What's encoded in a Wi-Fi QR code?

A Wi-Fi QR uses the WIFI: URI scheme (originally a ZXing convention, since standardized by the Wi-Fi Alliance). It encodes the network name (SSID), security type (WPA / WPA2 / WPA3 / WEP / nopass for open), the password, and a hidden-network flag. WPA2-Enterprise networks also carry an EAP method, an identity, an anonymous identity, and a phase-2 method.

Is it safe to scan a Wi-Fi QR at a café or hotel?

Usually, but verify two things: (1) the network name (SSID) matches what the venue advertises, and (2) the security type is WPA2 or WPA3, not WEP (broken) or 'nopass' (open). A fake QR can advertise a network name like 'Starbucks-WiFi-Free' that looks plausible but routes you to an attacker's hotspot.

What's the 'evil twin' attack?

An attacker sets up a Wi-Fi hotspot with a name that matches or closely mimics the legitimate venue's network. They print or sticker a QR code containing that SSID. Customers scan, connect, and route their traffic through the attacker. Common in airports, hotels, and conference centres. Our scanner flags lookalike SSIDs against a list of known high-value targets (Starbucks, McDonald's, airport-free-wifi patterns, hotel chain names).

Are open Wi-Fi QRs (no password) dangerous?

Open networks aren't dangerous to join, your phone uses HTTPS to encrypt traffic anyway, but they ARE highly impersonable. Anyone with a Wi-Fi router and 10 minutes can stand up a fake 'Coffee Shop Free WiFi' next to a real coffee shop. If you must use open Wi-Fi, double-check that the SSID matches what the venue posts, and consider a VPN. Or just use your mobile data, modern plans usually have it.

Standards · Wi-Fi credential QR

Is this Wi-Fi QR code safe to scan?

A Wi-Fi QR joins your phone to whatever network name is inside the code, full stop. The danger isn't the QR format (it's standardized and harmless on its own), it's the SSID. A QR with a name like "Starbucks-WiFi-Free" plausibly routes you to a fake hotspot in the parking lot. The defense is reading the network name BEFORE you tap Connect.

Inspect a Wi-Fi QR → All standards →

What's the format

The standard is the WIFI: URI scheme, originally introduced by the ZXing project and adopted by the Wi-Fi Alliance. A complete payload looks like:

WIFI:T:WPA2;S:CafeWiFi;P:hunter2;H:false;;

The fields are key-value pairs separated by semicolons. Every modern smartphone camera app recognizes this format and prompts to join the network.

For WPA2-Enterprise (corporate or campus Wi-Fi), the format extends with three more fields, EAP method (PEAP / TLS / TTLS), identity (your username), anonymous identity (the outer EAP identity), and phase-2 authentication method.

Field-by-field

T, security type

WPA, WPA2, WPA3, WEP, or nopass (open). WEP is broken, modern phones may refuse to connect. nopass means the network is open with no encryption at the link layer.

S, SSID (network name)

The network name your phone displays after connecting. The most important field to verify. Compare against what the venue advertises in print or on signage.

P, password

The pre-shared key for WPA-class networks. Absent for nopass.

H, hidden network

true if the network doesn't broadcast its SSID. Hidden networks need to be searched for; not inherently more secure, often less.

E, EAP method (Enterprise)

For WPA2/3-Enterprise networks: PEAP, TLS, TTLS, PWD. Determines how your phone authenticates to the network's auth server.

I, Identity (Enterprise)

Your username on the Enterprise network. Some venues encode a guest identity here; corporate networks expect your real username.

A, Anonymous Identity (Enterprise)

The outer identity visible during the EAP handshake. Used for privacy, the real identity is encrypted inside the tunnel.

PH2, Phase 2 method (Enterprise)

For TTLS / PEAP: the inner-tunnel authentication method, usually MSCHAPV2.

The evil-twin attack

The recipe:

Attacker sets up a Wi-Fi router (or a phone in hotspot mode) near a target venue, a coffee shop, airport gate, hotel lobby, conference centre.
They configure the SSID to match or mimic the venue's network: Starbucks_WiFi_2, FREE_AIRPORT_WIFI, HotelGuests_5G.
They print a QR for that fake network and stick it somewhere plausible, under a table edge, next to a power outlet, on a window.
You scan, your phone joins their hotspot. The attacker proxies your traffic to the real internet so nothing feels broken, but they see every HTTPS handshake's SNI hostname (which sites you visit), every DNS query, and any unencrypted traffic.

Modern apps use HTTPS so credentials and content are encrypted. But:

SNI leaks which sites you visit (under encrypted ClientHello it doesn't, but few clients enforce it).
DNS over the attacker's network reveals your queries unless you use DoH / DoT.
Apps that fall back to HTTP for any reason (legacy APIs, certificate-pinning bugs, captive-portal probes) leak data.
The attacker can serve fake captive-portal pages prompting for credentials you'd normally type elsewhere.

Our scanner flags SSIDs that look like high-mimicry targets, well-known brand names with confusables decoded, as suspicious so you double-check the network name before joining.

What our scanner shows you

Drop a Wi-Fi QR (image, paste, or camera) into our scanner. The verdict shows:

Network (SSID), read it carefully and compare to what the venue advertises.
Security type, WPA2 / WPA3 / WEP / Open. Open or WEP networks get a heads-up.
Password, tap-to-reveal (sensitive field). Useful for adding to a password manager.
Hidden flag, Yes / No.
EAP method + identity + phase-2, for Enterprise networks, shown so you can confirm the auth method matches what IT told you to expect.
Embedded URLs in SSID or password, some attackers stuff phishing URLs into the password field; we flag those.

The scanner runs in your browser; only the decoded text reaches our server for the safety check, not the image.

Before you tap Connect

Does the SSID match exactly what the venue advertises? Lookalikes (extra characters, swapped letters, "Starbucks_2") are the attack signature.
Is the security WPA2 or WPA3? Open and WEP networks aren't inherently dangerous but they ARE impersonable.
If it's an Enterprise network, did IT tell you to expect this exact EAP method and identity?
Are you on mobile data anyway? If yes, consider just using that. Modern mobile plans usually beat venue Wi-Fi for both speed and privacy.
Is the venue's password rotated regularly? Many cafés print the password on a chalkboard; an old QR sticker on a window might be a password that's been rotated since.

Inspect a Wi-Fi QR

Drop the QR image, paste the WIFI: string, or use the camera. Verdict shows network name, security type, masked password, and flags lookalikes against high-mimicry brand SSIDs.

Open scanner →