Slashdot Mirror


BadBarcode Attack Forces Host System To Carry Out Commands (threatpost.com)

msm1267 writes: Researchers at this week's PacSec 2015 conference in Tokyo demonstrated how they were able to inject special control characters into a barcode, so that a barcode reader will 'press' host system hotkeys, and activate a particular function. The attacks, called BadBarcode, can be used against any keyboard wedge barcode scanner that supports ASCII control characters--many do. An attacker can then use control commands to open or save files, launch a browser or execute commands. Here are the presentation slides.

1 of 79 comments

  1. In other news, SANITIZE YOUR DAMN INPUT. by jeffb+(2.718) · Score: 1, Offtopic

    Really, it's not that hard. The hard part is convincing developers and managers to remember that barcodes are not stone tablets graven by the Almighty.
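A host-side version of the input check the comment asks for, as an added example that is not part of the original post or the researchers' material. It assumes the application expects EAN-13 codes and that the scanner appends CR/LF as its terminator; the function names and sample scans are constructed for illustration.

```python
import re

# Constructed sample scans: a valid EAN-13, one carrying an embedded
# control character (0x12), and one with a wrong check digit.
SAMPLE_SCANS = ["4006381333931", "40063813\x1233931", "4006381333932"]


def control_chars(data):
    """Return the ASCII control characters (0x00-0x1F, 0x7F) found in data."""
    found = []
    for ch in data:
        code = ord(ch)
        if code < 0x20 or code == 0x7F:
            found.append("0x%02X" % code)
    return found


def ean13_check_ok(digits):
    """Verify the EAN-13 check digit (weights 1,3 alternating over 12 digits)."""
    total = sum(int(d) * (3 if i % 2 else 1) for i, d in enumerate(digits[:12]))
    return (10 - total % 10) % 10 == int(digits[12])


def validate_scan(raw):
    """Return (accepted, value_or_reason) for one scanned string."""
    # Strip only the terminator the scanner is assumed to append (CR/LF).
    data = raw.rstrip("\r\n")
    bad = control_chars(data)
    if bad:
        # Reject outright instead of stripping: a control character in a
        # barcode is a sign of tampering, not noise to clean up.
        return False, "control characters: " + ",".join(bad)
    # Allow-list the expected format instead of block-listing bad bytes.
    if not re.fullmatch(r"[0-9]{13}", data):
        return False, "not 13 digits"
    if not ean13_check_ok(data):
        return False, "bad check digit"
    return True, data


if __name__ == "__main__":
    for scan in SAMPLE_SCANS:
        print(repr(scan), validate_scan(scan))
```

This check only sees what reaches the application's input handler; key combinations the operating system acts on first never get this far.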