Barcode Infiltrator

Whenever someone manages to expose vulnerabilities in everyday devices, we love to root for them. [Adrian] over at Irongeek has been inspired to exploit barcodes as a means to attack a POS database. Based on an idea from a Pauldotcom episode, he set out to make a rapid attack device, using an LED to spoof the signals that would be received by scanning a barcode. By exposing the POS to a set of generic database attacks, including XSS, SQL injection, and other errors easily solved by input sanitization, he has created the first version of an automated system penetration device. In this case the hardware is simple, but the concept is impressive.

With the hardware explained and the source code provided, as well as a basic unsanitized-input cheat sheet, would-be barcode hackers have a great place to start if they feel compelled to provide a revision two.

[Thanks Robert W.]
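
An added example, not from the post or from Irongeek's project: because symbologies such as Code 128 can carry arbitrary ASCII, a POS lookup has to treat scanner output as untrusted text. The sketch below assumes a hypothetical SQLite `items` table and a store that only sells UPC-A items, uses constructed sample data, and puts a string-concatenated lookup beside a validated, parameterized one.

```python
import sqlite3

def upc_a_valid(code: str) -> bool:
    """True only for 12 ASCII digits whose UPC-A check digit is correct."""
    if len(code) != 12 or not (code.isascii() and code.isdigit()):
        return False
    digits = [int(c) for c in code]
    # Positions 1,3,...,11 carry weight 3; positions 2,4,...,10 carry weight 1.
    total = 3 * sum(digits[0:11:2]) + sum(digits[1:11:2])
    return (10 - total % 10) % 10 == digits[11]

def make_db() -> sqlite3.Connection:
    """Constructed sample inventory (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (upc TEXT PRIMARY KEY, name TEXT, price_cents INTEGER)")
    db.executemany("INSERT INTO items VALUES (?, ?, ?)", [
        ("036000291452", "tissues", 299),
        ("012345678905", "widget", 1999),
    ])
    return db

def lookup_unsafe(db, scan: str):
    # Weak form: scanner text is pasted into the SQL statement, so quote
    # characters in the scanned data change the meaning of the query.
    sql = "SELECT name, price_cents FROM items WHERE upc = '" + scan + "'"
    return db.execute(sql).fetchall()

def lookup_safe(db, scan: str):
    # Hardened form: reject anything that is not a well-formed UPC-A,
    # then bind the value as a parameter so it is never parsed as SQL.
    if not upc_a_valid(scan):
        return []
    sql = "SELECT name, price_cents FROM items WHERE upc = ?"
    return db.execute(sql, (scan,)).fetchall()

# Constructed sample of a non-numeric scan a full-ASCII symbology could deliver.
HOSTILE_SCAN = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", lookup_unsafe(db, HOSTILE_SCAN))  # every row comes back
    print("safe:  ", lookup_safe(db, HOSTILE_SCAN))    # rejected before the query
    print("valid: ", lookup_safe(db, "036000291452"))
```

Validation and parameter binding are independent layers: the check digit also catches misreads, while the bound parameter still protects a store that must accept free-form symbologies.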

Comments

  1. That’s beautiful. Looks like a hack out of a movie :D

  2. Durgo says:

    Is that a typo on the battery? Because 24AH is all but impossible for something that size. (unless it has a car battery attached)

  3. nave.notnilc says:

    beastly; one would be interested in seeing a survey of machines and their vulnerabilities discovered via this method, simply to see if the manufacturers are at all prepared for this sort of stuff.

  4. Miles says:

    @ Durgo, not if it had two A123 cells at 11,000-13,000 mAh apiece. I doubt it, but it is possible.

    I wonder what you can get with this, maybe find a secret discount coupon to save money?

    Self checkout with things of high value that weigh the same as things of low value? In which case you wouldn’t need this, just the UPC of the less expensive product.

    It would be interesting to see the potential application for this. Apologies if there is a discussion on the link, I am going to read it now.

  5. zerth says:

    @Miles

    This is mainly to check if they are sanitizing their inputs. You could potentially insert data or change prices if they are vulnerable.

    The newer systems might be easily manipulable if the designers were lazy and just slapped together an SQL database (i.e. it was made by the store owner’s nephew), but older systems don’t even use relational DBs.

    Odds are you could only crash the POS terminal.

    If they wanted to rip off the store, they’d have better luck generating random barcodes that weren’t valid UPCs, eventually they’d generate a manager ID barcode.

  6. Andr0id says:

    Well, if you really wanted to just rip off a store from the self checkout line (not suggested) simply take a picture of a cheaper item’s barcode with your cellphone and then display the barcode when you check out instead of the more expensive item.

  7. Jeff says:

    @Andr0id They have scales that you put everything on to confirm you haven’t put anything in that you didn’t scan and to confirm that the product has been bagged. The barcode would have to match something very close to the weight that you were buying. It could still be done, but you’d have to be a little more tricky than what you imply.

  8. doc oct says:

    I wonder if the LED could be replaced with a laser diode? Something I was thinking about trying several years ago and never got around to it was building a hand held device with a laser diode. I always wondered if it would be possible to remotely inject a barcode into someone’s order at the grocery store.

    “Why does KY Jelly and Condoms keep coming up?!”

  9. Andr0id says:

    @jeff Yes, that was implied by Miles’ comment earlier, I left it out as it was less technical and more of a discussion type of comment; however, that being said, I have noticed at least at some stores (usually food stores) that the weight of an item does not really seem to matter much, especially if you are in the market to steal produce! hehe

  10. Sonylization says:

    Yeah, that is beautiful! Now I can’t wait for the car dealers to start using the bar code system ;)

  11. @doc oct, yes, you can use a laser diode :) I’ve got that working in a newer version, but I have not posted it yet. So far, even though the range seems to be there, the reliability of the laser has not been as good as the LED.

  12. Clueless_Being says:

    In the Walmart close to my house the weight wouldn’t matter because most of the scales are broken.

  13. Mike says:

    @Durgo: You’re right, 24AH is startlingly high. 2.4AH is a more reasonable figure (which is what’s on the label).

  14. Mike says:

    Ha, wow. And here I thought Durgo missed the “milli” on the label, but I missed a zero. 24AH, indeed!

  15. Grazz256 says:

    @Android,
    I’m sure if you really wanted to rip off the store the easiest way would be to “forget” a large item under your cart.

  16. speedy628 says:

    @Andr0id Unless they have an odd camera setup rather than your standard laser scanner, this won’t work. Barcode scanners work on reflected laser light, which reflects evenly on an LCD regardless of what the pixels under the surface are doing.

  17. Robert W. says:

    This link is not for stealing produce and groceries, as some of you are missing the point of the article.
    This tests for injection techniques in the DB that the barcode is sending its read information to.

  18. Kalleguld says:

    @Mike: What you can’t see is that it’s a 20mV battery :)

  19. DB says:

    I wonder if an infra-red LED would work. The device could be made far brighter, yet invisible to humans.

  20. Tomasito says:

    You can make a visit to the store, read the numbers under the barcode of some cheap items, go to your house, open barcodemagic on your pc and put the numbers, print the barcode, go back to the store and glue the new barcode to something expensive.

    I’ve done it and it works. If you want to buy apples cheaper, that’s a simple method that works.

    BTW, that’s called stealing.

    On the other hand, the article does not talk about stealing, but exploiting vulnerabilities in those machines I think.

  21. Jess says:

    the KY idea is hilarious, if infrared LEDs work you should combine it with that LED suit, walk through the checkout area and suddenly all the machines start going nuts with condom and junior mint purchases. XD

  22. anon says:

    Way to go Adrian! Another awesome hack! Everyone should check out irongeek.

  23. dolphinhunter says:

    I had a “friend” who would paste over the barcode labels on canned/jar goods because the weights are uniform. A can of cheap tuna weighs the same as a can of premium white albacore, you know.

    I was… I mean he was a typical broke college student at the time, but of course there’s no excuse for thievery. But it did work.

  24. Hoax says:

    @ those mentioning weigh scales: I used to work for a major self-checkout manufacturer and many of our clients requested the anti-theft scales disabled. Too many false positives from kids climbing on them and abuse. When they were first deployed, we had a store that kept breaking a particular scale on a specific SCO during the overnight shift. After replacing several load cells we had a tech in the store at just the right time to find a large checkout manager using it for a bench. Apparently she was about 4 times the max load for the cells.

  25. Tested the IR idea. It works. :) Thanks DB.
