BadBarcode Attack Forces Host System To Carry Out Commands

msm1267 writes: Researchers at this week's PacSec 2015 conference in Tokyo demonstrated how they were able to inject special control characters into a barcode, so that a barcode reader will 'press' host system hotkeys, and activate a particular function. The attacks, called BadBarcode, can be used against any keyboard wedge barcode scanner that supports ASCII control characters--many do. An attacker than then use control commands to open or save files, launch a browser or execute commands. Here are the presentation slides.

Derp

[flopsquad]

[STX]
Did you implement all of ASCII in your barcode scanner?
[ACK]
Did you think to scrub out control characters?
[NAK]
Do you know what that means?
[ENQ]
I'll ask the questions, bub.
[BS][BS][BS]
Don't try to BS me.
[SI][SO][ESC]
Where are you going? You can't leave!
[NUL] . . . [DC1]
[BEL][BEL][BEL] Correct. Hackers have control of your device. Now go fix your shit.
[ETX]

Re:Derp

[cfalcon]

God I hope you can spam 0x0C [Form Feed], and then the receipt printer throws a goddamned ticker tape parade.

Re:Will this work in the ticket in ticket out syst

[Lehk228]

it's really just causing the barcode reader to do what it was built for, the problem is the software is trusting uncontrolled user input (the barcode) without sanitizing it first, and also most of these units are set up with the barcode reader connected as a keyboard with access to do things it should not be allowed to do (i.e. if you unplug the scaner and hook a keyboard up you can do the same "BAD STUFF"

In other news, SANITIZE YOUR DAMN INPUT.

[jeffb+(2.718)]

Really, it's not that hard. The hard part is convincing developers and managers to remember that barcodes are not stone tablets graven by the Almighty.

Re:In other news, SANITIZE YOUR DAMN INPUT.

[jeffb+(2.718)]

Oh, and to whomever modded this "off-topic" -- don't you have some barcode input logic you're supposed to be working on?

Re:In other news, SANITIZE YOUR DAMN INPUT.

[jeffb+(2.718)]

Of course they don't. The stone tablets say so.

Re:In other news, SANITIZE YOUR DAMN INPUT.

You're an idiot. The computer receives the barcode command as keyboard input. The attackers figured out how to send control characters down the line as well. So a specially crafted barcode could carry the payload Win+Rmaliciouscommand, or anything else. This is a hardware problem that affects the vast majority of existing barcode readers. There's really nothing any of the software can do to "sanitize" the input.

Re:In other news, SANITIZE YOUR DAMN INPUT.

"There's really nothing any of the software can do to "sanitize" the input."

Why does the software need to re-transmit a Windows key button press unmolested? It seems like Barcodes should only contain A-Z a-z 0-9 and `~!@#$%^&*(){}|:"?[]\;'./" characters. Anything else should get dropped in transit by the embedded chip decoding the barcode don't you think?

Re:In other news, SANITIZE YOUR DAMN INPUT.

[YukariHirai]

Well, maybe. Evidently there is some case to be made for it being possible to use control characters in a barcode, else the standards wouldn't include them. It must be useful to someone, somewhere. So it shouldn't really be up to the scanner hardware to say "yeah nah, not passing that on, ever".

And as others point out, it's not really within the scope of applications to decide whether or not certain keypresses go through to the OS. So what does that leave us? Really just the device driver for the barcode reader. If it were possible to set as an option in the device driver "ignore control characters from this 'keyboard'", that'd do it.

Re:In other news, SANITIZE YOUR DAMN INPUT.

[BitterOak]

Why does the software need to re-transmit a Windows key button press unmolested?

The software doesn't need to re-transmit anything at all. In a keyboard wedge barcode reader, the OS will interpret these keypresses and run the malicious code before your software even sees it. Just like if you push the calculator key on your fancy keyboard, the calculator pops up. It doesn't require that the running application interpret that keypress and launch the calculator app for you. This is why sanitization won't help you at all: the damage is done before your software even gets any of the data.

Re:In other news, SANITIZE YOUR DAMN INPUT.

[sumdumass]

Its because the barcode reader is really a fancy keyboard (when attaches via keyboard wedge). Software has nothing to do with it at that point. The software is more or less like a word processor in this sense. It recieved input from the keyboard but hit win+r cmd "enter" would open a command line and focus all input in it instead of the open document.

In other words, The barcode simply inputs keystrokes and everything you can do with a keyboard can be done with a barcode if not limited by hardware or a keyboard map

Re: In other news, SANITIZE YOUR DAMN INPUT.

[guruevi]

There thing is that these scanners can be programmed to accept only a number of characters but nobody bothers to do so. At my local grocery store they use Bluetooth scanners which are all using the same pin codes. The security in most of these places is laughable, the reason that nobody bothers to mess with the system and even if they did, the technical expertise would make it such a minority that it doesn't matter if one geek shoplifts their cart of groceries compared to the number of people that already just walk out the door with their groceries.

Re: In other news, SANITIZE YOUR DAMN INPUT.

[YukariHirai]

There thing is that these scanners can be programmed to accept only a number of characters but nobody bothers to do so.

It probably wouldn't make that much difference anyway. Typically the only way to program barcode readers is by using special barcodes from the manual or printed out from the manufacturer's software. An attack would just need to start with the special barcode for 'enable these characters'.

Re: In other news, SANITIZE YOUR DAMN INPUT.

[guruevi]

I have a barcode reader from a more professional place. It needs to be put in a programming mode to do that. Then you indeed use bar codes to program it. The point still is that these attacks are niche. It's cheaper and easier and less criminal to just walk out of the store with your groceries than to use technology to do it. If you get caught hacking it, you do 25y of time because you used a computer, walking out of the store nets you community service at best.

Re: In other news, SANITIZE YOUR DAMN INPUT.

[YukariHirai]

Well, that assumes a supermarket self-checkout. (Which, admittedly, is the most likely possible use for this kind of attack.) But there are other places where barcode readers are there for the general public to use.

As an aside, the barcode readers I've encountered at work do not need to be put into a programming mode. But on the other hand, my employer tends to go for inexpensive equipment...

Re:Will this work in the ticket in ticket out syst

[gmack]

The problem is that in most cases there is no possible way to sanitize the input since Windows takes control of it.

Barcode scanner = keyboard

[Dusthead+Jr.]

If I'm not mistaken, most barcode readers, as far as a computer is concerned is just a keyboard. I have had limited time messing around with one that plugged in via a PS/2 port, although most, these days, plug in through USB. If you open a blank text doc and scan something, what would usually show up is the number that appeared below the barcode. I'm not sure if this would work on all retail POS, maybe those that run on some variant of Windows. But would it work on Linux, or proprietary systems?

Re:Barcode scanner = keyboard

[freeze128]

One word: CueCat.

Re:Barcode scanner = keyboard

[_merlin]

It will work on anything that supports a standard USB keyboard, assuming the keyboard layout selected on the host device matches what the barcode reader is generating key-presses for (e.g. if you have French keyboard but the barcode reader generates US key-presses selected you'll get A instead of Q).

Re:Barcode scanner = keyboard

If I'm not mistaken, most barcode readers, as far as a computer is concerned is just a keyboard.

Nope. Barcode readers are generally programmable to act as multiple different devices, requiring different cables depending on the mode selected. The barcode readers we use at work ZebraScan (Now part of Motorola, IIRC) come out of the box with USB cables and HID keyboard "wedge"*, but we reprogram them with the vendors control codes to work as USB ACM (serial) devices. The reason we do this, is not for security, but because UIs that rely on the correct text entry field being selected for a scan to perform the right action are shit. Wedge mode is useful for data entry, where you need to record barcodes in a spreadsheet or documentation, but sensibly designed POS and process automation systems ought to use the barcode reader in some type of serial emulation or real serial mode. Real RS-232 mode is also useful, because a RS-232 scanner can run off 100m or more of Cat5 cable, where-as it is expensive and introduces reliability problems trying to extend a USB cable anywhere near that far. The datarates are such that even at 9600 baud the transmit time is irrelevant for 2D (line scan) barcodes, and not that important even for large 3D datamatrix codes. I haven't seen a scanner yet that directly speaks ethernet and TCP, but I would readily consider buying one if it was available on the market.

*Wedges were used on the old-school PS/2 and AT barcode scanners so that you could "wedge" the barcode scanner in between the keyboard and the system, so you could use both with just the single keyboard port available on an AT or PS/2 system.

Re:Barcode scanner = keyboard

[Osgeld]

most are setup as keyboards, others are ports that lead directly into software, which you wont see that much unless your using it in some industrial setting with automation

Re:Barcode scanner = keyboard

[billcopc]

we reprogram them with the vendors control codes to work as USB ACM (serial)

Yes, you do that, and I do that, because you're absolutely right: wedge mode is a kludge. Problem is, lots of existing deployments do have them set in dumb keyboard mode. Why ? Because the development of that POS appliance or software was farmed out to the lowest bidder (meaning China/India), where the product was made to "work", and the project manager(s) have no idea how barcode readers even work nor why wedge mode is a bad idea.

The same is true of mag-stripe readers. I have seen countless setups in restaurants and movie theatres where the mag reader was in wedge mode. In at least one case the software hid this by enabling/disabling the device when it was expecting a swipe (using an NT filter driver) - but once enabled it would accept any input and pass it through the OS. Now the "good" thing about mag cards is the encoding does not typically support control characters, so you won't be rooting an ATM by that route. I mean... not unless the ATM has a pretty colossal backdoor triggered by a particular string of alphanumeric data.

Re:Barcode scanner = keyboard

[plover]

The problem is that scanners support multiple communications protocols so they can be sold to a wide variety of clients, and the scanners' configurations can be changed via barcode without first asking for permission.

Your attacker can see that you're using a DS-6878 scanner with a USB cable, so he opens his phone's browser to this page of the manual, http://www.manualslib.com/manu... and displays the barcode to configure a North American keyboard. Once scanned, as far as Windows knows someone just plugged in a new USB HID Keyboard device. None of the old configuration settings matter any more, and your bulletproof application may not even be notified that its scanner has been hijacked.

He then scans a few more configuration codes so that he knows his codes will be properly effective, perhaps something like Send Barcodes with Unknown Characters (page 67), and finally a control sequence to open a URL to downloadevilvirus.com/infect.htm. Pwnage ensues.

Re:Go to bars to drink

[ShanghaiBill]

I was thinking free groceries

That won't work. Grocery store scanners are not keyboard wedges, and they are programmed to only read numeric barcodes, such as UPC, EIN, coupon codes, etc. They will ignore any Code128, Code39, or any other barcode that could contain non-numeric data.

Re:Go to bars to drink

[darkain]

https://xkcd.com/285/

Reboot

[penguinoid]

Time to print up some nice CTRL-ALT-Del barcodes for the local evil-mart.

Re:Go to bars to drink

[Nabeel_co]

Um, that's totally not true. Most barcode scanners just show up as USB keyboards, and most places don't bother to change them out of their default config.

Also, most discount cards, if they aren't 2D barcodes, are 1D Code128 codes.

Why so long?

[AndyKron]

They just thought of this now?

Re:Why so long?

[xeno]

No, this report is silly. We used this kind of vector as standard structured attack fare at @stake and foundstone a decade+ ago. It was in our basic reports to explore alt input -- you know, feeding stop-A in barcode to a manufacturing robot, or feeding a break and shellcode to a POS station, one re-labelled product at a time on the belt.

Re:Go to bars to drink

[Technician]

Since many are USB devices, and programmed by special barcodes to enable and disable various symbologies, with enough info on the target scanner, you can reprogram the scanner with a barcode to enable a full ascii symbology, then scan in the attack code. Like many thumb drives, BIOS, etc, there is no write protect to prevent unauthorised alteration of the configuration.

This has been known in the industry for decades.

I remember fiddling around with exactly this back when we had barcode scanners that hooked up over an AT style 5 pin DIN connector.

Traditionally, this has never been an issue because you've always had a cashier manning the point of sale terminal. If they want to do something nefarious, they'll just enter in the commands through the keyboard instead. If a customer was ever in a position to scan multiple barcodes to try and exploit the underlying system (99% of which are custom jobs, running on AIX, AS/400, SCO Unix, and implemented in a variety of different languages), then they could just use the keyboard since there's obviously nobody there to stop them.

This exploit is only really an issue with the newer self checkout machines. These all implement various "hidden" menus for clerks and managers that let you override things like discount prices or zero out the weight on the bagging area sensor. Those menus are invoked by scanning a custom card with a barcode on the back, which causes the barcode scanner to press a specific key combination (this varies depending on the manufacture of the terminal and any site specific customizations).

I have yet to hear about anyone successfully using these kinds of exploits in the wild, though. The moment you enter any of these menus, the menu usually takes over the whole LCD of the checkout terminal. It's very obvious to see someone doing something they shouldn't. So you still need to avoid the security cameras which are usually pointing at the checkout isle, as well as the gaze of whomever is operating the control booth (up here in Canada, we've always got one individual standing around who can help you with the self checkout machine should you have any troubles).

That's not to say that I haven't heard of these machines being exploited, because I have.

About a year ago there was an incident involving a particularly crafty fellow and a smart phone. Some of the "cutting edge" checkout terminals actually use CCD cameras to read barcodes, rather then a laser based system. Those cameras are quite capable of reading a barcode off an LCD screen, like a cell phone. Apparently the guy in question figured out an exploit similar to this one- he rigged up a series of barcodes that opened a command prompt, dumped some text to a VBS file, ran the resulting VBS file, dumped a whole bunch of hex data into that, then the VBS file converted the hex into a binary blob, dumped it to disk, and executed it.

He encoded all these barcodes as a movie that he could play back on his cellphone. It took about 20 seconds to play through the entire movie and load up the executable code on the terminal. The same guy demonstrated some fairly scary exploits that could detect a sequence of scanned barcodes and override the payment subroutines so that you paid $0. That way your buddies could go and checkout, say, two boxes of Tic Tacs, one Oh Henry chocolate bar, and an avocado, and walk away paying nothing no matter how big the final bill was.

As far as I know, that exploit was never made public knowledge because the companies who were experimenting with CCD based scanners decided to switch to an actual USB powered capture device so they could process the barcode data in software (rather then using an ASIC tied directly to the CCD sensor). That same software was integrated into the point of sale software so that it wasn't really emulating a keyboard per say, there was no way for the scanner input to escape the checkout software and interact with the actual operating system.

Little bobby tables...

[slazzy]

https://xkcd.com/327/

Re:Will this work in the ticket in ticket out syst

[davester666]

Windows! Cash tills are more likely to be running DOS. Thankfully, it's so old, nobody knows how to hack it anymore.

Re:Will this work in the ticket in ticket out syst

In this case you are mistaken. Most bar code scanners represent ASCII control characters as a sequence of ‘press control’, ‘press X’, ‘release X’, ‘release control’, where X is in the set 2, A...Z, [, \, ], 6 and -. None of these get any special treatment from the operating system and they all get sent to control with the input focus.
Now, I gather there are bar code scanners which allow arbitrary keys to be sent, but chances are your cashier station isn't using one of those and you can still disable that attack by editing the Windows scan code map (the same thing that you can use to change your Caps Lock into an F13).
There are also bar code scanners that can be reprogrammed by scanning bar codes (ADF enabled scanners) to send keys at scan time, but also to make it interpret future bar codes differently. If you cannot turn ADF off after you're done configuring it, you're hosed because then this becomes a DoS attack channel.

SCADA, Bardcodes, Medical systems

All weak point with no validation and so on.

This is what annoys me, these so called "security experts" are NOT what they pretend to be, they are just picking OBVIOUSLY WEAK systems with OBVIOUS attacks that were NOT DESIGNED to be secure.

No news here, we have known this for decades.

keyboard wedge?

[skastrik]

Meaning that it connects through the ps/2 keyboard port of a computer. I had to google that.

Re:Go to bars to drink

[michelcolman]

I was wondering how someone could possibly screw up such a dead simple task, reading a number from a barcode and then passing it on to a computer. You would think there's no way that could go wrong, right? But then I underestimated the creativity of engineers going "hey, that's too boring, let's see what else we can add. Yeah, let's include functionality that lets you read and send any characters you like, including control characters, and let's include that into every friggin barcode reader on the off-chance that maybe somebody might one day want to use it, that will be so cool!".

I know, there might be a few, very few isolated cases where this kind of stuff is useful (as an ugly hack to work around some technical issue that would better be solved in a different way), but then let them use a special reader and leave the millions of cash register barcode readers alone, for crying out loud.

Re:Go to bars to drink

[Hognoxious]

Right. And aircrew all know how to convert from gallons to litres.

Re:Will this work in the ticket in ticket out syst

[sumdumass]

No - not really.

Programs like quiken point of sale and many others run on Windows and use the Windows driver. Usually they require winxp or better but i know of several win95 and 98 pos still in use.

Re:Go to bars to drink

[michelcolman]

Actually, we use Google calculator for that.

Re:Go to bars to drink

[Lennie]

Actually, they used to work like keyboards.

I don't know if they still do.

But I remember a talk at a CCC conference in Germany where they took a sixpack of beer and put a different barcode on the bottom (the reason the sixpack is a good target is because it's heavier so cashier doesn't look at the bottom). The barcode instead of adding to the bill did the exact opposite: subtracted from the bill the same amount.

But to make these kinds of hack work at your local supermarket you first need to know at least a little bit about what systems they use and how the system work.

Re:This has been known in the industry for decades

[KGIII]

I love Slashdot. Thanks for taking the time to type that out. Nobody else said thanks so, I will. I suppose some would be like TL;DR but I appreciated it.

My own 'complaint' isn't really a complaint but just an FYI. It's "per se" and not "per say." Why do I know this? Someone on Slashdot corrected me.

SNOW CRASH

[TheRealHocusLocus]

Nam-shub.
Don't look at it!

Science fiction of yesterday is the science fact of today.

Re:This has been known in the industry for decades

[Rob+Lister]

And to think I wasted my last Mod Point on something humorous. Thanks for that.

Re:Go to bars to drink

[JustAnotherOldGuy]

Like many thumb drives, BIOS, etc, there is no write protect to prevent unauthorised alteration of the configuration.

100% true. I worked for a barcode company for quite a few years and there was never any write-protect switch or password needed to alter the device config. We simply had a book of barcodes that we scanned to set the device up however we wanted.

And now looking back on it, it seems we were all astoundingly naive not to realize that someone somewhere would take advantage of that. Of course at the time there wasn't anything terribly interesting you could get away with by fiddling with the config, but that's no longer true.

If nothing else one could do some very malicious things by mucking about with the configuration, in some cases possibly leading to injury and/or death. (For example, altering a printed "Max Pressure Allowed" label to read "500lbs" instead of "20lbs" or a hospital label printer to output "Recommended Dosage: 500mg" instead of "Recommended Dosage: 30mg".)

Re:X-Files did it first

[rainer_d]

Hah!
Was thinking of this right at the moment I read the word bar-code in the headline.

Re:Will this work in the ticket in ticket out syst

[peragrin]

businesses switched to windows XP. about the time windows 7 came out.

Re:This has been known in the industry for decades

[ljw1004]

The same guy demonstrated some fairly scary exploits that could detect a sequence of scanned barcodes and override the payment subroutines so that you paid $0. That way your buddies could go and checkout, say, two boxes of Tic Tacs, one Oh Henry chocolate bar, and an avocado, and walk away paying nothing no matter how big the final bill was.

The final bill was $2.52 for the tic-tacs, $1.29 for the Oh Henry, $2 for the avocado -- $5.81 in total.

If I could get stuff for free no matter the size of the final bill I'd get WAY more than that! Like, maybe five Oh Henry bars!

Re:Will this work in the ticket in ticket out syst

[davester666]

No, that's WAY too new. Think regular till, where you punch in amounts, maybe scan in items, and the display is a single or couple of lines of text. Prints out a paper tape.

Re:Will this work in the ticket in ticket out syst

[Blaskowicz]

I'm seeing modern systems where you scan items, maybe punch in amounts, with a display that has a single or a couple lines of text, that prints out a paper tape (thermal paper) but there is a color flat panel display and some Windows XP running underneath too.

Re:Will this work in the ticket in ticket out syst

[eric_harris_76]

So, is "barcode injection" jargon now? Apparently. https://duckduckgo.com/?q=barc...