I have come across a number of companion mobile applications which use QR codes on hardware to associate that hardware with the user's account.
How does this work from a security perspective? I assume it's not just a UUID of the device or someone could just brute force all possible combinations to associate multiple hardware units to an account.
Is there a best practice that allows QR codes to be used as a sort of GUIDs without them lacking security?
First, QR codes are not encrypted, so you can just scan one and see what its data is.
That said, I would absolutely expect it to include a "big, sparse number" like a UUID. You cannot brute force the UUID space for the same reason you cannot brute force AES-128. It's too big a space. The UUID space is a little smaller than the AES-128 space, but there are still 10^36 of them. You're not going to brute force it.
That said, if I were building one of these, I would probably want to add something that ensures that the value being registered is a valid number and wasn't picked randomly. This is really more about data hygiene than security in most cases. I don't want people registering devices that don't exist. Even if it wouldn't have any security impact, it messes up my database.
So I'd probably do something like:
But if you told me that most of these devices just slap an unencrypted UUID or a serial number (hopefully a smart and sparse one) in the field and call it a day, that wouldn't surprise me at all. In my experience, many consumer products (and especially IoT products, which you may be thinking of) spend almost no time considering security.
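The answer above suggests adding something to the QR value so the registration service can tell an ID it actually issued from one a caller made up. As an added example (not code from the answer or from any product), here is one way to do that in Python: a random 128-bit ID, the same size as a UUID, followed by a truncated HMAC tag computed under a key the server holds; the key, the 8-byte tag length and the base64 encoding are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Hypothetical server-side key. In a real deployment it stays in the
# manufacturer's/registration service's key store and never reaches the device.
SERVER_KEY = b"example-key-do-not-use-in-production"
ID_BYTES = 16   # 128-bit random device ID (same size as a UUID)
TAG_BYTES = 8   # truncated HMAC-SHA256 tag appended to the ID


def make_device_payload(key: bytes = SERVER_KEY) -> str:
    """Mint the string printed into a device's QR code at manufacture time."""
    device_id = secrets.token_bytes(ID_BYTES)
    tag = hmac.new(key, device_id, hashlib.sha256).digest()[:TAG_BYTES]
    # URL-safe base64 without padding keeps the QR payload short and scannable.
    return base64.urlsafe_b64encode(device_id + tag).rstrip(b"=").decode("ascii")


def verify_device_payload(payload: str, key: bytes = SERVER_KEY):
    """Return the device ID as hex if the tag checks out, otherwise None.

    A random or hand-typed value fails here before anything is written to
    the database, which is the data-hygiene point the answer makes.
    """
    try:
        raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
    except ValueError:          # also covers binascii.Error and non-ASCII input
        return None
    if len(raw) != ID_BYTES + TAG_BYTES:
        return None
    device_id, tag = raw[:ID_BYTES], raw[ID_BYTES:]
    expected = hmac.new(key, device_id, hashlib.sha256).digest()[:TAG_BYTES]
    # Constant-time comparison so verification timing does not leak the tag.
    if not hmac.compare_digest(tag, expected):
        return None
    return device_id.hex()


if __name__ == "__main__":
    qr_value = make_device_payload()
    print("QR payload:", qr_value)
    print("verified id:", verify_device_payload(qr_value))
    print("tampered:", verify_device_payload(qr_value[:-1] + "x"))
```

The tag does not hide the ID (the QR code is still readable in the clear, as the answer notes); it only lets the registration service reject values it never issued.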