Unlocking Doors with Unique QR Codes
QR codes range in size from 21x21 (rows and columns) to 177x177. Each square in that grid represents a bit, with position, alignment, and error correction squares subtracted. Ignoring those subtractions, this means that QR codes can store between 441 and 31,329 bits (about 3.9 kB). So even the smallest QR code can represent a unique 256-bit encryption key. TheIoTProject engineers took advantage of that fact to build a unique door lock system that relies on QR codes.
In practice, this system would work a lot like the RFID card scanners many people use to get into their offices. The problem with those systems is that the RFID card’s unique ID is static and that introduces a security vulnerability. If a bad actor can clone an authorized RFID card, they can unlock the door. This QR code system is different, because it can generate a new temporary QR code for every use. Anytime someone needs to unlock the door, they would use an app or website to generate the necessary QR code. Those could require two-factor authentication for additional security. After the user unlocks the door with a QR code or a set amount of time passes, the system invalidates that QR code so it can’t be copied and used by a bad actor.
A valid QR code would represent an access code hashed with SHA-256, making it nearly impossible to brute force or reverse-engineer through cryptographic techniques. A possible vulnerability is the transmission of the code from the server to the user’s app. But standard wireless encryption and proper IT practices would prevent that, and the limited lifespan of a valid QR code would limit the utility of such an attack.
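The single-use, expiring code described above, sketched as an added example (this is not TheIoTProject's code). It assumes the QR payload is a random 256-bit value, that the server keeps only its SHA-256 digest, and a 60-second lifetime; the class and function names are hypothetical.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 60  # assumed lifetime; the article gives no figure


class QrCodeIssuer:
    """Issues single-use, time-limited door codes (hypothetical names)."""

    def __init__(self, ttl=TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # SHA-256 digest of code -> expiry timestamp

    def issue(self):
        """Return a fresh 256-bit code (hex) to render as a QR code."""
        code = secrets.token_hex(32)  # 32 random bytes = 256 bits
        digest = hashlib.sha256(code.encode()).hexdigest()
        # Only the digest is stored, so a leaked table reveals no usable code.
        self._pending[digest] = self._clock() + self._ttl
        return code

    def redeem(self, scanned):
        """Return True once for a valid, unexpired code; False otherwise."""
        now = self._clock()
        # Drop expired entries so a stale code can never be accepted.
        self._pending = {d: t for d, t in self._pending.items() if t > now}
        digest = hashlib.sha256(scanned.encode()).hexdigest()
        # pop() removes the entry, so a copied code fails on replay.
        return self._pending.pop(digest, None) is not None


def demo():
    """Run four scans against a constructed fake clock."""
    now = [1000.0]
    issuer = QrCodeIssuer(ttl=60, clock=lambda: now[0])
    first = issuer.issue()
    results = [issuer.redeem(first), issuer.redeem(first)]  # use, then replay
    late = issuer.issue()
    now[0] += 61  # let the second code expire before it is scanned
    results.append(issuer.redeem(late))
    results.append(issuer.redeem("0" * 64))  # a code that was never issued
    return results


if __name__ == "__main__":
    print(demo())
```

On the Raspberry Pi, a True result from redeem() is the point at which the relay would be toggled.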
To demonstrate this system, the team put together a simple implementation consisting of a Raspberry Pi single-board computer, a USB QR code scanner, and a relay module that could toggle an electronic lock. This is an open source system, so you can explore the code and details on TheIoTProject's GitHub page.