DEFCON 16. “Barcode Games” Conference. Felix Lindner, Head of Security Labs

    In this presentation, we will talk about barcodes - one-dimensional and two-dimensional barcodes, or matrix codes. Coding, decoding, some tricks, auxiliary things, unresolved problems. Unlike a one-dimensional linear bar code, where the information is encoded in the sequence and thickness of the vertical stripes, a two-dimensional barcode, or 2D code, contains information both vertically and horizontally.

    My report consists of the following points:

    • quick introduction to the essence of barcodes;
    • Barcode encoding and reading;
    • scanners
    • simple tricks with barcodes;
    • hidden attacks;
    • reading selected samples;
    • unsolved problems and challenges;
    • principles of safe use of barcode.

    Barcode was invented in 1948 by Silver and Woodland from the Drexel Institute of Technology. The first attempt to use the barcode was made in 1950 - the Association of American Railways decided to use it to identify wagons and it took more than 17 years to mark 95% of the trains and after that the system never worked. At this time, people considered barcodes worthless.



    But already in 1966, the National Association of Food Products proposed to apply barcodes on products in order to speed up the process of identifying them at the checkout and earn more money. In 1969, the same Association created the industry standard Universal Product Identification Code (later UPC), which has been used since 1970.

    In 1981, the US Department of Defense demanded that all products supplied to the army be labeled with Code 39, a barcode that encodes large Latin letters, numbers, and symbols, and you will see why this was a bad idea.

    Barcodes are divided into one-dimensional and two-dimensional. This is how one-dimensional barcodes of a different standard look:



    Some of them contain only numbers, some both numbers and letters. There are several standards for displaying barcode information.



    They differ in the interval between the strips, the resolution for printing, and so on. In the next picture you see a special barcode, which is often found on mail envelopes. This is the Postnet code, instead in the UK they use a similar BPO 4 code. They contain routing information for emails.



    This is what two-dimensional codes look like - tell me which of these codes is printed on your badges? That's right, it's called the Data Matrix. It differs from others in a peculiar cross, which divides the label into 4 equal parts. They encoded 4 blocks of different information.



    MAXICOD and Aztec code are rarely used in the USA, I once saw MAXICOD on a package from Cisco. PDF417 is widely distributed in Europe, for example, for ticket systems.

    In order to decrypt a barcode, 2 methods are used. You can take the scanner, bring it to the label, the scanner will emit a signal, after which the read information will appear on the screen of your computer. Hand-held scanners are inexpensive and customizable for reading various types of barcodes.

    The second way is to use decryption software. This is what I use. Some programs are free, others cost several hundred dollars, although they are easy to crack. I am a lazy person, therefore, as a real capitalist, I use the paid Omniplanar SwiftDecoder program, it is quite expensive, but it is very good.

    Most scanners connect to the computer via USB and contain a decryption module inside themselves. Therefore, you do not need to use special software for the scanner.



    There are also various software for creating barcodes. With the help of free GNU programs, you can only create one-dimensional barcodes, and in unlimited quantities. You can use various online barcode generators that create it using PHP scripts, and the number of commercial programs is infinite. Writing barcode generators is not difficult, usually you only pay for scripts, or specifications, most of which cost less than $ 20. For example, I bought specifications for Aztec code to write my own program.



    Barcodes are mainly used for three purposes, and let the Germans forgive me, but I can’t put it in a different light, using other words to describe:

    • for identification, as a label;
    • for fast data transfer from a visual medium (business card) to a physical device, for example, to a smartphone;
    • for all kinds of hooliganism, for example, for exchanging encrypted curses, I call it GGU, Ganz Grober Unfug, which means “very rude act” in German.



    Almost any scanner can be configured to read different barcodes - you need to connect it to a computer, then read the Enter Configuration passcode, scan a sample of the desired code and then scan the Save Configaration save code.

    What should you do to configure a scanner? You need to go to the seller’s page of your scanner model, or to the manufacturer’s website, or to the technical support website, or, in the end, call them and get a configuration table. In order to reconfigure the scanner to read other code, you need to change the type of compatible barcode, change the CRLF or the character of decryption. Most scanners support keyboard codes, such as “Exit” ESC, “page up” PageUp, “page down” PageDown, “delete” DEL, and so on, so you can use the ESC command on the scanner as if you pressed this key on a computer keyboard. Some scanners allow you to update your own firmware by reading the appropriate barcode. Therefore, it can be quite simple to hack the system of an entire shopping center.



    You should know that any scanner supports absolutely any barcode, and you do not need to buy separate scanners to read different types of barcodes.

    The easiest way to crack a barcode is to copy it. You do not need to decrypt the code if you know what it gives you. To copy, you need a good digital camera and printer.



    You photograph the barcode on someone else’s badge, business card or invitation, print it on the printer and get a copy. You can use such a copy where you need it. For example, a barcode on the badge of one of the hotel guests allows you to enjoy free drinks. You take a picture of it, print yourself a badge with the same barcode and drink beer for free, as if you “uploaded” money to your badge, that's why chip cards are at our conference :) The copied barcode will help you get to the right place, if You do not have access, but someone has it. It is enough to photograph this barcode and appropriate it.



    Last year in Europe, in Germany, I spent some time in a hotel in Dresden. So, in the underground parking of the hotel the machine does not see the difference between the entry and exit ticket. They have the same barcodes. You can use the parking lot for free if you copy such a ticket. In addition, they have perpetual parking tickets, they give you one when you stay at the hotel. I don’t need to recognize the code on such a ticket - I just copy it, print a bunch of such tickets and give them out as a right to free parking in the city center, which I did, and you can use free parking forever.



    And there are also machines that accept empty containers, for example, plastic bottles, for subsequent processing. Making such a machine was a bad idea. As a rule, you need more time to put the bottles one at a time in the receiving compartment than it takes to drink a bottle of beer. You put a bottle in it, it disappears inside and it all happens extremely slowly, and in return the machine will give you a barcode voucher. This voucher can be exchanged for money or used when buying products in a supermarket. So, just copy one voucher and print a hundred, present them at the checkout and receive money.



    This became possible due to the fact that the machines are not connected to each other and to cash registers, there is no exchange of information, so people just copy vouchers. However, the correct voucher is printed on watermarked paper and a copy may be noticed.

    Consider how to use a copied barcode to pay for a beer. Let's try to decipher the EAN13 barcode, which starts with the code of the country of origin of the product, and the number 2 means that the label is used only for use inside the store.



    The next 6 digits are a cash back command for the cash register, another 5 digits indicate the volume or quantity of products. The last digit is the verification code EAN13 (checksum), it is equal to 10 minus the sum of all previous digits. In general, this allows you to return up to 999 euros, which is very decent.



    Knowing this, you can generate your own barcode and stick it on the desired product. I note that in Berlin there are many people who do not really like to work, but love to drink. If you give them this idea, they will be very grateful to you and will run to the store to get free money.

    To prevent such fraud, stores use their own paper, which is easy to recognize. But if you stick a fake label with a barcode on the bottom of a heavy package of 6 cans or bottles and are not too greedy (the amount will not attract attention), the girl at the checkout will not want to turn it over to examine the paper on which it is printed. The cashier will simply lift it and pass the scanner below to read the information.

    The next area of ​​application for barcodes is access control. Many companies use a barcode to control physical access. However, not everyone knows that usually the control system simply checks whether the data structure is correctly formed. Simply put, it checks to see if it is a barcode or just a collection of random graphic elements. A simple test: it’s enough to show the scanner instead of the barcode on the pass the barcode on the pack of cigarettes, and the door will open.



    Consider a thing called desynchronization. On the pass, people read the number located above the bar code, and scanners and identification systems read what is encrypted in the barcode itself, and this data should not match. Therefore, you must replace either these numbers or the barcode itself.



    Consider this operation on the example of a ticket to the Berlin Zoo. Only numbers are printed under the barcode, for example, 3711679, and decryption of the code itself gives such numbers - 49864088922304. Therefore, if you copy such a ticket, remember that these sequences of numbers must be different from each other.



    How to use desynchronization to take over another's property? Suppose you work in a company and a guy is sitting next to you whose laptop is much cooler than yours and you want to take his laptop to yourself. The fact is that for the use of state-owned equipment, an employee working under a contract receives a barcode. This code is pasted on the laptop, and the same code is on the badge or badge. If the codes match, you can take and use this technique. The right to use the equipment is checked when the employee enters the office building.



    To do this, you copy the barcode from the badge of the rightful owner, it is the barcode, not the number, and place it on your badge. You wait until the guy finishes work, take his computer out of the building, then return back, change the code on the badge to your own and calmly go home.

    In exactly the same way, you can access the network or data that you do not have. Suppose you use the MAC address of a computer that belongs to another employee or its inventory number to enter the network. The MAC address is usually printed on the device itself, here is the serial number and the owner’s sticker with a bar code. After copying the barcode from the badge of the rightful owner, you can take over the information of a colleague or put on this barcode the MAC Broadcast, which contains only F, and put the network.



    What other tricks can I do with barcodes? In Germany, you can use the Video24 round-the-clock automatic DVD rental system, which is located in my house without supervision, for free, and I was interested to deal with it. What does an ordinary user need to watch a movie on DVD for money? Barcode membership card, PIN, or even biometric fingerprint authentication. The rental procedure is as follows: you scan a card, enter a PIN, select a movie, exit the session, and then watch the movie on a computer or TV. So you can order a movie through the website.



    If you want to take a film on physical media, a DVD-ROM for hire from a vending machine, just scan the card and pick it up. To return the disk, you need to “roll” the card again, enter the PIN code and put the disk back into the machine. What is the problem here? You do not need to enter a PIN code.



    So, on the map there is a barcode, indicated by a letter and four digits. The letter matches the first letter of the customer's last name. You just need to scan this barcode from your friend, changing only the numbers, and when he orders the film on the Internet, you will get it! Naturally, a friend will not see this film, but it will be impossible to prove it, so he will be forced to pay for the viewing. So you can watch the DVD and even get it in the machine. The site keeps track of pre-orders, so you can select the drive that no one has yet ordered, and is guaranteed to view it.

    The next trick is called Injection and Multi-Decryption. Most barcode scanners come with factory settings. Even if the settings are changed, you can always reconfigure them. Embedded decryption applications in most cases use the type of barcode for which they were written, usually EAN13 or 2o5.



    Using the more powerful Code 128 encoding, you can enter random data into a barcode reader, such as SQL scripts, separate encryption, or string formatting. The newer the system application, the better this technology works. Take medical research as an example. You can change the software “stuffing” of the scanner so that the real barcode printed on the test tubes will be read as completely different data. That is, you can replace the test results, and no one will notice.

    The next trick is reading QR codes. These codes work like hyperlinks. Suppose you have a newspaper. A real newspaper, one that we hackers have not seen for years! You can photograph a two-dimensional barcode from her page. Commercial software decoders convert it to an HTTP link, and then the program forces the browser of your mobile device to open the page located at this address.



    This is actually a very bad idea, and I will explain why.



    The fact is that usually this barcode does not directly go to the Die Welt newspaper website, where the article is located, but first sends your browser to the commercial website, as shown in the picture.
    When decrypting this barcode, it turns out that it is possible to type random content into the newspaper barcode, and this is called advertising. However, most business people trust their newspapers, at least they consider them safe.

    But the browser of a mobile device, following this link, can pick up viruses or third-party cookies. It automatically, without your will, picks up an advertisement or something worse. That is, reading such a barcode makes your browser vulnerable. As a result, you get:

    • XSS threat, or cross-site scripting, that is, when you open the specified page on your device, a malicious script may be executed;
    • a link can take control of your inbox;
    • the link may direct you to a site with viruses;
    • following the link can download binary codes from a malicious site to your phone.

    You need it? Of course not! Therefore, never read the barcode from the pages of newspapers, it is dangerous!

    Barcodes have another great ability. This is the density of the strips of the one-dimensional barcode. The length of the barcode and its readability depend on it. You can print a barcode of any length by encoding a lot of information in it. However, scanners and identifiers work with barcodes of a certain length; they are designed to read a limited number of digits. Thus, choosing the density of the stripes, you can print much more information within the same physical space. To do this, you need to use a laser printer with high resolution printing, otherwise the stripes of code will merge and it will become unreadable. By the way, have you noticed that getting a scanner with more information than expected is the goal of those people who are usually called hackers?

    So, so that reading the barcode causes the scanner buffer to overflow and cause problems, select a higher print density. Your favorite code for creating barcodes should be Code 128, because it has a full-fledged 7-bit set of ASCII codes and uses the control function code FC4.



    Back to the barcodes that are printed in the newspaper and which direct your browser to the link. Using the disassembler, we will see that the QR code can also contain the number of the application used, the company’s phone number, username and password of the user, and the address of the third-party site to which you log in.

    Consider another thing that is in Germany and which could not be broken. These are packing stations, or Pack Station. You come here with your mailing envelope or parcel, and this station prints you a barcode sticker that you paste on your mailing. And then a UPS employee comes here who cannot always find the door to pick up your mail.



    So, I copied a lot of barcodes into my notebook and tried to crack the scanner of the packing station with them, to deceive him, but I could not do anything with it. This is probably because this scanner reads any one-dimensional barcodes, uses only 2o5 digital encoding and its software is generally “none”.

    Another useful note: if we can unravel the purpose of the barcode, then we can create our own code. It is quite simple.

    Our next goal is postal codes. Postal services are increasingly using a two-dimensional matrix barcode instead of conventional brands. They no longer need to glue stamps, they just print barcodes on envelopes and save themselves time. The advantage of this solution is the automatic creation of such code and its automatic recognition. Some mails use their own types of barcodes, which not all scanners work with.



    What exactly do mail scanners check, what data do they verify? It depends on the purpose of the barcode. Consider the envelope of a letter that I received from an Australian company. There is an ASCII code consisting of only zeros. The cost of the letter is zero, because the company did not pay for sending it, it sends letters for free. If I print the same code on the envelope and send a letter to Australia, then I also will not have to pay for it.



    Two more digital codes encoded 2o5 indicate the postal information and have no relation to the cost of departure.

    Postal codes in the USA are different. The system for applying barcodes is called "Intelligent Mail". Code 128 is used here, and its scripts, or specifications, can be easily found on the Internet as a file in .doc format. That is, all barcode information is easily decrypted.



    However, this information does not contain any indication that you are the recipient of this letter, that is, that it is addressed to you. It only indicates that the sender of the letter is assigned a unique code. And it can be found by this code within 30-45 days, because after this period the information about the person who sent you the letter is deleted from the mail service database. This uniqueness is not protected in any way, because it is in a common barcode. That is, the numbers 10 to 18 can be changed so that the sender could not be tracked. Let's look at the recommendations of the Pentagon, which describe how to recognize dangerous mail, or how to protect yourself from the bomb in a letter. It says here that dangerous letters include:

    • departures from abroad;
    • special notes such as "confidential", "personally for ...";
    • handwritten or poorly typed address;
    • no sender address;
    • the weight of the letter is more than indicated;
    • visible wiring or metal foil, etc.

    At the same time, the credibility of the sender's identification number is not in doubt. If the barcode of the letter contains the sender ID, then everything is in order with it. It turns out that you can send anything to anyone, anywhere, and absolutely free if you specify in the barcode ID that the sender is the Pentagon, the US Department of Defense, because you trust him.

    Consider now plane tickets. Now the fashion trend is to order tickets on the Internet and print on a home printer. Frankfurt Airport Airport Security requires that all tickets booked online or purchased at the box office must have a bar code. I often fly, so I want to show you my tickets with barcodes.



    This is what my program for decoding barcodes on tickets looks like. It is made in different colors for a better perception. Here I found all the information: passenger’s name, number, booking code, departure date, where he flies, flight number, class, place, ticket number. The last digit is the security code used to identify the passenger. However, it is static, that is, it does not change. Thus, we can print our own ticket with our own barcode, writing everything we need there, including a security code. This is bad, because it does not protect dangerous people from boarding an aircraft.



    I marked in red the data for the security code that you receive when ordering a ticket over the Internet. The second column contains data that the scanner checks during landing, and there is no code there. That is, he checks your name, place, date, but does not identify you. There is no confirmation that the person who ordered the ticket and the person who went aboard the plane are the same person.



    Consider luggage bags. They are also equipped with a one-dimensional barcode and are attached to your boarding pass, with which you go on the plane. The barcode on the ticket provides routing, as it indicates where to send luggage. That is, there is no evidence that the baggage belongs to you, except for this coupon attached to the ticket. You show it upon receipt and pick up your luggage.
    Consider this scenario. There is a man, Abdul Ben Shuzal, a potential terrorist, just because he wears blankets. He has a boarding pass. And there is a second man, an agent, Ernst Agent, who wants to make Abdul look like a real terrorist. He copies his luggage ticket, sticks it to the suitcase with the bomb, hands the suitcase into the luggage, it is illuminated by X-ray and find the bomb. It is further clear that Abdul is being detained as a terrorist, because the luggage ticket belongs to him. Thus, any baggage can be made illegal. Even a water bottle. If you buy it outside the airport for $ 1, you will not be allowed to carry it on board. But if you buy exactly the same bottle at the airport for $ 5 - everything is in order, you can take it with you.

    And now I’ll tell you about barcodes that cannot be faked. I found out that there are only three of them, and cracking them is an insoluble task.



    This is the German Post barcode, the German toll road barcode and the U.S. immigration visa barcode. They are fully encrypted and do not contain individual elements that are subject to decryption.

    Here are the principles that enable secure barcode generation using software:

    • consider that barcodes are like browser cookies: they can be intercepted, copied, modified, lost, etc.
    • if you create only one-dimensional barcodes, you must be sure that they contain only random ID codes, and do not try to “push” as much information as possible there;
    • if you are creating two-dimensional codes, use real encryption - this is not expensive and ensures that such a code will not be rejected by the scanner during decryption;
    • make sure that your creation works: if the scanner recognizes your barcode as real, you won! Make sure there is a connection between the sticker and the thing marked with it. There is no browser that could verify this.
    • never trust printed numbers!

    I hope the report was in some ways interesting.

    If you want to “play around” with writing barcodes, or decrypting existing ones and everything related to this, you can visit lagune.cyphertext.de/twiki .



    Thank you for staying with us. Do you like our articles? Want to see more interesting materials? Support us by placing an order or recommending it to your friends, a 30% discount for Habr users on a unique analogue of entry-level servers that we invented for you: The whole truth about VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps from $ 20 or how to divide the server? (options are available with RAID1 and RAID10, up to 24 cores and up to 40GB DDR4).

    Dell R730xd 2 times cheaper? Only we have 2 x Intel Dodeca-Core Xeon E5-2650v4 128GB DDR4 6x480GB SSD 1Gbps 100 TV from $ 249 in the Netherlands and the USA! Read about How to Build Infrastructure Bldg. class using Dell R730xd E5-2650 v4 servers costing 9,000 euros for a penny?

    Also popular now: