BadBarcode Attack Forces Host System To Carry Out Commands (threatpost.com)
msm1267 writes: Researchers at this week's PacSec 2015 conference in Tokyo demonstrated how they were able to inject special control characters into a barcode, so that a barcode reader will 'press' host system hotkeys, and activate a particular function. The attacks, called BadBarcode, can be used against any keyboard wedge barcode scanner that supports ASCII control characters--many do. An attacker can then use control commands to open or save files, launch a browser or execute commands. Here are the presentation slides.
I was wondering how someone could possibly screw up such a dead simple task, reading a number from a barcode and then passing it on to a computer. You would think there's no way that could go wrong, right? But then I underestimated the creativity of engineers going "hey, that's too boring, let's see what else we can add. Yeah, let's include functionality that lets you read and send any characters you like, including control characters, and let's include that into every friggin barcode reader on the off-chance that maybe somebody might one day want to use it, that will be so cool!".
I know, there might be a few, very few isolated cases where this kind of stuff is useful (as an ugly hack to work around some technical issue that would better be solved in a different way), but then let them use a special reader and leave the millions of cash register barcode readers alone, for crying out loud.
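The summary describes control characters riding inside a barcode, and the comment points out that a register only needs a number. As an added example (not from the article, the slides or the commenter), here is a host-side check that accepts nothing but a valid GTIN and rejects any payload carrying ASCII control characters. It assumes the application receives the reader's decoded bytes directly (for example over a serial interface) rather than as emulated keystrokes; `accept_scan`, `triage` and the sample payloads are hypothetical and constructed.

```python
CONTROL = set(range(0x00, 0x20)) | {0x7F}   # ASCII control characters
GTIN_LENGTHS = {8, 12, 13, 14}              # EAN-8, UPC-A, EAN-13, GTIN-14

class RejectedScan(ValueError):
    """Scanned payload is not a plain, valid GTIN."""

def gtin_check_ok(digits: bytes) -> bool:
    # GS1 mod-10: weights 3,1,3,... starting from the digit left of the check digit.
    body, check = digits[:-1], digits[-1] - 48
    total = sum((b - 48) * (3 if i % 2 == 0 else 1)
                for i, b in enumerate(reversed(body)))
    return (10 - total % 10) % 10 == check

def accept_scan(raw: bytes) -> str:
    """Return the GTIN as text, or raise RejectedScan.

    Assumption: raw is the decoded payload as delivered by the reader,
    before anything has treated it as keystrokes.
    """
    # Readers commonly append one terminator; strip at most one.
    for term in (b"\r\n", b"\r", b"\n"):
        if raw.endswith(term):
            raw = raw[:-len(term)]
            break
    bad = sorted({b for b in raw if b in CONTROL})
    if bad:
        raise RejectedScan("control bytes " + " ".join(f"0x{b:02x}" for b in bad))
    if not raw.isdigit() or len(raw) not in GTIN_LENGTHS:
        raise RejectedScan("not an 8/12/13/14-digit number")
    if not gtin_check_ok(raw):
        raise RejectedScan("bad check digit")
    return raw.decode("ascii")

def triage(samples):
    """Map each sample to ('accept', gtin) or ('reject', reason)."""
    out = []
    for raw in samples:
        try:
            out.append(("accept", accept_scan(raw)))
        except RejectedScan as exc:
            out.append(("reject", str(exc)))
    return out

# Constructed sample payloads, not captured from a real device.
SAMPLES = [
    b"4006381333931\r",            # valid EAN-13 with CR terminator
    b"036000291452\r\n",           # valid UPC-A with CRLF terminator
    b"4006381333931\x0f\x13\r",    # digits followed by control bytes
    b"4006381333932\r",            # wrong check digit
]
```

In keyboard wedge mode the keystrokes reach the operating system before an application-level check like this can run, so the check only applies where the payload arrives as data.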