Can a QR Code Hack Your Wi-Fi?
A standard URL-type QR code cannot touch your Wi-Fi at all — it only opens a webpage. However, a different type of QR code called a WIFI-scheme code can auto-connect your phone to a network the attacker controls, enabling traffic interception. The risk depends entirely on what kind of QR code you scanned.
Two types of QR codes — two very different Wi-Fi risks
Most QR codes encode a URL (a web address). When you scan one, your camera reads that URL and opens it in your browser. This kind of code has zero interaction with your Wi-Fi settings, your router, or your saved network passwords.
The second type encodes Wi-Fi credentials in a special format: WIFI:S:NetworkName;T:WPA;P:password;;. These WIFI-scheme QR codes are legitimate and widely used — coffee shops, hotels, and conference venues often post them so guests can join the Wi-Fi without typing a password. Scanning one tells your phone to attempt to connect to that network automatically.
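The Python below is an added example, not code from this page or from any scanner app: it classifies a decoded QR payload as URL-type or WIFI-scheme, parses the WIFI fields shown above, and lists reasons to hesitate before joining the network. The backslash escaping and the H (hidden) field follow the common WIFI-scheme convention; the function names and sample payloads are constructed for illustration.

```python
def classify(payload):
    """Return 'wifi', 'url' or 'other' for a decoded QR payload string."""
    head = payload.strip().lower()
    if head.startswith("wifi:"):
        return "wifi"
    return "url" if head.startswith(("http://", "https://")) else "other"

def parse_wifi(payload):
    """Parse WIFI:S:<ssid>;T:<auth>;P:<pass>;; honouring backslash escapes."""
    if classify(payload) != "wifi":
        raise ValueError("not a WIFI-scheme payload")
    body, fields, cur, i = payload.strip()[5:], [], "", 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            cur += body[i + 1]          # escaped character is taken literally
            i += 2
            continue
        if body[i] == ";":              # an unescaped ';' ends a field
            fields.append(cur)
            cur = ""
        else:
            cur += body[i]
        i += 1
    if cur:
        fields.append(cur)              # tolerate a missing final ';'
    info = {"S": "", "T": "nopass", "P": "", "H": "false"}
    for field in fields:                # fields may appear in any order
        key, sep, value = field.partition(":")
        if sep and key.upper() in info:
            info[key.upper()] = value
    return {"ssid": info["S"], "auth": info["T"], "password": info["P"],
            "hidden": info["H"].lower() == "true"}

def review(payload, expected_ssid):
    """List reasons to hesitate before joining the network a code describes."""
    kind = classify(payload)
    if kind != "wifi":
        return [f"not a WIFI-scheme code ({kind})"]
    net, notes = parse_wifi(payload), []
    if net["ssid"] != expected_ssid:
        notes.append(f"SSID {net['ssid']!r} is not the expected {expected_ssid!r}")
    if net["auth"].lower() == "nopass":
        notes.append("open network: no Wi-Fi layer encryption")
    return notes

# Constructed sample payloads (assumptions, not taken from any real venue).
OFFICIAL = "WIFI:S:Cafe\\;Guest;T:WPA;P:p\\:ss;;"
STICKER = "WIFI:T:nopass;S:FreeGuestWifi;;"
if __name__ == "__main__":
    print(review(STICKER, "Cafe;Guest"))
```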
The attacker scenario
A scammer posts a fake WIFI-scheme QR code in a café, hotel lobby, or event venue. You scan it thinking it is the official guest Wi-Fi. Your phone joins a network the attacker controls. On that network, the attacker can see all unencrypted traffic passing through it.
Scenario A — a fake WIFI QR code connected you to a rogue network
If you scanned a WIFI-scheme code and your phone joined a network you did not intend to use, here is what the attacker can and cannot do:
What they can see
Unencrypted HTTP traffic — older websites, some IoT device communications, and poorly built apps that send data without encryption. The attacker acts as a “man in the middle” and can read or modify that traffic in transit.
What they cannot see
HTTPS traffic (the padlock in your browser), end-to-end encrypted messages (iMessage, WhatsApp, Signal), and data sent through apps that use certificate pinning. The content of your banking app, Gmail, or social media is encrypted even on a compromised network.
What to do immediately:
- Open Settings → Wi-Fi, find the unfamiliar network, and tap Forget This Network.
- Reconnect to a verified network. If you use a QR code to join it, scan one only from a trusted, physical source (staff-printed signage, not a sticker on a table).
- If you logged into any account while connected, change that password as a precaution.
- Review your accounts for any suspicious activity over the next 24–48 hours.
Scenario B — a URL QR code and your home Wi-Fi
This is the scenario most people worry about: “I scanned a QR code — did it hack my home Wi-Fi?” The answer is no. A URL-type QR code cannot:
- Read your saved Wi-Fi passwords from your phone or computer
- Access your home router's admin panel or settings
- Change your Wi-Fi network name or password
- Disconnect you from your current network
- Send data back to an attacker through your home router
Your home Wi-Fi requires either a physical connection to the router, access to the router's admin interface (protected by a separate password), or your Wi-Fi passphrase — none of which a webpage opened from a QR code can obtain.
How to protect yourself on public Wi-Fi going forward
Verify the network name before joining
After scanning a Wi-Fi QR code, glance at Settings → Wi-Fi and confirm the network name matches what you expect — the venue's name, not a generic string like “FreeGuestWifi.” If it joined something unrecognised, forget it immediately.
Use a VPN on any public network
A VPN encrypts all your traffic before it leaves your device, rendering network-level interception useless even on a rogue access point. Enable it before connecting to any public or guest Wi-Fi.
Look for HTTPS on every site you visit
Before entering any login credentials or payment info while on public Wi-Fi, confirm the address bar shows https:// and a padlock icon. HTTPS encrypts the connection between your browser and the site, regardless of what the underlying network is doing.
Frequently asked questions
Can a QR code steal my Wi-Fi password?
No. A QR code cannot read your saved Wi-Fi passwords from your device or your router. A URL-type QR code only opens a webpage. A WIFI-scheme QR code does the opposite — it supplies new credentials to connect you to a different network. Neither type can extract anything already stored on your device.
What happens if I scanned a fake Wi-Fi QR code?
If a WIFI-scheme QR code connected your phone to an unexpected network, open Settings → Wi-Fi, find the unfamiliar network, and tap Forget This Network immediately. While connected, unencrypted HTTP traffic was visible to the network operator, but HTTPS connections, encrypted messaging apps, and banking apps were protected. Change passwords for any accounts you accessed during the connection as a precaution.
Can a QR code change my home router settings or Wi-Fi password?
No. A QR code — URL-type or WIFI-scheme — cannot access your router's admin interface, alter its configuration, or change your Wi-Fi password. Router admin access requires authentication credentials and is typically restricted to your local network. A QR code has no mechanism to reach or authenticate to your router.
Know what a QR code will do before you scan it.
QRsafer identifies the type of QR code — URL, WIFI, contact card, and more — and checks URL-type codes against real-time threat databases before you tap through. See the destination and the risk rating in one second, before any network connection is made. Download it free for iOS and Android.
