Hacking QR codes

QR codes are becoming quite popular, especially in advertising.

Photo by infovore

But QR codes have a security flaw – it’s not too difficult to turn one QR code into another with just a bit of OHP film and some Tippex.

Obviously I don’t support vandalism so I’ll be using this fake Google poster that I made as an example.

You will need:

  • A mobile phone with a QR code scanning application. I used Barcode Scanner.
  • The free GIMP image manipulation software.
  • Clear overhead projector (OHP) film.
  • Tippex (or some way of printing in white).

Scan your target QR code and use the free QR code generator to generate a copy of the original code. You will also need to generate the QR code that you want to replace it with.


The target QR code is on the left and the replacement QR code is on the right.

Open both images in GIMP. Copy the replacement QR code into a new layer on top of the target QR code and change the layer mode to “Grain Extract”.

The grey areas are the areas where the two images overlap; there’s quite a lot of grey here because a lot of the information contained in the two codes is the same.* Black and white areas indicate differences between the two images; black pixels appear where the original is white and the replacement is black and vice versa.

Select the grey areas and remove them from the image, and then invert the colour so that black pixels appear where the original is white and the replacement is black; and white pixels appear where the original is black and the replacement is white.

The chequered areas indicate that the image is transparent. It is important that all the images you save during this process are saved as PNGs which, unlike JPEGs, are lossless and support transparency.

Now you need to print your overlay (at the same size as the original) onto transparent OHP film. The vast majority of printers are unable to print in white ink, but as it’s only the contrast between black and white that is important, you can replace the white with yellow for printing.

 
The overlay, ready for printing, is on the left, and the result of overlaying on the right.

If you’re using opaque yellow ink (most printers aren’t able to do this) then your overlay is ready. Otherwise you will need to replace the yellow pixels with white by using a correction fluid such as Tippex.

Now all you need to do is place your overlay on top of the original QR code to create your new replacement QR code. If you know what you’re doing you can download the GIMP .XCF file I created in the course of this post.

* Both codes have the same position and alignment indicators, the same version and timing information, and both contain the same “http://www.” data.

29 thoughts on “Hacking QR codes

  1. Turning one QR code into another with OHP film, Tippex and image manipulation software is not a method I have ever seen used. Those indulging in QR Code ‘switching’ or ‘code-jacking’ as it is called in Japan just print a new code of the same size and stick it over the old one. It is very effective, less time consuming and does not involve a reflective film, which on large codes can prevent successful scanning. Nice try but I can’t see this method catching on!

  2. Actually, yea.
    You only need to print it on A4, then go to a printshop to get your A3 copies, some paperglue, a bucket and a big brush.

    Your system rocks, i cant say it doesnt.
    But…
    Same as interconnected distributed Wi-Fi using routers as bridges (not sharing internet, just a big WAN) projects failed incredibly, due to its complicated nature and its excessive effort to get 1-2 lousy mbites constantly disconnected due to obstacles and other waves and bounces..
    Well, paying for dsl or cable was easier.

    This time, Printing glossy A3 Qr codes is way easier.
    You proved you can.
    Move on.

  3. I also agree with Roger, it makes sense. Still, your method is more complicated, hence more beautiful.

  4. For an interesting twist – how about an iPhone app that can tell you the minimum number of bits to add (or delete, depending on whether you happen to carry around a black marker or whiteout) to turn an existing QR code into an “interesting” alternative. Maybe it can show you some of the possible alternatives (e.g. existing web sites), along with how many bits would need to be changed. Much easier for a hit-and-run edit.

    Changing obnoxious advertisement to porn site with a quick stroke of a marker = win!

  5. Pingback: Anderson Dadario
  6. Many QR codes are visible under a protecting glass, for example in my University the QR code of the teachers is under a glass near the door of their office. Sticking a new code over the old one is a trick easily recognizable. Nowadays many qr codes have complex backgrounds and sticking is not a good solution for them… I don’t agree with Roger

Leave a Reply