Understanding QR Code Security Risks in Public Infrastructure
How Warsaw's QR Code Toilet Map Missed the Mark

Municipal services increasingly rely on QR codes to provide fast, frictionless access to information. A recent example is Zarząd Dróg Miejskich (Board of City Roads) placing QR codes on poles and public infrastructure that redirect users to a map showing nearby public toilets.
While this approach improves usability and accessibility, it also introduces non-obvious cybersecurity risks. QR codes are a well-known attack vector in both physical and digital spaces, and when deployed at scale in public areas, they become attractive targets for attackers.
This article explores:
Why QR codes are risky by design
Real-world examples of QR-based attacks
Threat scenarios specific to municipal QR deployments
Practical technical and operational mitigations
Why QR Codes Are a Security Problem
QR codes are opaque by default. Users cannot visually verify what they are scanning, and most mobile devices automatically open the encoded URL.
From a security perspective, QR codes combine:
Implicit trust (“this looks official”)
Physical exposure (easy to replace or overlay)
Mobile endpoints (often less protected than corporate devices)
This makes them ideal for low-effort, high-impact attacks.
Threat Model for Public QR Codes
1. Physical Tampering (Code Replacement)
Attackers can place a malicious sticker over a legitimate QR code in seconds. This has been repeatedly observed in:
Parking meters
Public transport stops
Restaurant menu QR codes
City information boards
In a municipal setting, such attacks are hard to detect without frequent inspections.
2. Quishing (QR-Based Phishing)
Quishing is phishing delivered via QR codes. Instead of clicking a suspicious link, the victim scans a code and is redirected to a malicious website.
Typical payloads:
Fake “city service” pages
Credential harvesting pages (Microsoft 365, Google, municipal portals)
Fake surveys or feedback forms
📌 Why it works: QR codes bypass email filters, link previews, and many user awareness heuristics.
Reference:
- FBI warning on QR-based phishing campaigns
https://www.ic3.gov/Media/Y2023/PSA230118
3. Malicious Redirects and Traffic Hijacking
Even if the original QR code is legitimate, attackers may:
Compromise the redirect domain
Poison DNS records
Abuse URL shorteners
This allows silent redirection from a trusted city service to:
Scam pages
Malvertising
Exploit kits (especially on outdated mobile browsers)
4. Drive-By Malware Downloads
QR codes can point to pages that:
Automatically download APKs (Android)
Abuse browser vulnerabilities
Prompt users to install “required apps” or “map updates”
This is especially dangerous for:
Older Android devices
Users without mobile security software
Reference:
- OWASP Mobile Top 10
https://owasp.org/www-project-mobile-top-10/
5. Privacy Leakage & Tracking
QR codes can embed:
Unique identifiers
Tracking parameters
Fingerprinting scripts
This allows third parties to:
Track user movement patterns
Correlate scans with locations
Build behavioral profiles without user consent
In public infrastructure, this may also raise GDPR and privacy compliance issues.
Real-World QR Code Attacks
🚗 Parking Meter QR Code Scams (US & EU)
Multiple cities reported cases where fake QR codes were placed on parking meters, redirecting users to fraudulent payment pages.
Impact:
Stolen card details
Direct financial losses
Erosion of trust in municipal services
Reference:
https://www.ftc.gov/business-guidance/blog/2023/02/scammers-use-qr-codes-steal-your-money
🍽️ Restaurant Menu QR Attacks
Attackers replaced menu QR codes with phishing links or fake payment portals, especially during COVID-19 when QR menus became common.
Impact:
Credit card theft
Identity fraud
🏢 Corporate QR Phishing Campaigns
Advanced threat actors (including APT-linked groups) have used QR codes in emails to bypass security gateways and steal credentials, including MFA session tokens.
Reference:
https://www.microsoft.com/en-us/security/blog/2023/02/08/qr-code-phishing-attacks/
Risks Specific to City-Deployed QR Codes
For systems like public toilet maps, the main risks are:
High public trust in city branding
Large attack surface (many physical locations)
Limited user verification
Difficult attribution if attacks occur
Even if the content itself is harmless, attackers can exploit the delivery mechanism.
Mitigations: How to Secure Public QR Code Systems
1. Cryptographically Signed URLs
Use signed URLs or tokens that:
Expire
Are validated server-side
Cannot be arbitrarily reused
This prevents simple replacement attacks from working.
2. Dedicated, Short, Verifiable Domains
Avoid URL shorteners.
Use a clear, city-owned domain, e.g.:
https://warszawa19115.pl/-/automatyczne-toalety-miejskie
Users are more likely to notice suspicious redirects if the domain changes.
3. QR Code Validation Layer
Instead of linking directly to content:
QR → validation endpoint
Endpoint verifies signature + timestamp
User is redirected to final content
This allows:
Revocation
Monitoring
Abuse detection
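Mitigations 1 to 3 above describe one mechanism: the printed QR carries a signed, expiring URL on a city-owned domain, and a validation endpoint checks the signature and timestamp, consults a revocation list, and only then redirects to the real content. The following is an added example of that flow, not code from Zarząd Dróg Miejskich or from the original article. The domain qr.zdm.waw.pl, the sign ids, the secret key and the destination URLs are all constructed for the illustration; the signing scheme is a plain HMAC-SHA256 over the sign id, destination and expiry.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical validation endpoint on a city-owned domain (assumption, not ZDM's real setup).
BASE_URL = "https://qr.zdm.waw.pl/v"
# Hosts the validator is allowed to redirect to; anything else is refused even if signed.
ALLOWED_HOSTS = ("zdm.waw.pl",)
# Constructed demo key. In production this lives only on the server (vault/KMS), never on a sign.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
# Ids of physical signs reported as tampered with; adding an id revokes its printed code.
REVOKED_IDS: set = set()
# Every scan outcome is appended here so monitoring can spot bursts of bad signatures per sign.
SCAN_LOG: list = []


def _mac(sign_id: str, dest: str, exp: int) -> str:
    # Bind the signature to all three fields so none of them can be swapped independently.
    msg = f"{sign_id}|{dest}|{exp}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_signed_url(sign_id: str, dest: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Build the URL that gets printed into the QR code for one physical sign."""
    now = int(time.time()) if now is None else now
    exp = now + ttl_seconds
    params = {"id": sign_id, "d": dest, "exp": exp, "sig": _mac(sign_id, dest, exp)}
    return f"{BASE_URL}?{urlencode(params)}"


def _host_allowed(dest: str) -> bool:
    p = urlparse(dest)
    host = p.hostname or ""
    # Exact match or a subdomain; "evil-zdm.waw.pl" does not match because of the dot prefix.
    return p.scheme == "https" and any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def validate_scan(url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """What the validation endpoint does with a scanned URL.

    Returns (True, redirect_target) on success or (False, reason) on refusal.
    """
    now = int(time.time()) if now is None else now
    p = urlparse(url)
    if p.scheme != "https" or p.netloc != urlparse(BASE_URL).netloc:
        return _log("?", False, "not our validation endpoint")
    q = parse_qs(p.query)
    try:
        sign_id, dest = q["id"][0], q["d"][0]
        exp, sig = int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return _log("?", False, "malformed")
    # Constant-time comparison so the check itself does not leak the MAC byte by byte.
    if not hmac.compare_digest(sig, _mac(sign_id, dest, exp)):
        return _log(sign_id, False, "bad signature")
    if now > exp:
        return _log(sign_id, False, "expired")
    if sign_id in REVOKED_IDS:
        return _log(sign_id, False, "revoked")
    if not _host_allowed(dest):
        return _log(sign_id, False, "destination outside allowed domains")
    return _log(sign_id, True, dest)


def _log(sign_id: str, ok: bool, detail: str) -> Tuple[bool, str]:
    SCAN_LOG.append((sign_id, ok, detail))
    return ok, detail


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock so the output is reproducible.
    t0 = 1_700_000_000
    printed = make_signed_url("pole-0001", "https://map.zdm.waw.pl/toilets", 86400, now=t0)
    print(validate_scan(printed, now=t0))                       # (True, 'https://map.zdm.waw.pl/toilets')
    print(validate_scan(printed.replace("map.zdm.waw.pl", "evil.example"), now=t0))  # bad signature
    print(validate_scan(printed, now=t0 + 86401))               # expired
    REVOKED_IDS.add("pole-0001")
    print(validate_scan(printed, now=t0))                       # revoked
```

Two design points worth noting. First, the destination host allowlist is a second layer behind the signature: even a correctly signed URL that points off the city's domain is refused, which is what makes the printed instruction "should redirect only to *.zdm.waw.pl" enforceable server-side and not only a user hint. Second, signing does nothing against a sticker whose QR points to an attacker's own domain; that case is covered by the dedicated-domain, tamper-evident design and awareness controls in the sections that follow, while the validator's log gives the audit team a per-sign view of failed scans to prioritise inspections.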
4. Tamper-Evident Physical Design
Printed seals
Holographic elements
Clear instructions like:
“This QR code should redirect only to *.zdm.waw.pl”
This makes replacement more obvious to users and inspectors.
5. Regular Physical Audits
Operational controls matter:
Scheduled inspections
Citizen reporting channels
Fast response procedures for suspected tampering
6. User Awareness (Minimal but Clear)
Without inducing fear, inform users:
What domain to expect
That the city will never ask for logins or payments via these codes
Key Findings
QR codes are not inherently secure and should be treated as untrusted input
Public infrastructure QR codes are vulnerable to physical and digital attacks
Real-world incidents show QR-based fraud is already widespread
Simple mitigations (signed URLs, audits, domain clarity) significantly reduce risk
Security must cover both cyber and physical layers
Conclusion
QR codes are a powerful usability tool, but when deployed in public spaces, they blur the line between physical and digital security. Municipal deployments, like city toilet maps or transport information systems, must assume that QR codes will be tampered with and design accordingly.
Security-by-design — not afterthoughts — is essential if cities want to scale digital public services safely.
Further Reading
- OWASP: QR Code Security & QRLJacking
https://owasp.org/www-community/attacks/Qrljacking
- FBI: QR Code Fraud Advisory
https://www.ic3.gov/Media/Y2023/PSA230118
- Microsoft: QR Code Phishing Attacks
https://www.microsoft.com/security/blog
- FTC: QR Code Scams
https://www.ftc.gov/business-guidance/blog