Barcodes’ pervasiveness in retail, health care and other service industries notwithstanding, hackers really haven’t paid much attention to these tiny lines of data.
But like other technologies supporting the so-called Internet of Things, there are bound to be vulnerabilities and there are bound to be white hats and black hats poking about.
Case in point is this week’s PanSec 2015 Conference in Tokyo where researchers with Tencent’s Xuanwu Lab demonstrated a number of attacks using poisoned barcodes scanned by numerous keyboard wedge barcode scanners to open a shell on a machine and virtually type control commands. The attacks, dubbed BadBarcode, are relatively simple to carry out, and the researchers behind the project said it’s difficult to pinpoint whether the scanners or host systems need to be patched, or both—or neither.
“We do not know what the bad guys might do. BadBarcode can execute any commands in the host system, or [implant] a Trojan,” said Yang Yu, who collaborated with colleague Hyperchem Ma. Yu, last year, was rewarded with a $100,000 payout from Microsoft’s Mitigation Bypass Bounty for a trio of ASLR and DEP bypasses. “So basically you can do anything with BadBarcode.”
Yu said his team was able to exploit the fact that most barcodes contain not only numeric and alphanumeric characters, but also full ASCII characters depending on the protocol being used. Barcode scanners, meanwhile, are essentially keyboard emulators and if they support protocols such as Code128 which support ASCII control characters, an attacker could create a barcode that is read and opens a shell on the computer to which the commands are sent.
Yu and Ma said during their presentation that Ctrl+ commands map to ASCII code and can be used to trigger hotkeys, which registered with the Ctrl+ prefix, to launch common dialogues such as OpenFile, SaveFile, PrintDialog. An attacker could use those hotkeys to browse the computer’s file system, launch a browser, or execute programs.
“We designed several different attacks,” Yu told Threatpost. “The key principle is putting special control characters in the barcode, so that the barcode reader will ‘press’ host system hotkeys, and activate a particular function. Making a BadBarcode exploit is easy. You just need to generate some evil barcodes and print them on paper.”
One of the demos of our talk "BadBarcode: How to hack a starship with a piece of paper". See you in PacSec 2015. pic.twitter.com/tu8XZjegHP
— Yang Yu (@tombkeeper) November 9, 2015
Fixing this issue is a vexing one, Yu said, because it’s not limited to particular scanners, for example, which are manufactured by vendors that include Esky, Symbol, Honeywell, and TaoTronics.
“BadBarcode is not a vulnerability of a certain product,” Yu said. “It affects the entire barcode scanner-related industries. It’s even difficult to say that BadBarcode is the problem of scanners or host systems. So when we discovered BadBarcode, we even [did] not know which manufacturer should be reported.”
Yu suggest that barcode scanner manufacturers no enable additional features beyond standard protocols by default, nor should they transmit ASCII control characters to the host device by default. Hosts in IoT environments, meanwhile, should think twice about using barcode scanners that emulate keyboards, and should disable system hotkeys, Yu said.