Barcode as exploit. ASCII characters in barcodes allow an attack on scanning systems



    Barcodes are so widespread that it is hard to imagine goods were once distributed without them. That popularity is what draws attackers' attention to the system. As information security experts have shown, barcodes are quite vulnerable once the entire system, readers included, is taken into account.

    A team of researchers from Xuanwu Lab spoke at the PacSec 2015 conference in Tokyo, demonstrating several types of attacks using poisoned barcodes. The researchers worked with several types of scanners, and all of the systems tested were vulnerable: with specially generated codes, the scanning system can be forced to perform almost any action, including launching a shell and executing a number of other commands. The attack was named BadBarcode.

    The Xuanwu Lab team also showed that this type of attack is quite simple, and it is very difficult to say which models of scanners and scanning systems require updates to close the vulnerability.

    “We don’t know what the bad guys can do. BadBarcode can force the system to execute any command, or even install a trojan,” says Young Yu, one of the study participants. Last year, Yu and his team received $100,000 from the Microsoft Mitigation Bypass Bounty.

    Yu said scanning systems can be attacked because most barcodes can contain not only digits and letters but also other ASCII characters, including control characters, depending on which protocol is used. Barcode scanners, in most cases, act as keyboard emulators. If the scanner supports the Code128 protocol, which can carry ASCII characters, an attacker can create a barcode that forces the computer attached to the scanner to perform unintended actions, up to and including installing a trojan.
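
    The Code 128 mapping behind this, as an added example that is not from the article or the researchers: in code set A, symbol values 64-95 decode to ASCII control codes 0-31, so a host-side check can decode the symbol values and reject control characters before the text reaches an input field. The function names and the two sample symbol lists are constructed for illustration.

```python
# Added example (not from the article): decode Code 128 symbol values and
# flag ASCII control characters before the text reaches any input handler.
START = {103: "A", 104: "B", 105: "C"}   # start symbols select the code set
STOP = 106
SWITCH = {"A": {99: "C", 100: "B"},      # in-band code-set switches
          "B": {99: "C", 101: "A"},
          "C": {100: "B", 101: "A"}}

def decode_code128(symbols):
    """Decode [start, data..., checksum, stop] symbol values to text."""
    if len(symbols) < 3 or symbols[0] not in START or symbols[-1] != STOP:
        raise ValueError("missing start or stop symbol")
    *data, check = symbols[1:-1]
    # Checksum: start value plus position-weighted data values, modulo 103.
    if check != (symbols[0] + sum(i * v for i, v in enumerate(data, 1))) % 103:
        raise ValueError("checksum mismatch")
    code_set, shift, out = START[symbols[0]], False, []
    for v in data:
        active = code_set
        if shift:                         # Shift applies to one symbol only
            active, shift = ("B" if code_set == "A" else "A"), False
        if active == "C":
            if v < 100:
                out.append(f"{v:02d}")    # set C packs two digits per symbol
            else:
                code_set = SWITCH["C"].get(v, code_set)
        elif v < 96:
            # Set A: 0-63 -> ASCII 32-95, 64-95 -> ASCII 0-31 (control codes).
            # Set B: 0-95 -> ASCII 32-127.
            out.append(chr(v - 64) if active == "A" and v >= 64 else chr(v + 32))
        elif v == 98:
            shift = True
        else:
            code_set = SWITCH[active].get(v, code_set)  # FNC codes are skipped
    return "".join(out)

def control_chars(text):
    """Return (index, code point) for each ASCII control character."""
    return [(i, ord(c)) for i, c in enumerate(text) if ord(c) < 32 or ord(c) == 127]

def vet_scan(symbols):
    """Return decoded text, or raise if it carries control characters."""
    found = control_chars(text := decode_code128(symbols))
    if found:
        raise ValueError(f"control characters at {found}")
    return text

# Constructed samples: a plain set-B label and a set-A label with a TAB.
BENIGN = [104, 33, 34, 17, 18, 19, 106]   # "AB12"
TABBED = [103, 33, 73, 34, 75, 106]       # "A", TAB, "B"
```

    A check like this belongs in the application that receives the scan; when the scanner is a keyboard emulator the characters arrive as keystrokes, which is why the article's advice targets the scanner's defaults and the host's hot keys.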

    Barcodes crafted by the researchers triggered actions on the computer such as OpenFile, SaveFile and PrintDialog. They could also launch a browser or other programs.

    “We created several types of attacks,” Yu said. “The key principle is to add special control characters to the barcode, so that the reader system will perform third-party actions. Creating an exploit like BadBarcode is easy. It is only necessary to generate the corresponding barcode and print it on paper,” added Yu.



    Fixing the vulnerability is not easy, because the problem is not limited to particular scanners: the entire barcode industry is vulnerable. After the discovery, the research team that developed the “poisoned barcodes” did not even know which scanner manufacturer to contact, since all of them were (and are) vulnerable.

    According to Yu, manufacturers should not enable ASCII support in scanners by default. In addition, “hot keys” should be disabled on systems that work with barcodes.
