. The thing. The link to the menu. The kind of auto part this is. The WiFi Password!
In the space remaining after the position markers and format data, the encoded data is placed from right to left in a zigzag pattern until it reaches an end indicator. The amount of bits used for your data varies by the type of input. So numbers can get 3 digits into 10 bits, alphanumeric gets 2 characters into 11 bits and so on. You can even switch encoding types if you need to. Just throw in another 4-bit indicator.
You often need to mix input types because alphanumeric can only do capital case and 8 punctuation marks. So to do anything beyond that you need to use bytes which takes up more bits.
And that’s it, once the reader has interpreted all that it has the data and then the reader goes from there whether that’s showing you a URl you can tap or a wiFi password you can enter or the name “brake pad.”
You may wonder who keeps track of how that all works so that every reader works with every QR code.
QR codes have been standardized multiple times over the years. The first time was in October 1997 issued by the Association for Automatic Identification and Mobility, followed by one in January 1999 from JIS or Japanese Industrial Standards. And then the heavy, the International Standards Organization, or ISO issued its first standard in June 2000 and most recently updated it on February 1st, 2015.
Denso freely licenses QR code tech as long as users follow either the JIS or ISO standards. While Denso holds patents on the technology, it waived its rights for standardized codes and its patents in the US and Japan have already expired.
Denso does still hold the trademark on the name QR code and maintains some proprietary, non-standard implementations. But the ones you mostly see are standards-compliant.
You probably figured this out but QR codes are static. Once they’re printed, they don’t change. Even if you made an animated GIF of a QR code, the reader would just keep trying to show you the latest one. Once you make a QR code it’s meant to stay that way. Which makes them great for permanent information, which is why they were very good at parts identification. This is a shock absorber and we have very little expectation it will suddenly become a brake pad so we can slap a QR code on it so the assembly robots know what it is.
However at some point folks had the bright idea to encode URLs into QR codes. Why not? URL’s are just alphanumeric strings after all. Now, the URLs are still static. But any URL can be made to point to a different thing over time by redirecting it. Knowalittlemore.com for instance points to the ACast site where the podcast lives. I could change that to point to the daily tech news show blog posts about the show instead, if I wanted. So URLs sort of bring in the idea of a dynamic QR code, and so some people refer to static vs. dynamic QR codes. Let’s be clear, they’re all static. So when someone says a QR code is dynamic, it just means it has a URL. The code itself isn’t actually dynamic. But it points to a URL that you know you can redirect to different things. This is helpful for say, a restaurant that changes its menu.
It is also helpful for malicious types who want to do crimes and other malicious behavior.
As I think is clear by now, QR codes themselves are not risky as they only hold static data. QR code readers when working properly would prevent unauthorized executions of that data and there’s not a lot of leeway to make a very capable executable anyway. So the bigger worry is the URL. The practice of encoding URLs in QR codes is widespread, dare we speculate it is the norm, and that means the same risks that come in clicking any URL anywhere come with QR codes. One weakness could be a third party QR code reader that let its permission down a little. But even the most buttoned-down from the OS manufacturer built into the camera app QR code reader –can just take you to a malicious site like any email text message or link on the web.
As such you should only scan QR codes if you’re certain of the source. QR code stickers out in the world might be legitimate or might have been stuck there by someone malicious, possibly over the legitimate code. This doesn’t mean you should never scan a QR code in public but use secure QR code readers and look carefully at the link you’re being sent to before tapping it.
Some malicious links can look to you like they operate normally while engaging in malicious behavior like accessing your browser history or sending text messages without your knowledge.
It’s also good to doublecheck the URL after you tap to make sure it took you where you expected to go. Don’t just look at the graphics or the site layout, those can be faked. And resist the urge to log in, pay for something or download an app from a QR code link. Those are all popular scam vectors. There are legitimate times to use QR codes for that, but you need to be very sure about the legitimacy of the code before you do any of those.
And finally keep in mind that while the actual scanning of a QR code leaks no data, using a QR code to go to a website exposes all the same kinds of data as any visit to a website. Like your IP address, kind of browser and device, etc. This is no worse than browsing the web mind you, but something to keep in mind.
Finally , there are a few variations on the QR code you may encounter.
The Micro QR code holds a very small amount of info but doesn’t take up space so it’s often used on small items. It only has one positioning square in the upper left corner.
Denso Wave has a proprietary version called the IQR code that can be square or rectangular. It works well on cylindrical objects and holds more information than the standard QR Code.
And Frame QR codes take advantage of the error correction process to allow for a canvas area that can be used for logos, graphics etc.
QR codes are just bug dumb links in the world made of squares. Treat them like any big dumb link you’d find anywhere.
In other words, I hope you know a little more about QR codes.