New Attack Leverages Barcodes to Cleverly Hack Targets

Exterminator (thread author)
Oct 23, 2012
Yang Yu, founder of Tencent’s Xuanwu Lab, presented a new attack scenario at the PacSec security conference in Tokyo, one that uses maliciously crafted barcodes to trigger shell commands on infected systems.

This new attack type works with barcodes delivered on paper, or with those supplied in electronic format, uploaded as images to Web-based barcode scanning systems.

The attack was named BadBarcode and relies on the presence of over-reaching barcode standards and on improperly configured barcode scanning terminals.

Malicious instructions conveyed via barcode-encoded ASCII characters
Mr. Yu said that, because some barcode formats allow ASCII control characters to be encoded alongside ordinary text, a crafted barcode can make a scanner that behaves as a keyboard emit the equivalent of CTRL key combinations.

So instead of the barcode terminal simply reading the code as text, as it does most of the time, it is tricked into sending keystrokes that trigger far more dangerous actions on its host system, such as opening a shell window.

Mr. Yu was able to launch several attacks during his demo, where, by scanning a simple barcode, or multiple barcodes, he was able to launch exploits on the target machine, download malware, or carry out other unwanted operations.

An industry-wide problem
Since the retail industry is laden with barcode scanners in every store, criminals might find this attack scenario extremely attractive.

Fixing the issue is a little tricky, since the barcode standards that allow ASCII control characters exist for legitimate reasons and have their purpose and place in the retail business.

The best way to stop BadBarcode attacks, as Mr. Yu puts it, is to prevent barcode scanners from offering keyboard emulation features, and especially from being able to send system hotkeys.
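A defender-side check that a Web-based barcode scanning service (the kind of system the article mentions) could apply to decoded content before handing it to anything downstream. This is an added example, not code from Mr. Yu's talk; it assumes that Code 128 can carry all 128 ASCII values including control characters, and that the GS character (0x1D) is a legitimate GS1 field separator that should be allowed only when a GS1 profile is explicitly selected.

```python
import re

# Constructed sample payloads, as a decoder library might return them to a
# Web-based scanning endpoint. Code 128 can encode all 128 ASCII values, so
# control characters can legitimately appear in decoded output.
SAMPLE_PAYLOADS = {
    "ean13_product": "4006381333931",
    "code128_shipment": "SHIP-2024-000123",
    "control_chars": "\x1b\x12abc\r",                 # ESC, DC2, CR
    "gs1_separator": "0104006381333931\x1d21ABC",     # GS (0x1D) as GS1 separator
}

# Strict profile: printable ASCII only (space through tilde).
PRINTABLE = re.compile(r"[\x20-\x7e]*")
GS = "\x1d"


def validate_payload(data: str, allow_gs1_separator: bool = False) -> tuple:
    """Return (accepted, reason).

    Rejects any payload containing ASCII control characters, because on a
    scanner that emulates a keyboard those bytes become keystrokes rather
    than text. GS is tolerated only under an explicit GS1 profile.
    """
    if not data:
        return False, "empty payload"
    candidate = data.replace(GS, "") if allow_gs1_separator else data
    if not PRINTABLE.fullmatch(candidate):
        bad = sorted({f"0x{ord(c):02x}" for c in candidate
                      if not 0x20 <= ord(c) <= 0x7e})
        return False, "control characters present: " + ", ".join(bad)
    return True, "ok"


def scrub_payload(data: str) -> str:
    """Alternative for systems that must keep processing: drop every byte
    outside printable ASCII instead of rejecting the whole scan."""
    return "".join(c for c in data if 0x20 <= ord(c) <= 0x7e)


def check_all(payloads: dict) -> dict:
    """Run the strict validator over a batch and report each verdict."""
    return {name: validate_payload(value) for name, value in payloads.items()}


if __name__ == "__main__":
    for name, (ok, reason) in check_all(SAMPLE_PAYLOADS).items():
        print(f"{name:18} accepted={ok} ({reason})")
```

Rejecting is the safer default; scrubbing is shown for pipelines where a partial read is still useful and is logged for review.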

This is the second time Mr. Yu has presented at the PacSec conference. Last year, he presented a way to bypass Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) in Windows, for which Microsoft paid $100,000 / €930,000.

Mr. Yu provided some BadBarcode proof-of-concept videos on his Twitter page. See them below.

One of the demos of our talk "BadBarcode: How to hack a starship with a piece of paper". See you in PacSec 2015. pic.twitter.com/tu8XZjegHP — Yang Yu (@tombkeeper) November 9, 2015

Another demo of our talk "BadBarcode" in PacSec 2015: start a shell by one single boarding pass. pic.twitter.com/7ssmyYJsIo — Yang Yu (@tombkeeper) November 12, 2015

Just another BadBarcode demo, using kindle to make an automatic attack. Seems cooler than turning a dozen paper:). pic.twitter.com/0vIIQ98EeU — Yang Yu (@tombkeeper) November 12, 2015