The Rising Barcode Security Threat
eldavojohn writes "As more and more businesses become dependent on barcodes, people are pointing out common problems involving the security of one- or two-dimensional barcode software. You might scoff at this as a highly unlikely hacking platform but from the article, 'FX tested the access system of an automatically operated DVD hire shop near his home. This actually demanded a biometric check as well, but he simply refused it. There remained a membership card with barcode, membership number and PIN. After studying the significance of the bar sequences and the linear digit combinations underneath, FX managed to obtain DVDs that other clients had already paid for, but had not yet taken away. Automated attacks on systems were also possible, he claimed. But you had to remember not to use your own membership number.' The article also points out that boarding passes work on this basis — with something like GNU Barcode software and a template of printed out tickets, one might be able to take some nice vacations."
> The article also points out that boarding passes work on this basis -- with something
> like GNU Barcode software and a template of printed out tickets, one might be able
> to take some nice vacations."
Yeah, in Guantanamo...
> with something like GNU Barcode software and a template of printed out tickets, one might be able to take some nice vacations.
you terrorist scum!
I work for the Department of Redundancy Department.
Maybe I'm missing something salient, but all this says is if you change the membership number provided to the system, the system will use that instead of any other. The only difference is that instead of the number being provided via a keyboard, it's provided via a barcode.
Nothing to see here, move along.
I write bullshit
BART tickets in SF are magnetic, not barcodes, but I've been expecting fakes Any Day Now.
Any sufficiently advanced technology is indistinguishable from a rigged demo.
Great, now GNU Barcode will be classified as a terrorist weapon...
It's 2008 in Europe, the year when GSM encryption will become breakable: rainbow tables for A5 decryption are currently being calculated on FPGAs.
Darn it, now Acme* is going to read this and put a stop to my fake-discount-card ways. (They'll accept any code with the right length and first three digits... amusingly including other supermarkets' cards.)
*That's the grocery store, not Roadrunner's coyote-torturing company.
There is nothing special or inherently secure about barcodes. They are just a machine-readable number. Security has nothing to do with it; those are measures taken outside the barcodes. Anyone can print any type of barcode on just about anything.
Being able to print 2-dimensional, 3-dimensional, or even n-dimensional barcodes is useless no matter what software you have unless you already possess the inside info of knowing somebody's valid account number, data, etc. If somebody's gotten a hold of enough info to successfully print and use an illicit barcode, your security problem lies NOT with the barcode itself but with the system that allowed this information to get out in the first place.
The same situation exists with magnetic stripes. If you have valid account data you can write it to a magnetic stripe on a card and go to town with it. It's getting the data that's the hard part.
Sounds like the brilliant utility companies of the '60s that trusted the billing and payment amounts that they sent to their customers on punched cards, and expected to trust when the cards were returned with "payment".
Barcodes are pretty much obsolete so far as people's ID goes, so the only organisations who might possibly take a hit are those that haven't updated their systems to "modern" mag-stripe technology.
If you wanted to try and scare people over the holidays - and there hasn't been a good scare for a while, so I suppose someone wants to increase the fear factor - why not go with that?
Someone please put this story back in 1988 where it belongs
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
I remember reading about some guy who was stealing using bar codes. He would go to a store, and put a fake price sticker complete with a fake barcode on some expensive item; then he would take the item to the cash register, where the sales person would scan the bar code, the item would ring up as something less expensive, and he would pay the amount on the cash register. Sell the item at a large profit, then repeat.
He made up the fake stickers at home. I believe he would buy one of the less-expensive item, and at home he would duplicate its sticker. He didn't even need to generate the bar code, he was just copying the one that was on there.
Eventually he did the same trick too many times and they caught up with him.
If anyone remembers details of this story and can post a link to it, please do.
steveha
lf(1): it's like ls(1) but sorts filenames by extension, tersely
L33t hackers discovered that with a certain amount of awareness and bravado it is possible to obtain quite tasty sandwiches for free, by hanging around the pickup counter at sub shops and pretending to hold the ticket number that was just called out.
I have not seen the barcode, but this likely could be thwarted by using a simple checksum algorithm to add two digits to the end of the barcode number or somewhere within. This would prevent rudimentary attacks on the barcode by simply changing a few digits. The system could then check the number to see if the number 'checks out' prior to allowing access. This is valid, of course, if an attacker does not figure out the checksum number. From reading the article, it sounds as if there is another system flaw.
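The two check digits this post describes, as an added example (not code from the article, the talk or the shop's system): ISO 7064 MOD 97-10 appended to a constructed membership number, with the verifier rejecting a changed or transposed digit, and the caveat the post raises, namely that the algorithm is public and so only filters malformed numbers rather than authenticating them.

```go
package main

import (
	"errors"
	"fmt"
)

// mod97 reduces a decimal digit string modulo 97 one digit at a time, so a
// membership number of any length is handled without integer overflow.
func mod97(digits string) (int, error) {
	if digits == "" {
		return 0, errors.New("empty number")
	}
	r := 0
	for _, ch := range digits {
		if ch < '0' || ch > '9' {
			return 0, fmt.Errorf("non-digit %q in number", ch)
		}
		r = (r*10 + int(ch-'0')) % 97
	}
	return r, nil
}

// CheckDigits returns the two ISO 7064 MOD 97-10 check digits for payload:
// 98 - (payload*100 mod 97), zero-padded to two digits.
func CheckDigits(payload string) (string, error) {
	r, err := mod97(payload + "00")
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%02d", 98-r), nil
}

// Valid reports whether number (payload followed by its two check digits)
// satisfies number mod 97 == 1. Every single changed digit and every swap
// of two adjacent digits breaks this relation.
func Valid(number string) bool {
	if len(number) < 3 {
		return false
	}
	r, err := mod97(number)
	return err == nil && r == 1
}

func main() {
	// Constructed sample membership number; not a value from the article.
	payload := "12345678"
	cd, _ := CheckDigits(payload)
	card := payload + cd
	fmt.Println(card, "valid:", Valid(card)) // 1234567889 valid: true
	// Rudimentary edits of the printed digits are rejected at the scanner:
	fmt.Println("changed digit:", Valid("1234567989")) // false
	fmt.Println("transposition:", Valid("1234576889")) // false
	// Caveat: the algorithm is public, so anyone who knows it can mint a
	// well-formed number. The check digits filter garbage and typos; the
	// server must still confirm the number exists and matches the member.
	cd2, _ := CheckDigits("99999999")
	fmt.Println("minted:", Valid("99999999"+cd2)) // true
}
```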
Link to lecture torrent:
http://thepiratebay.org/tor/3953157/24c3-2273-en-toying_with_barcodes.mkv
Lifted from Hack-A-Day 12-30-2007:
http://www.hackaday.com/2007/12/30/24c3-toying-with-barcodes/
I had to look this up: a DVD hire shop is a movie rental store. Apparently the old-worlders use "hire" to mean "rent".
When self-checkout machines first appeared in groceries I thought of this one.
1) Go to your nearest grocery store that has self checkout machines as well as a weigh station in the produce dept.
2) Pick up an expensive bottle of wine.
3) Go to the produce section and put the wine on the scale and enter the code for a cheap item such as potatoes.
4) Place the printed barcode sticker over the barcode on the wine bottle.
5) Pay for your items using the self checkout. The machine verifies all purchases by checking the weight in the bagging area - which of course will match perfectly.
As an added bonus for those under 21, you will not be carded for your alcohol purchase. Of course I would never do this, but I can't imagine that I am the first person to think of it.
A better way to defeat guessing would be to encrypt the SKU, ID number, etc. and decrypt it in the terminal... but at the end of the day any security you put on the barcode can be defeated with a photocopier. As others have pointed out, the real problem lies with non-geeks not understanding the concept of trusted and untrusted data.
Anyone who has done any work with barcodes knows they are encoding schemes, not encrypting schemes. A barcode is simply a way of representing data (may be alphanumeric or binary), in a way that is easily read by scanning equipment. The commonly used algorithms are well publicized and it is easy to obtain software to read or write them. If security is important, encryption must be applied before the data is encoded in a barcode. I've scanned many barcodes on many things, and if money is involved, such as tickets or postage, I've generally found that they decode to seemingly random binary data, which means that most likely, encryption was applied first.
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
Blockbuster Online's envelopes that you take back to the store had all kinds of account information on them, including what type of account. However, it occurs to me that all it needs to have is an account key. They should be able to scan that and your store membership card (two-key system to avoid spoofing) to return the DVD and give you credit to rent your free movie. I noticed a recent minor change in their store policy, so they may have actually fixed this?
Voodoo Girl is the bomb!
The talk this Heise article is about (which was held at 24c3 on Friday) is actually available as a full-length download in various formats on mirrors (look for "2273-en-toying with barcodes") and on BitTorrent along with most of the other talks given at this (totally awesome) event. And it's in English, too.
I've done this for kicks just to see if I could do it, but once I brought one of my fake IDs and fake boarding passes to the airport and got through the "security" (security? BAHAHAHA!) and made it into the terminal. Bought some drinks, ate some food and went home.
:P
No one was the wiser.
You see, it's just a billion dollar FARCE and a WASTE OF TAXPAYERS MONEY for the *feeling* of safety when there really isn't any.
Of course I couldn't get on the plane. I couldn't get on a plane in 2001 without a correct ticket anyway. They had the barcode scanners to "check" you into the plane anyhow. At least, I remember them being available back in 1999 -AND- I wasn't too keen on getting onto a plane where there weren't enough seats, where I'd get caught.
Anyways, just as I said, this is easy to blow a hole through. There's nothing in the world that makes me more mad than being patted down, scanned or searched before boarding PUBLIC TRANSIT. I'm not a criminal, wtf are government agencies doing there?
(posted anon and through a couple anon proxies)
http://ftp.uni-kl.de/24C3/matroska/24c3-2273-en-toying_with_barcodes.mkv
:-D
See this website for mirrors, other video formats and the rest of the videos of the 24C3 conference (some of them are really interesting; videos with a 'de' instead of 'en' in the filename are in German). http://events.ccc.de/congress/2007/Conference_Recordings
Happy new year, gentlemen/women
...someone was faster. Sorry for that.
Once, I got on a flight to Hawaii. The plane was about to push off and, like most of the other passengers, I had settled into my seat. Then some other passenger came and said I was sitting in her seat! We compared boarding passes, and lo and behold, both of our passes were for the same seat! We couldn't figure it out, so we asked the flight attendant for assistance. She couldn't figure it out either, so she had to go back to the boarding gate with our passes to ask the ground crew to figure it out.
After a while, someone finally realized what happened. I was on the wrong flight! I was on board a direct flight to Hawaii, but I had actually bought a ticket to fly to San Francisco and from there transfer to a flight to Hawaii. I had always thought of it as "my flight to Hawaii" and had completely forgotten that I would have to transfer. The boarding gate was off by one, but the airport always changes boarding gates at the last minute and I figured this was one of the times. And the flight was scheduled 5 minutes before my actual flight, so I figured that the flight was early. I lined up like everyone else with my Internet-printed boarding pass, the computer scanned it, and I got on board just like everyone else. There was no alarm that I was on the wrong flight or anything like that.
That was with me accidentally getting on the wrong flight. What do you suppose could happen if someone was intentionally trying to pull off a deception? The only redeeming feature is that this happened in 2002, and I hope that airline security has improved somewhat since then. (I can dream, can't I?)
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
I was buying my kid an Xbox wireless controller from Target, the lady was having trouble scanning the UPC so she went looking for other barcodes, scanned the serial number which got a hit in their system as something for $6.99 (she figured out that wasn't right and eventually got the UPC to work).
I was pretty surprised that the S/N (or at least the left or right part of it) matched a UPC.
For some reason I thought about this a little bit the other day and here it is on slashdot.
:)
Some scanner systems use barcodes to program parameters of the readers themselves. It may be possible to use a special scan code to configure the scanning system to your advantage. Change the accepted symbol sets, internal port settings, etc. Along the same lines as the old modem +++ sequence or more modern SQL injection.
TFA mentions the remaining attacks against poorly designed systems: use of predictable sequences / unauthenticated account numbers and lower-level problems such as SQL injection and buffer overflow.
Use of 2D barcodes to store unauthenticatable clear text information in any application that requires trust from possibly untrusted sources gets what it deserves. This includes trusting the 2D data printed on the backs of many of our drivers' licenses.
Hmm. I boarded a flight on Dec. 24, sitting in seat 27C. As I got on the plane and handed the ticket to the member of cabin crew (having already had this boarding pass scanned at least twice) for her to direct me to my seat, she pointed it out to me, and then did a double take.
"Sorry," she said, "I thought your ticket was for December 27, not row 27."
Now, either she was tired, or that's something that happens sometimes. Anybody know?
> The article also points out that boarding passes work on this basis -- with something like GNU Barcode software and a template of printed out tickets, one might be able to take some nice vacations."
What if the rightful owner shows up with the same ticket number? Unless the tracking software is lame, it should note that a given number had already checked in. At that point, an investigation would ensue. The perpetrator is probably caught on camera for non-trivial travel, and the time stamp of check-in and the camera would identify the crook.
Table-ized A.I.
Encryption? Why encrypt when you can just use a unique, unguessable ID and store everything of actual interest on a secured server?
Keep dreaming.
My experience with a current construction project for a major airline at a major airport speaks to a discomfortingly confused security situation.
The first time I went to the site with the Architect, who had a badge to escort us into the terminal, we were refused entry at 3 different points, always told to go somewhere else that wouldn't let us in. Then we went to an airline official, who said that the badge the architect had would get us in at a security gate that we tried before, so she escorted us there, and we weren't let in. So she did about a half hour of research, and found that we needed to go to the desk where they check in pets in their crates! There they checked the architect's badge and our IDs and issued us each a ticket-like piece of paper that we took to the security gate. There they took that "ticket" from us (and my co-worker's zippo lighter) and let us through. We then had the run of the place, without any ticket or pass.
We spent over an hour and a half getting in to do 2 hours of work. Then, after suffering through all that security red tape, we at one point got separated from the contractor with the keys, while we were in the non-secure loading dock (accessible from a public roadway). But not to worry, a friendly worker let us back to the secured passenger terminal side.
The second time I went with my boss, who picked up his own badge that he applied for three weeks earlier. He had been told it was ready to pick up. It took a little over an hour waiting in lines and watching safety videos to pick up the badge. But when we tried it (it was a swipe and PIN number type), it didn't work. So we went back down to the security badging office, only to find a sign on the door saying that they were closed for lunch and would be back at 1:00pm (even though it wasn't noon yet). I went back to the office, and he stayed the rest of the day to get it straightened out and do about an hour of work.
The third time I went, construction was well under way, the walls were knocked down, and the only thing between the public parking and the secure air side was some plastic sheeting.
Did I mention that both the existing layout and the new design include a loading dock that connects the non-secured public roadways with the secure airside through a locked, but un-manned, door? Anyone on the inside (including employees, or sneaky passengers) could open the door, (or man the freight elevator if they had the key), and bring large, explosive things off the truck with a forklift and into the passenger terminal.
I don't see much to be concerned about. "Hacking" them isn't really new, switching UPC stickers has occurred for decades, and as mentioned by another reader, it's a considerably small number of instances. The best place to put security worries is in the barcodes' offshoot, RFID tags.
Or at least not more than at the moment. I just had an international flight with e-check-in. It would have been trivial to print several boarding passes (you print them yourself) with different names. I don't remember whether it had a barcode, but at boarding they just kept the second printout. Admittedly this was from Switzerland to Austria, but still.
I don't think barcodes are a security risk at all. Reliance on stuff that any modern printer can do is.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
...is the Trojan zebra camouflaged within.
I saw a man who got through security, got onto the plane with a legitimate boarding pass, and then he only had a problem after someone else showed up with the exact same boarding pass. It turns out the guy tried to buy his ticket online, but being not very computer savvy, he never clicked the final "Buy" button. Then he just showed up at the airport, and they couldn't find the ticket under his name, so they printed out the boarding pass for the next closest last name and gave it to him.
This was last week. But maybe airline security has improved somewhat since then.
Implementing a public key infrastructure would allow for signing of printed barcodes. Let's say you used PDF417 as your barcode. You can encode up to 2710 characters of data. This allows for your unguessable ID and also lets you have it signed by the private key of the employee doing the printing. You still need to deal with the problem of preventing forged logins, etc., but incidents of barcode fraud by outsiders will drop to zero and the number of attack vectors for insider fraud is greatly reduced.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
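An added example (not from the article, the talk or any airline's system) of the signed PDF417 payload this post describes, combined with the earlier suggestion of a unique, unguessable ID with everything else kept server-side, in Go with Ed25519. The `PASS1` field layout, the issuer badge ID `emp-0042` and the 24-hour expiry are assumptions; the 2710-character limit is the capacity the post quotes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

const sep = "|" // field separator; never allowed inside a field

// Pass is all the printed symbol carries: an unguessable ticket ID, the badge ID
// of the signing employee, and an expiry. Who paid and for what stays server-side.
type Pass struct {
	TicketID string
	Issuer   string
	Expires  time.Time
}

// payload is the exact byte string that is signed and later verified.
func (p Pass) payload() string {
	return strings.Join([]string{"PASS1", p.TicketID, p.Issuer,
		p.Expires.UTC().Format(time.RFC3339)}, sep)
}

// NewTicketID draws 128 random bits so IDs cannot be guessed or enumerated.
func NewTicketID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Issue signs the pass with the issuing employee's Ed25519 private key and
// returns the barcode text: payload, separator, base64url signature.
func Issue(priv ed25519.PrivateKey, p Pass) (string, error) {
	if strings.Contains(p.TicketID+p.Issuer, sep) {
		return "", errors.New("field contains the separator")
	}
	body := p.payload()
	sig := ed25519.Sign(priv, []byte(body))
	out := body + sep + base64.RawURLEncoding.EncodeToString(sig)
	if len(out) > 2710 { // PDF417 text capacity quoted in the post
		return "", errors.New("content exceeds PDF417 capacity")
	}
	return out, nil
}

// Verify parses a scanned symbol, looks up the issuer's public key in a trusted
// directory (revoked badges are simply absent), checks signature and expiry.
func Verify(keys map[string]ed25519.PublicKey, scanned string, now time.Time) (Pass, error) {
	f := strings.Split(scanned, sep)
	if len(f) != 5 || f[0] != "PASS1" {
		return Pass{}, errors.New("malformed pass")
	}
	exp, err := time.Parse(time.RFC3339, f[3])
	if err != nil {
		return Pass{}, fmt.Errorf("bad expiry: %w", err)
	}
	p := Pass{TicketID: f[1], Issuer: f[2], Expires: exp}
	pub, ok := keys[p.Issuer]
	sig, err := base64.RawURLEncoding.DecodeString(f[4])
	// ed25519.Verify itself rejects signatures of the wrong length.
	if !ok || err != nil || !ed25519.Verify(pub, []byte(p.payload()), sig) {
		return Pass{}, errors.New("unknown issuer or signature mismatch")
	}
	if !now.Before(p.Expires) {
		return Pass{}, errors.New("pass expired")
	}
	return p, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	keys := map[string]ed25519.PublicKey{"emp-0042": pub} // constructed issuer directory
	id, _ := NewTicketID()
	code, _ := Issue(priv, Pass{TicketID: id, Issuer: "emp-0042", Expires: time.Now().Add(24 * time.Hour)})
	_, genuine := Verify(keys, code, time.Now())
	// Editing the ticket ID (the attack class in the thread) breaks the signature.
	_, edited := Verify(keys, strings.Replace(code, id, "AAAA"+id[4:], 1), time.Now())
	fmt.Println("genuine:", genuine, "edited:", edited) // genuine: <nil> edited: unknown issuer or signature mismatch
}
```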
I have no doubt that temporary security issues exist. The hard part is turning these temporary situations into real, exploitable, predictable vulnerabilities.
I'm a private pilot. I walk into the local FBO (like an airport terminal, but for private planes) and after a very brief check, I'm able to freely roam the "secure" side of the airport. Not just where the "small" planes are, the whole "other side" of the airport. I can drive a truck out to the plane I'm flying, without any check whatsoever of the truck's contents. I have to remember to stop after passing thru the gate so that only my car passes thru. That's about it. This is normal and typical, but my shoes never come off, and I can certainly have a 12 oz soda (or a 2-liter bottle) in my hand while this happens. A private plane (such as a Cessna 172) is not so different from a car, except that it flies. Remember that the building blast in Oklahoma was done with a simple car bomb.
Next time you take off your shoes, remember this tidbit of wisdom: 9/11 might have been prevented if we had then today's general paranoia, but the specific measures out there today would not have stopped it. Today's measures, if effective from 9/1/2001 forward, would not specifically have prevented the horrible attacks on 9/11/2001. It's in large part a sham, designed to inconvenience tax payers so that they are lulled into thinking that their tax dollars are at work. Except that it kinda works, because it's hard to predict which of the various security measures will be enforced on whatever day.
The truth is that truly effective security is often misunderstood and almost never implemented. What we get instead is a pile of rules, regulations, and "inconveniences" that, combined, make it difficult to organize any kind of grand scheme, even if the individual components are horribly insecure.
In short, it's the random nature of security enforcement that makes it effective, not the universal enforcement. Random enforcement is much cheaper, and is truthfully "good enough". And it will, occasionally, fail. And the price of the occasional failure will generally be less than the cost of the improved security all along.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I find it a bit surprising that no one's yet mentioned the free 3of9 barcode font.
Back when I had a working scanner / OCR setup, I spent a lot of time trying to reverse-engineer the barcodes on coupons. You might be surprised how lenient cashiers are with those things these days... even after a former co-worker of mine printed up (and handed out) about 1,200 self-made "Free 20oz Coke Product" coupons.
With internet-printable coupons more popular than ever, I wonder how long it'll be before we start seeing larger-scale scams involving reverse-engineered "custom coupons"?
I don't suffer from insanity, I enjoy every minute of it! --Longbottle
Crew returning home are also in the system ("dead-head crew" or "dead-end crew", I never checked). They have a special ticket & reservation which is called "ID" ("Industry Discount"). About the only persons to fly without a ticket on a plane are the real crew. Good luck impersonating one of them.
I would add that most systems the airlines use are old crummy mainframes (this is changing, as many airline system providers are developing new systems) with fancy GUIs. Those I know of are next to impossible to do a buffer overflow or any injection technique on, and even if you did, you would have to learn all the specs of the RES and ticketing system (it ain't a simple SQL database; most are proprietary databases on flat files. Think old record systems from the 60's). An insider would have a better chance. And forget hacking yourself at CKI; you need the corresponding CRS/RES+INV record or you won't make it far. True, there are incidents where people are not on the flight they should be, but the last I heard of was long ago for big airlines.
Not only does this story sound like stupid aviation red-tape, but it's also got some classic Chicago moments (the badging office being closed until 1 pm is a pretty good give-away).
How about this hack? I thought about it some 18 years ago when I wrote some custom 3 of 9 barcode software for a bespoke application.
Take the 5 cent can deposit on soda cans and duplicate it and then place that sticker on any item that will seem like a soda container and then, in turn, place this in a soda deposit return machine for "free" money.
I remember calculating the work effort that it would all entail, and the hourly rate on 5 cent returns was not worth it. Maybe for some 10 cent deposit states it might be different.
Kinda sorry now that I just never tried it. Just too busy now to do so.
I am sure that there is nothing special on the containers that would prevent one from doing this.
> That was with me accidentally getting on the wrong flight.
A similar story happened on a flight from France to Germany in the nineties. Because of overbooking I had been upgraded to business class and no one else claimed the seat, so I was completely unaware of being on the wrong flight. Only during the traditional hostess announcement after take-off did I mention to my neighbor that the wrong destination was announced... Lufthansa nicely took it as their own error and re-routed me on a flight from Stuttgart to my original destination, Hamburg.
What happened is that the planes were on the two branches of a "Y"-shaped boarding bridge. When the overhead sign changed from "Stuttgart" to "Hamburg" I leaped from my seat, handed over my boarding pass and boarded. But the ground crew had not had time to change the ribbon barrier configuration, so I boarded the wrong plane. I should have been surprised to be first at the gate and then board a full plane.
Anyway, if you forge a boarding pass, do it for a first or business class seat - a collision with another passenger is less likely.
> I had to look this up: a DVD hire shop is a movie rental store. Apparently the old-worlders use "hire" to mean "rent".
you mean as opposed to using it as a salutation ?
> Now, either she was tired, or that's something that happens sometimes. Anybody know?
I can think of a possible reason...
Blank until
Oh, a good guess, but no.
I don't think I should say specifically.
In my experience they are very good at that randomness; the rules seem to change arbitrarily every week, if not by the day.
But it's very frustrating when you're just doing your job, and the doesn't-seem-so-secure security doubles the costs of doing it.
Reminds me of a warehouse I had a temporary job in. We temps had no badge to get in, but we couldn't leave the door open, even temporarily, for the sake of perceived "security".
Never mind that the bay doors (where the trucks dock) were wide open.
As for your claim about safety, do you have any doubt that if you take an airliner to fly someplace that you will get to where you are flying to? I fly both commercial and private aircraft. Being blown out of the sky or crashing at the hands of a hijacker isn't even a consideration I bet for anyone in America reading this. I wouldn't even bet on something happening in a given year, unless you want to lose money. You would be better off betting on Lotto. You may think what they are doing is silly, however it is working. Like it or not. I don't like it either, that is why I own my own airplane. It is always there waiting for me, ready to go.
I will say that you do have guts to pull that off. You may make a good CIA or FBI agent one day. You want a thrill, they have it. They need people with guts.
There is the minor difficulty of duplicating government identification showing that you are the person named in the tickets/records--unlike the dvd booth, it is *highly* probable that the person that paid for the ticket is there at the same time trying to board--with id.
hawk
It sounds like he just got lucky or hasn't hit a trap yet. Or that the DVD store is just sucky software.
I can tell you now that any serious system that uses barcodes/magstripes tends to have a number of protections built in to verify the data. For example, the obvious ones are modulus/CRC checks. Less obvious are things like serial traps. For example, they may take 10 random serial numbers out of a 100 and automatically invalidate them and trigger an alarm if one is used. Bit shifting, XOR, and various other tricks can stop someone from easily guessing the sequencing without the hardware.
I work at Kohl's Department Store and their in-store credit line ('Kohl's Charge') uses a barcode on the back of the 'credit card' to charge your account; there is no magnetic stripe. The 'numbers' the barcode represents are clearly printed under it.
All it would take is some clever Kohl's employees: get a big list of Kohl's Charge numbers, make cards with names corresponding to whatever ID you have.. bingo..
Oh, the most hilarious thing is with Kohl's... if you lost your card, you can go into the store and ask them to do a lookup-
Now, with just a social security number you can get a printout of that very same barcode at the register, AND have everything charged to your account.. just by entering your social at the pin pad
Excuse me, I don't mean to impose, but I am the ocean
The problem with barcodes is that they contain *visible* data.
With a mag card you need to know a few things: the database format the card is linked to (same as barcode) _and_ the data encoded on the mag stripe. The last piece of information you need to obtain using a card reader at close range.
With a bar code, you can obtain the data via camera from anywhere line-of-sight with the bar code. Thus, bar codes are more closely related to RFID tags (but with easier readability/forgeability and longer range) than to mag stripe cards.
Perhaps I'm misunderstanding you, but wouldn't securing the cockpit doors have prevented the hijackings that took place on 9/11/2001?
If you can print n-dimensional barcodes with n > 3, I have some string theorists who would love to talk with you.