Most ISP put this kind of QR code on the provided "modem" in France with the default Wifi password of the device.
I love QR code. I think it should be everywhere. All legal documents and forms should have one. All supermarket bills should have one.
It's a fantastic way to transition from paper to bits.
Unfortunately most users have no idea what it is. They don't know what a URL is, so a QR code is out of the question.
Plus they don't necessarily have a QR code scanner on their devices: not all phones have one by default, most laptops definitely don't. Not to mention some QRcode readers are sometimes just the regular camera app (E.G: modern iOS), which is very confusing. And even if all that is not a problem, your QRcode scanner may not be able to understand a particular format or will read the Wifi code but just display it while it's supposed to save it as a new access point.
Are you not concerned that QR code’s are just completely opaque URLs asking to be clicked? Do you confidently click on URLs in spam emails? Of course not since we all know URLs can point to malicious payloads. So why should we love QR code’s that could just as easily do the same.
If I’m a spammer trying to get people to click on my bogus links in my email messages, why wouldn’t I also print those same URLs as QR codes and paste them around my city with creatively enticing titles.
Do you never click URLs in emails? Of course you do, when you're confident the sender is reputable.
Parent was referencing trusted contexts: the default password printed on your wifi router, the bill a cashier just handed you for what you just bought, the legal papers you just signed, etc. The QR code just links the trusted document with trustworthy digital versions & extended content.
I'm not worried a spammer is going to get a bogus QR printed on the grocery store receipt I just received. I'm not going to scan QR codes printed & posted on subway walls for no apparent reason.
I was visiting a nature reserve where the trail opened to a resting area with some seats. A tree had a woodcut QR code on it, so I thought I'd scan it to find out more about the area.
Turns out, the QR code linked to some tracking site with a short URL. Even worse, the short URL had since been deleted, so I have no way to know the original URL it went to.
Also, as to something like a javascript exploit in a URL itself, QRs can hold a surprising amount of data, enough to max out most URL browser limits around 2,048 bytes.
At least bitly lets you look before you keep. Add a + to the end of any bitly URL to see where it goes, when it was created, and how many peole clicked it.
The QR scanning app that I use displays the URL so I can check if it looks okay, but most of them are abbreviated using services like bit.ly, so that doesn't help much. You'd have to have a UI that lets the user step through several redirections, but that would probably confuse people.
You're shifting responsibility from developers to the users. If reading a QR code triggers a bank transaction, that's an issue with the QR scanner and the banking application.
Users cannot check if a domain is "ok" by looking at it. You visit websites to discover what's there. A few years ago it was common knowledge that ".to" is shady and ".com" looks more legit. Now we have more TLDs than I can count. How is someone supposed to check that with visual inspection?
The way it should go: you scan a QR code. It gets interpreted into something useful that doesn't cause harm.
"Hey this QR would cause a 5€ transaction to Jon Doe. OK?" That's something the user can decide upon. payment://jon-doe:5€ doesn't help much.
(Edit: reading your post again, I realize it might be exactly what you have in mind)
I was mostly thinking about URLs in untrusted contexts, like maybe from an ad you see on the street, that you want to screen by hand against malicious intent; not so much about things like your banking app example, which should always have some kind of confirmation anyway.
It really shouldn't matter to the browser what URL you enter. Maybe it's not the page you're looking for. But opening a website itself should cause no harm.
Just compare with today's internet advertising. Legit websites are still full of somewhat malicious ads. And users click on it - of course, since that's what a website is for.
What I'm trying to make clear is that there is no such case where QR scanners, browsers or application may consider a safe context where the user implicitly consents with malicious actions by the QR/website/...
> It really shouldn't matter to the browser what URL you enter.
In a world where browsers are vulnerable to remote code execution, and a world where users do not run the latest version of a browser, and in a world where zero days exist in browers, it absolutely does matter.
No more than regular url written in a paper. People write them blindly anyway, they don't know what it means nor how to read it.
But QR code are not just for URL, they can contain up to 7k, which is a lot for text and numbers. And you can have several of them, use compression, etc.
Because urls have letters & words in english that I can read and determine if the website is authentic or not as opposed to QR code that no human can read?
Have you never come across phishing scams that looked eerily authentic only to be clued in by the fake url? I can read the URL before going to the website, and unless QR codes have a step where you have to manually confirm going to the url provided by the code (most don't) then that's a security risk
Qr code readers show you the url, you have push a button to navigate to it. So it's no different than having it copied manually.
Not that it matters much for most users, as I said earlier, they blindly type url. They have no idea what it is.
You could put a warning saying "are you sure, this is going to kill your mother and steal all your money" and people would click on it if it's easy to do.
Microsoft did that research. Well, they didn't propose to kill anybody's mother but the test participants used their real bank credentials and Microsoft tested different behaviours in IE to see what would deter users from giving these credentials to a bogus site having accepted a task to log in and perform some basic operation.
Nothing.
Nothing deterred the users. Warning dialogs were clicked past, obvious problems or mismatched information was ignored. The only way to stop users from giving their credentials to bad guys was what I call Brick Wall UX. The browser has to stubbornly refuse to let you do it. Unable to complete their task the user at last gives up.
This is a teachable moment. Your users are probably not going to be smarter, better informed or more cautious at least on average than in this test.
This sounds like something which should be continuously tested, as a litmus test as to how careful people are. I don't suppose you have a link or pointed search terms for this instance?
Because urls have letters & words in english that I can read and determine if the website is authentic
You must have some super-human ability to read a computer's mind if you can grok the kind of urls that usually come in emails like https://tinyurl.com/uvc58uq
You can see what the tinyurl redirect destination URL is (value of Location response header) without also requesting that URL. Not with a typical browser configuration, but with curl or some hosted solution delivering this functionality.
Of course, if the email actually has a unique URL per recipient, then doing this gives away the fact that you interacted with the email.
Clicking a link can't infect your computer with a virus anymore. As long as any vulnerabilities in QR scanner apps are reliably patched, it should be just as safe as clicking a link. There are zero-days, but that risk exists any time you're connected to the internet anyway.
The cost and risk of putting a sticker on a wall is much greater that that of sending a spam email. Legitimate advertisers already hire people for >$0 to do that. Illegitimate ones risk personal criminal prosecution because they have to be physically present.
plenty of scanners allow you to decode a code & show the url or whatever is encoded in it without opening the link & give you options so I wouldn't be concerned at all.
They can’t be used to encode very much data though. They wouldn’t be suitable for storing documents, but could be used to store the location of a document. I was trying to be clever once and thought I could encode X.509 certificates in QR codes. Even that much data was pushing the hard limits of what they can store, and became very hard to scan (I quickly realised this wasn’t actually very clever).
The largest QR code in the standard, "version 40" - can only store 3 kilobytes at the lowest level of error correction and 1.2 kilobytes at the highest level [1]. And that's a pretty huge QR code [2]
My back-of-the-envelope calculations say you'd need 61 bits per line on a receipt just to encode UPC, quantity and price. So the largest QR code would only allow 19-50 lines. And that's without including data like the store name, special offers, means of payment and so on. Believe me, plenty of people buy more than 50 items in their supermarket christmas shop :)
Standardised digital receipts would be neat but, QR codes encoding the data ain't the way to go about it.
Seems like the obvious thing would be to have the QR code contain a "receipt ID" (UUID?) in a URL.
When the QR code is scanned, the browser opens to the URL, the remote side takes your "receipt ID", and presents you with a list of all the items you purchased.
I can't imagine any decent-sized retailer isn't already maintaining records like this.
See, one of the useful properties of a paper receipt is that, once you receive it, you can be fairly confident about the ~one way you're going to lose it
1.2 kilobytes = 9.6 kilobits. If you need 61 bits per line, you’ve got enough bits for 157 lines. 393 lines if we go with 3 kilobytes. I think you may have used 61 bytes per line in your calculation rather than 61 bits.
4K is around the point where some devices will start to have issues scanning. Also, crypto wallets won’t usually give you the private key, instead they’ll give you the 12 word BIP39 seed phrase which will be around 70-80 bytes.
Even without the key they start to look pretty dense. You can definitely fit one in a QR code, they just start to become less reliable to scan (especially on cheap devices), and they go from looking nice to looking quite ugly. Technically most X.509 certs would have been within the limitations of QR codes (though I don’t think there is an upper bound to how large they can get), but I realized it just wasn’t fit for purpose and moved on to something else.
Are you using 8 bit encoding? An alphanumeric mode QR code containing base 64 encoded data provides less capacity. In binary mode even a 4096 bit RSA secret key fits while ECC keys produce smaller codes.
The qrencode tool has an 8 bit mode but not all decoders can handle binary data. For example, my phone shows me mangled results and I can't redirect them to a file. Like structured append, it doesn't seem to have much support.
Yes.. I had made a form that was scanned and all the metadata for the page was stored in datamatrix at the bottom.. With a laser printer and a good scanner you can reliably put a lot of data in there...
> Not to mention some QRcode readers are sometimes just the regular camera app (E.G: modern iOS), which is very confusing.
You can use that if you wish, however there is an entirely separate and dedicated QR reader built into iOS that is accessible from control center. The icon to launch it is even a QR code which eliminates such “confusion”.
Huh, I had no idea there was a dedicated QR reader "app", since it's not a default icon (you have to add it from within Settings), and there's no actual app. But it's there!
Interesting they added that when the camera app already scans QR codes. I wonder if it's an enterprise thing for devices in the field, where companies want to prevent the camera app (no photos), but need to scan codes.
They are not generic QR codes, but encoded instructions to access specific in-app features in WeChat/AliPay. If you scan those special codes with generic QR readers, you get invalid URLs.
IMO this makes it even worse to use generic QR codes, because if a QR code cannot be parsed by WeChat/AliPay, most Chinese users do not know what to do with it.
Current Android WiFi list has a dedicated QR Code button next to it, so it should become more accessible in half a year when most people are on Android 10
This data [1] from google is a bit old (from May 2019), but shows about 10% on Android 9, and maybe a third on Android 8+; to get 50%+ (the common interpretation of most) you're looking at Android 7+, and that was released three years before the stats. Maybe, if uptake of 10 is as good as 7+, we'll see most people on Android being able to use this in 2022.
Project Trebble made a huge difference, and Android 9, which is one year old, is already at 48% market share. This is so much faster than older Android upgrades before it.
Stats from different places are going to show different trends. Google's stats are a lot closer to all of the Android market than PornHub's. It's unfortunate that Google is slow to update. But it might be interesting to look at trends in PornHub's data, if they provide it over multiple years.
> Unfortunately most users have no idea what it is.
In the west, yes, it's absolutely prolific in Asia though. Even the most technologically illiterate people over there know and use qr codes all the time. A huge divide.
You either use URL or custom app to scan Qrcode. You can't encode arbitrary data and expect universal reader being able to interpret it. And URL is actually good way to store small amounts of data, because you can launch web app to handle it and it's compatible with any device.
I really think manufacturers have really missed out on an opportunity with QR codes by handing them over to marketing. Most of the early QR codes in the US were just links to advertising. I'm not going out of my way to scan a QR code just to be advertised to.
On the other hand it could have been a great way to develop much better relationships with your customers. As a trivial example, I own a snowblower. It would be nice if there had been a QR code on the machine that identified that specific machine. I could have scanned it and immediately registered it with the manufacturer. Scanning the code could take you to a manufacturer page for your specific machine, where you could record routine maintenance like oil changes, get a copy of the manual, and order replacement parts. They could send you periodic reminders like, "it looks like it's been a while since an oil change", or "it's getting cold outside. Now's a good time to make sure everything is in shape".
There is a ton of stuff around the house that I need to record information about but have to have my own system. If the manufacturer provided a way to do that they could offer their expertise with the product and a convenient way for you to record that information. I'd love to have a QR code on the side of my HVAC system, water heater, filtration system, etc.
Did something similar for my roommates recently. We have no printer in our flat, so I grabbed a piece of graph paper, redrew the QR code and taped it onto the fridge. Now our guests can simply scan the picture instead of strenuously rewriting the complicated password.
What's the problem with using a long but humanly readable password, like several concatenated words? It's not like you are trying to protect against large scale attacks.
I have hereby been whooshed, though in my defense I have a guest-only, throttled and isolated wifi network so the potential for misuse didn't occur to me.
I have exactly the same. I don't want the entire world to use it though, as it still uses my broadband connection, which contains my external IPv4 address. I guess I should tunnel it over a VPN instead.
This is interesting, however my main problem with really long Wi-Fi password are devices that have bad ways to input text. Things like media box using a remote controller or a video game console using it's controller.
WPS was born to fix this, however the specification is so broken that it is literally useless from a secure standpoint.
On some devices it may be easier to enter a long password from a restricted character set than to enter a shorter password from a richer set.
For example, I've seen TVs that allow using a numeric keypad on the remote for entering digits in text and password fields, and require use of a clumsy on-screen keyboard for entering letters or punctuation. The on-screen keyboard is navigated with the up/down/left/right/ENTER buttons on the remote, and might have multiple shift states for case and punctuation requiring navigating to and pressing a shift key whenever the password has adjacent characters that need different shift states.
On such a TV, I'd rather enter a 39 character all numeric password than a 22 character alphanumeric password. Entering 39 characters on a hardware numeric keypad is way faster and way less error prone.
if the on-screen keyboard even has all the characters needed.
when we got new internet in our previous home i was forced to change our password that everyone had already set from previous use, because the new configuration interface didn't allow spaces. so i used underscores. then family visited and they had a tablet with a keyboard that didn't have underscores.
Or when you setup a new apple computer, you have to enter the wifi password without being able to see what you type, without being sure it is the right casing, and if you are not in the US without being sure you are using the right keyboard layout in the first place (the is no opportunity to type something else in a clear text box before that step).
When a friend tried to connect to a new network on their MacBook, a second friend with an iPad got a pop-up that such-and-such was attempting to connect to their network, and if they wanted to share connection details. One click and they were in.
If you choose to put a WiFi password up on a sign as a QR code, do not post it in view of a window. Passers-by should not be able to connect to your network from outside your home or office. This advice also applies to plain text passwords posted on signs.
I do this in our house and it works great. I discovered one flaw though. When I say scan the QRCode I am immediately told “i don’t knows how” Or asked “the what?” Or disapproved of with “I hate those things.”
Fun fact no one has ever actually scanned the code... ever! Maybe if I was a cafe but not for house guests.
Instead of "scan" have you tried telling people to point their phone's camera at it?
"Scan" sounds to them like some separate action that they would need to know how to do. But at least on iOS all it takes is opening the camera and pointing it at the code - you get a pop up notification asking you to join the network.
I bet people know how to point the camera at something even if they don't think they know how to scan it.
Once I noticed Android supported QR scanning to connect to WiFi natively, I started implementing this at my hotels - I wish all businesses did the same.
I believe it's only Android 10 onwards that has the QR Code scanning feature [1][2][3] since it was added by Google in order to support the new Wi-Fi Easy Connect standard [4] (the replacement for WPS).
This has been a thing for longer than I can remember. Many many years, it should only depend on what your QR scanner are capable of (and that will vary since most use their default camera app for scanning QR codes and most manufacturers ship their own - but by now I hope even older phones have it).
Android 10 made som more specific features for this, such as automatically generating the QR code for others and scanning QR directly from the wifi settings.
But on other versions, it depends on the 3rd party app you use for QR code scanning. From the screenshots, it seems like certain versions of Android have this available directly from the Wi-Fi password screen, without the need for a 3rd party application.
Are you deliberately trying to be confusing? A "bundled camera" is the exact opposite of a 3rd party app. 3rd party would mean one must install it from the playstore.
I had to install Google Lens first. When I tap join network, the reply is that I have to manually join the network. This is Android 9, and is an Android One phone (yes, still on Android 9 and not even a year old).
Update: Actually it works with the build-in Camera. Point to QR, it decodes it and shows SSID and password, there's a wifi icon button, and pressing that immediately connects.
If, for whatever reason, you wanted to do this with older iOS you had to use a configuration profile[2]. This would be distributed as a PList that you'd link to in the QR code. Which means the device needs to be connected to a network to download it first. A captive portal could help with that, or put it on the internet maybe protected with a geofence so you're not advertising your password to the world.
Oddly the G7 Play camera just stares dumbly at the QR.
When I use a third-party reader it shows that a password containing special characters really confuses this particular notation, since colons and semicolons are also used for field delimiters. Even if I escape them when passing the argument to qrencode, the parser app stumbles on them.
Was wondering the same. The author didn't mention the minimum required version for Android compared to IOS, so I assumed Android must have long supported it and I always just missed it.
On another note I find it quite awkward that the feature is buried in that dialog on Android. You even need to tap on the network you want to connect to when that information is already in the qr code.
I think they added the QR code Wifi URI in Android 6, it's been a while. It's mostly an issue with apps supporting it, and to be honest I can't believe it's still not a standard feature of the camera apps on all Android devices, like the iPhone does.
Very neat! However, IMHO 63 characters is a bit much for the password.
”If you use lower-case, upper-case, and digits, and if you generate it truly randomly, then a 16-character password has 95 bits of entropy. That is more than sufficient.”
A 63 character password with ten dictionary words is on average much easier to type than a 16 character random ASCII printable string, especially on phone keyboards.
Your math is off. Even if you take the 11-bit estimate (if you use something like diceware you get 13 bits), 10 words give you 110 bits. Meanwhile there are 95 ASCII printables, 16 of them give you a maximum of 105 bits, and usually people don’t use the full range (ambiguity, especially painful to type, etc.) & don’t generate a uniformly random string, which means you’re getting fewer than that. Even 95 is an optimistic estimate.
I said "might be", and someone might estimate a word to have 10 bits of entropy. And you previously said dictionary words, not random dictionary words, so a human choosing those words might choose words that relate to each other.
A friend has a ~32 character camel case phrase as his WiFi password.. just a nightmare for people to type on their phones. iOS’s “share pass with contact” helps but every once in awhile someone has to spend 10 minutes trying to get a password to work. So silly.
I have an NFC card that contains the connection information with the QR code and plain text credentials taped to it. Even less devices support that, but when they do you don't even have to open an app. Just tap and you're in.
For this project, on first boot the device creates an AP, then displays a QR code containing SSID and key (along with text version of the same) that the user can connect to. Upon connection a captive portal will redirect the user to the configuration page, allowing the user to select the desired SSD and configure other essential values.
If you have a phone handy, just scan the display, accept the prompt to connect, and the next thing you see if the configuration page popping up as Apple and Android detect it as a login page.
I used this when setting up mesh WiFi for my parents, a few years ago. I set up a guest network and a main network; the guest network had a fairly-long password, and the main network had a very-long password, both WPA2-Personal.
I put together a two-page PDF, page size about 4 inches by 6 inches. One side had the info for the main network; the other side had the info for the guest network. "the info" included the SSID, the password, and a large QR code.
I then sent the PDF to FedEx, printed on card stock, double-sided, and laminated, with instructions to cut the excess paper away before laminating. The result was a nicely-put-together "quick reference" card that my parents can use for whatever needed. If my parents get a new phone, putting it on WiFi is as simple as a QR-code scan.
That's such a better solution for guests too, I've visited many friends where I had to crawl under their desk to see the SSID and password printed on the back of the router... because they haven't changed the factory settings.
For those concerned about entering your network info into an online qr tool, some time ago I attempted a minimal JS and transparent site for generating these codes (https://github.com/jamsinclair/wifiqr).
Or I suppose just use the cli tools, as mentioned, for extra safety...
Arguably it is easier to verify that a webapp is not sending the data to a 3rd party, than it is to verify that the CLI tool doesn't (easy network inspection from the developer tools).
I don't think it is that problematic to put your WiFi credentials to a random website, since the possibility of the creator is a scammer AND lives near enough to you so it can exploits that fact is really small.
However sure, having the piece of mind that this will not happen may still make it more worth it do it yourself.
But it makes rather confusing on how to connect it on an e.g. laptop without having to scan the QR code with the mobile device first. If the password is 63-char length, typing it wouldn't be 'quick'.
There should be a laptop app which can import a QR code picture from a file. Most of the laptops also have a webcam nowadays, perhaps it could be used too.
I can attest to the usefulness of this. I have a similar thing set up on my iPhone via the Shortcuts app and it's been quite nice to share my long password without worrying about the hassle of spelling it out. Here's the Shortcut, in case anyone wants to try it out: https://www.icloud.com/shortcuts/681b4f7b030543b79ab7de6afa3...
Remember to URL encode the SSID en PASSWORD if you have any characters that can't go into a URL. (Also, you have to trust Google to not store that URL anywhere)
A secure random WiFi password in a QR code is great for Android and iOS, and the laptops/desktops that can sync their password database with them over Bluetooth.
But what about all those other random WiFi devices? I don’t relish the thought of entering 63 characters into my printer’s goofy interface, a games console, my car, etc...
Every tesla car has a sim card and data connection that is used to connect to a vpn that high enough level engineers can use to run ssh commands directly on every tesla car at once or even target certain ones.
How do I read it then? My Android camera app only lets me copy the encoded text to the clipboard or share it with another app. What app should I use to use it to actually connect to the wireless network?
But what if you want to connect something other than a phone to your network? I have a lot of laptop's that don't run iOS or Android. I guess I'm old fashioned like that.
The Owlet baby monitor does this. When you need to connect it to WiFi you give the app the creds and then it generates a QR code. Then you hold it in front of the camera to scan.
I so wanted to use this for work, where there is a rotating password scheme, but unfortunately it doesn’t work on iOS if the hotspot has a captive portal :/
If you are going to write an article about this on a website with geek in the domain name, and post it to hacker news, you are going to have to get more technical than that.
Explaining the "WIFI:T:WPA" bit would have been nice to see.
At the bare minimum a link to an article that explains it would be necessary to meet the bar.
In the current state this article is a users level how to document, and fails to met the bar for an article targeted at "hackers".
If you are going to comment on threads on a website, how do you know where the "bar" is?
By reading the "Guidelines" [0], of course!
In fact, the very first item on that page is titled "What to Submit" and explains exactly where that bar is:
> On-Topic: Anything that good hackers would find interesting. That includes more than hacking and startups. If you had to reduce it to a sentence, the answer might be: anything that gratifies one's intellectual curiosity.
Apparently enough of us found it "interesting" for it to show up on the front page.
(The time you spent writing your comment would have been better spent banging your head against the wall -- at least you might have something (a bruise) to show for it!)
I think the OP is making a joke about the fact that some guests who get the wifi password, may spend all their time looking at their phones instead of socializing. That happens nowadays when one throws a party or movie night.
Before WPA3 a network with no password offers less security than a network for which everybody knows the password.
In WPA3 finally the no password ("guest") case has randomly chosen keys using RFC 8110 instead of being unencrypted, so it's equivalent security to everybody knowing the password.
I agree no password is the best outcome, and WPA3 makes that finally no more dangerous than it needs to be.
I mean turn if off once guests are gone, yes it's not safe as everything on the network can be sniffed by your nosy neighbors, you can quanrentine this guest network from your ethernet to make it less revealing. It's meant to be a one-off thing to avoid hassle. Good to know they have that in WPA3.
In WPA3 the nosy neighbours can't sniff anything. If there is no password or they know it they can do an active MITM to get between users and your Access Point because it now uses a PAKE, but active attacks can be detected and would be a bit more than "nosy neighbours". If you use anything fancier than a password (including technologies like EduRoam or GovRoam, Active Directory login, whatever) any adversary has to attack that instead.
I love QR code. I think it should be everywhere. All legal documents and forms should have one. All supermarket bills should have one.
It's a fantastic way to transition from paper to bits.
Unfortunately most users have no idea what it is. They don't know what a URL is, so a QR code is out of the question.
Plus they don't necessarily have a QR code scanner on their devices: not all phones have one by default, most laptops definitely don't. Not to mention some QRcode readers are sometimes just the regular camera app (E.G: modern iOS), which is very confusing. And even if all that is not a problem, your QRcode scanner may not be able to understand a particular format or will read the Wifi code but just display it while it's supposed to save it as a new access point.
It's definitely not a solved problem.