What is Badbarcode?

Hi folks!

Barcodes are used in supermarkets, logistics and many other places we see in daily life, but how safe are they really? The barcode attack that @Tk described at PacSec, with a demo video on Twitter, has been experimented with again.

Barcodes are graphic identifiers used to represent a set of information by varying the widths and spacings of lines.

Common types of barcodes include Code 39, Code 128, Code 93, EAN-128, EAN-13, QR, etc. Most of them are one-dimensional, except for QR, which is two-dimensional. Code 128 is the most widely used, supports the most characters, and is the one exploited in this attack.

A scanner is used to read the information in a barcode. Conventional ones scan with an infrared beam, and their embedded chip processes the scan and outputs the result. Some popular scanner brands in the world include Symbol, Honeywell and Datalogic. Of these, Symbol has been acquired by Motorola.

After scanning, the product code is displayed on the screen. Many scanners present themselves to the host as a keyboard input device, which means the scanner is the equivalent of a keyboard, and that is a huge risk: any keyboard data can be entered by manipulating the data in a barcode.

Code 128 is widely used because it supports ASCII characters 0-127; the barcode length is adjustable and can hold up to 232 characters.

Code 128 can be categorized into 3 groups:

  1. Code 128A: Standard numbers and uppercase letters, control characters, special characters
  2. Code 128B: Standard numbers and uppercase letters, lowercase letters, special characters
  3. Code 128C/EAN 128: the number pairs [00] to [99], 100 in total, so it can only represent digit strings of even length.

Code 128 consists of 4 parts: start code, data code, check code (optional) and end code.

Following the Code 128 rules above, you can write a program that reads and generates barcodes. But to make the host execute operations, the simplest way is to use control characters. Control characters are non-printing characters, such as carriage return, line feed and tab. In ASCII, 0-31 and 127 are control characters.

The ASCII control-character table covers almost all Ctrl+? key combinations, such as Ctrl+O to open a file. In some terminals, some of these control characters can make the program jump out of its sandbox. A program can be written to generate a barcode that makes a computer execute Ctrl+O, and there are also many small barcode generators available on the Internet. This post recommends the powerful barcode editor BarTender.
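The two facts above, the Code 128 symbol structure and the control-character range, are what a defender can check. The following is an added example (not code from this post or from the original WooYun article): it computes the Code 128 check symbol so a decoded symbol can be verified, and it screens scanner input for ASCII control characters before a hypothetical point-of-sale application acts on it. The allow-list and the sample scans are constructed for the example.

```python
import string

# Code 128 start symbol values (from the Code 128 specification).
START_A, START_B = 103, 104

# ASCII control characters 0-31 and 127 (DEL), the range the post describes.
CONTROL_CHARS = frozenset(chr(c) for c in range(32)) | {chr(127)}

# Constructed allow-list for a hypothetical POS application that only expects
# product codes: letters, digits and a few separators, never control characters.
PRODUCT_CODE_CHARS = frozenset(string.ascii_letters + string.digits + "-.")


def code128_value(ch, subset):
    """Map one ASCII character to its Code 128 symbol value (subset A or B)."""
    o = ord(ch)
    if subset == "B" and 32 <= o <= 127:
        return o - 32
    if subset == "A":
        if 32 <= o <= 95:          # digits, uppercase letters, punctuation
            return o - 32
        if 0 <= o <= 31:           # control characters occupy values 64-95
            return o + 64
    raise ValueError(f"{ch!r} is not encodable in Code 128{subset}")


def code128_check_value(data, subset="B"):
    """Check symbol of a single-subset Code 128 symbol: start value plus the
    position-weighted sum of the data symbol values, modulo 103."""
    start = START_A if subset == "A" else START_B
    total = start + sum(i * code128_value(ch, subset)
                        for i, ch in enumerate(data, start=1))
    return total % 103


def find_control_chars(payload):
    """Return (index, char) for every control character in a decoded payload."""
    return [(i, ch) for i, ch in enumerate(payload) if ch in CONTROL_CHARS]


def accept_scan(payload):
    """Allow-list check an application should apply to scanner input before
    acting on it: non-empty and made only of expected product-code characters."""
    return bool(payload) and all(ch in PRODUCT_CODE_CHARS for ch in payload)


if __name__ == "__main__":
    # Constructed samples: a plain digit string and a scan carrying control
    # characters (Ctrl+O and carriage return), which the allow-list rejects.
    for scan in ["4901234567890", "ITEM\x0f42\r"]:
        print(repr(scan), find_control_chars(scan), accept_scan(scan))
    print(code128_check_value("PJJ123C"))  # 55
```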

Check out the full post with instructions and screenshots at: http://en.wooyun.io/2016/01/28/Barcode-attack-technique.html

Source: Akati

