BadBarcode Attack Forces Host System To Carry Out Commands (threatpost.com)
msm1267 writes: Researchers at this week's PacSec 2015 conference in Tokyo demonstrated how they were able to inject special control characters into a barcode, so that a barcode reader will 'press' host system hotkeys, and activate a particular function. The attacks, called BadBarcode, can be used against any keyboard wedge barcode scanner that supports ASCII control characters--many do. An attacker can then use control commands to open or save files, launch a browser or execute commands. Here are the presentation slides.
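A host-side check for the control characters described in the summary above, as an added example that is not part of the original post and not code from the researchers or any scanner vendor. It assumes the decoded barcode bytes can be inspected before they are replayed as keystrokes, and that the scanner appends a single CR, LF or CR LF terminator; the function names and sample scans are constructed for illustration.

```python
# Added example. Assumption: decoded scan bytes are available to this code
# before they reach the host as keystrokes (for instance in a decoding layer).

# Names of the ASCII control characters 0x00-0x1F, in code order.
C0_NAMES = (
    "NUL SOH STX ETX EOT ENQ ACK BEL BS HT LF VT FF CR SO SI "
    "DLE DC1 DC2 DC3 DC4 NAK SYN ETB CAN EM SUB ESC FS GS RS US"
).split()

# Constructed sample scans: one clean, one carrying ESC and BEL inside the data.
SAMPLE_SCANS = [b"4006381333931\r", b"12\x1b34\x07\r"]


def control_name(byte):
    """Return the ASCII name of a control byte, or None for printable ASCII."""
    if byte < 0x20:
        return C0_NAMES[byte]
    return "DEL" if byte == 0x7F else None


def inspect_scan(payload, terminators=(b"\r\n", b"\r", b"\n")):
    """Return (clean_text, findings) for one decoded scan.

    One trailing terminator is accepted and removed. Every other control byte,
    and every byte above 0x7F, is dropped and reported as (offset, name).
    """
    for term in sorted(terminators, key=len, reverse=True):
        if payload.endswith(term):
            payload = payload[: -len(term)]
            break
    findings, clean = [], bytearray()
    for offset, byte in enumerate(payload):
        name = control_name(byte)
        if name is not None:
            findings.append((offset, name))
        elif byte >= 0x80:
            findings.append((offset, "NON-ASCII"))
        else:
            clean.append(byte)
    return clean.decode("ascii"), findings


def accept_scan(payload):
    """Return the scan text, or raise if it carried any control characters."""
    text, findings = inspect_scan(payload)
    if findings:
        raise ValueError(f"scan rejected, control characters found: {findings}")
    return text
```

Rejecting the whole scan in `accept_scan`, rather than using the stripped text, keeps a tampered label from being processed as if it were valid data.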
[STX]
Did you implement all of ASCII in your barcode scanner?
[ACK]
Did you think to scrub out control characters?
[NAK]
Do you know what that means?
[ENQ]
I'll ask the questions, bub.
[BS][BS][BS]
Don't try to BS me.
[SI][SO][ESC]
Where are you going? You can't leave!
[NUL] . . . [DC1]
[BEL][BEL][BEL] Correct. Hackers have control of your device. Now go fix your shit.
[ETX]
Nothing posted to