Barcodes that Hack Devices

[virustracker] has been playing around with barcodes lately, and trying to use them as a vector to gain control of the system that’s reading them. It’s a promising attack — nobody expects a takeover via barcodes. The idea isn’t new, and in fact we’ve seen people trying to drop SQL attacks in barcodes long ago, but [virustracker] put a few different pieces together and came up with a viable attack.

The trick is that many POS terminals and barcode readers support command characters in their programming modes. Using these Advanced Data Formatting (ADF) modes, [virustracker] has the scanner send Windows-Key-r and then cmd.exe, FTP a file down, and run it. Whatever computer is on the other side of the barcode scanner has just been owned. ADF even supports a delay function to allow time for the command window to pop up before running the rest of the input.

The article details how they got their payload from requiring more than ten individual barcodes down to four. Still, it’s a suspicious-looking attack to try to pull off where other people (think cashiers) are looking. However, we have many automated machines in our everyday life that use barcodes. How many of these are vulnerable is an open question. [virustracker] suggests lottery machines, package-delivery automats, and even hospitals.

The defense is simple, and it’s the same as everywhere else: disable the debug and configuration modes in your production systems, and sanitize your input. Yes, even the barcodes.
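One way to do the "sanitize your input" half in the application, as an added example that is not from the article or from [virustracker]'s write-up: an allow-list validator that accepts only digit-only retail codes with a valid GS1 check digit and rejects everything else, control characters included. It assumes the POS application receives each scan as a string (for example over a serial interface) rather than as raw keystrokes delivered to the OS, and that the checkout only needs EAN-8, UPC-A and EAN-13; the function and constant names are hypothetical and the sample scans are constructed.

```python
from dataclasses import dataclass

# Assumption: this checkout only needs EAN-8, UPC-A and EAN-13 (digits only).
ALLOWED_LENGTHS = {8, 12, 13}


@dataclass(frozen=True)
class ScanResult:
    ok: bool
    code: str    # normalized digits when ok, otherwise ""
    reason: str  # rejection reason for the audit log, "" when ok


def gs1_check_digit(body: str) -> int:
    """GS1 mod-10 check digit for the digits that precede it."""
    total = 0
    # Weights alternate 3, 1, 3, ... starting at the rightmost body digit.
    for i, ch in enumerate(reversed(body)):
        total += int(ch) * (3 if i % 2 == 0 else 1)
    return (10 - total % 10) % 10


def validate_scan(raw: str) -> ScanResult:
    """Allow-list check: digits only, known length, valid check digit."""
    data = raw
    # Drop at most one line terminator, the usual scanner suffix.
    for suffix in ("\r\n", "\n", "\r"):
        if data.endswith(suffix):
            data = data[: -len(suffix)]
            break
    if not data:
        return ScanResult(False, "", "empty")
    # Reject control characters outright, before any other parsing.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in data):
        return ScanResult(False, "", "control-character")
    if any(c not in "0123456789" for c in data):
        return ScanResult(False, "", "non-digit")
    if len(data) not in ALLOWED_LENGTHS:
        return ScanResult(False, "", "length")
    if gs1_check_digit(data[:-1]) != int(data[-1]):
        return ScanResult(False, "", "check-digit")
    return ScanResult(True, data, "")


if __name__ == "__main__":
    # Constructed sample scans: three valid codes and four that must be rejected.
    samples = ["4006381333931\r", "036000291452", "73513537",
               "4006381333932", "\x1bcmd.exe\r", "ftp example.invalid", "12345"]
    for s in samples:
        print(repr(s), validate_scan(s))
```

Logging the rejection reason alongside the terminal ID gives operations a signal when a lane starts seeing scans that are not product codes.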

75 thoughts on “Barcodes that Hack Devices”

  1. > Still, it’s a suspicious-looking attack to try to pull off where other people (think cashiers) are looking

    How to do it less suspiciously: Print stickers of your exploit barcodes. Go into store and get some goods. Put exploit stickers over original barcodes. Arrange your goods in the order required to exploit system. Add some products before and after your exploit products. Watch as cashier scans the barcodes.

    If you’re lucky, the cashier will be one just waiting for a beep of the scanning system and will not notice the error (or no information at all) on the display in front of him/her, which was supposed to say which product just got scanned.

    1. @Phrewfuf
      In my experience, barcodes have weird issues often enough that the cashier is usually watching for signs of fuckery; they just expect the issue to be with the system.

      Now about self checkout…

    2. The biggest problem is P.O.S. software is some of the worst software out there. I have dealt with small company stuff all the way to IBM systems and they all are written by people that should not be allowed to program. Most USB barcode readers simply fill in a text field on the screen and act like the keyboard. This makes it so the programmer does not have to actually do any work to support a barcode scanner. So sanitation of the input is 100% impossible with all current systems as they show up as keyboards. So you will have to modify the underlying OS or change the device firmware to stop acting as a USB keyboard and go back to acting as a RS232 device and force the POS software programmer to look for the serial port and grab the data.

      But it gets worse. These barcode readers are configured by barcodes, so “locking down” the barcode scanner is useless as you can scan a special barcode that will enter configuration mode no matter how locked down you set it because the scanner’s module has this as a default function from the manufacturer to make it easy for POS software makers to be lazy.

      Magstripe readers are even worse. The typical USB magstripe reader also just dumps the info as if it was entered by the keyboard, but you can easily have one card programmed to enter config and send configuration parameters. The better network enabled ones with the signature pad are only a little more secure, but if you are on the network you can get inside of them easily as there are plenty of known exploits to gain root on the Linux they are running. All of this is coupled with the fact that retail stores typically have the WORST network security and general overall security on the planet means nobody should ever be surprised of any kind of data theft or break-in at any retailer no matter the size.

      Let’s put it this way, after a few years of looking at POS system security and some side hacking of gear bought at auctions, I refuse to use anything but CASH or a credit card at any store. I will never EVER use a debit card where my savings and checking can be emptied.

        1. Over here those things have Linux running on them. Well, at least that one model used by several supermarket chains that I’ve seen boot once. So the whole barcode hacking won’t work on them.

          1. Actually this would work with the Linux systems as keyboard vectors have already been used. Lest you forget, there are keyboard shortcuts to execute a single command in Linux.

      1. And that’s why they call it P.O.S. software.

        Actually, seriously, knowing about technology as I do, I’m generally reluctant to use it where possible. Sometimes people think it’s weird, if they do I mention that I know enough about them to be aware of what can go wrong. Or technically go right, but against my own interest. I don’t give a full lecture, just a quick mention.

        Buying my phone a while ago, drone in shop wanted my address. “Why?” “What if it breaks?” “If it breaks, I’ll have it on me, that proves it’s mine”. He decided I was stuck in the past, and all this endless corporate data-gathering is fine and normal. I’ve been on the Internet since before the little twat had pubes, but I didn’t say that to him. Would’ve, but I’d already left. Stuck in the past! “What about insurance?”. I don’t want it, my last phone died from a small amount of water, which isn’t covered, my other phones all lasted 5 or so years before I got a new one. They’re fine. Assuming you don’t absent-mindedly leave them in pubs, there’s not much can go wrong with a phone.

        In the end he got an address, but not mine. Next time I’ll make one up, Google it beforehand, just to satisfy the little fucker. Companies acting like they’ve a right to know stuff about you really annoys me. In the past they showed respect and treated the customer with dignity (well, at least more than they do now). And the little twat’s gobsmacked-ness that I might not want to be on some arbitrary phone vendor’s database annoyed me even more.

        1. Don’t blame the kid though, he’s just doing what his boss tells him. Where I work (a retail store) we have to ask for customers emails, and they post each employees number of emails acquired for all employees to see. So while I agree, it isn’t necessary, the kid is probably just trying to do his job.

          1. It wasn’t a kid, it was a guy in his mid / late 20s. I’ve been online more than 20 years, which is a phenomenal amount of time to waste!

            Sure, it’s his job, but he didn’t have to be so bloody enthusiastic about it. That’s what bothered me, his incredulity that someone might not want to give their life story to any machine who asks.

        2. Ugh, I had a similar experience trying to buy a replacement fuse for my microwave. I was picking it up in person from the service depot, paying cash, and the guy starts asking for my address and mobile number. I’m just buying a friggin fuse! He was really taken aback when I wouldn’t give him all my details.

      2. That (keyboard emulation + configuration via barcode) is basically this attack in a nutshell.

        You’re right that it’s hard to sanitize, but you could totally disable the ADF/config codes unless a secret is presented, for instance. Leaving it constantly in “configure me!” mode is asking for trouble.

        1. What everyone is missing here is that they assume the POS systems should trust the cashiers.

          According to PCI DSS rules, if the registers take credit cards, they are supposed to be connected to a secure network, isolated from other systems. That means they shouldn’t even allow the cashiers to be able to hit Win+R; or if they do, a browser or ftp shouldn’t even be able to get to the internet.

          It’s a small risk to trust a cashier with a few hundred or a few thousand dollars, but you shouldn’t deploy a system that trusts anyone with unfettered and unaudited access to a system inside your most restricted network.

          Now, do most retailers actually deploy systems this way? The biggest ones do, but the smaller chains, and independents? Here’s a tip: look at the screen while the cashier is idle. If the cashier can get to the Windows Desktop, switch applications, surf the web, or play solitaire on the POS terminal, they’re vulnerable.

      3. Credit card is even more risky because then they can spend as much as they want and then somebody (in most cases, you) has to pay.

        A better idea is to open a separate savings/checking account that you tie to the debit card, and then this savings/checking account doesn’t have so much money. For example, you have your “CARD” savings/checking account filled with let’s say 50$. If a fraudster or criminal gets to the card, there’s only 50$ to spend. If they try to spend more, it will display “Rejected by issuer” in the display.
        And as you shop, you just refill your “CARD” savings/checking from your regular by wiring money between the accounts.

        Think like a mobile prepaid card.

    3. I’m in Japan and here we have some networked POS systems in convenience stores. They don’t just keep track of how sales are going nationwide, but they also process online payments using kiosk terminals. It involves printing a set of barcodes that customers either print at home or print at the store kiosk terminal. So the store staff probably scan whatever code a random guy shows them and see what happens. That can be a more dangerous attack vector.

    4. You just put 4 barcodes on 4 sides of a box designed to look like they should be there, scan code 1, oh it didn’t work? rotate box (what a helpful customer you are!) scan code 2… etc. until the system is owned.

      Add code 5 to the bottom of the box to have a working code to stop anyone even noticing more than the usual problematic item that scans eventually.

      1. Oh and incidentally, you can just stick it on a product and let some other customer spread your hack without you getting involved.
        Mind you, every supermarket is full of cameras these days. So you’d have to hope they aren’t watching until you made your getaway.

        My advice is that if you use it to give yourself indefinite employee discounts, that way they might never detect it and you get a nice discount. And when the anomaly is caught you pretend you have no idea how it happened :)

  2. Or, as has been done before, print a pile of barcodes for a similar but cheaper product and paste them over the barcode for the product you actually want. From memory, someone managed to swipe £50,000 worth of lego in this way before they were caught.

      1. Doesn’t to me, but I’ve grown up in the UK where lego is a non-countable noun. It sounds like saying someone made off with £50,000 of sand at a builders merchant; you’d never think that meant “one Sand”, or one grain of sand, etc.

  3. Tesco pay-at-the-pump fuel stations have a barcode scanner to read your clubcard, and it’s always fiddly to get your card in the right place for it to read so you always spend ages stood at the barcode scanner. Seems the right sort of place for this to work, if not exactly a good idea to try it…

      1. Yeah, a local grocery also has gas pumps… When your spending goes over a specific amount, you start getting discounts at the pump. We often get $.60 discount on gas. So the real exploit would be to get gas at $.01 per gallon.

  4. I wonder if this could be coupled with the reprogramming exploit we saw on here a year or two back, where you could re-program the barcode reader itself (not just the POS terminal) to read more ranges of barcodes. Could be used to deliver more data in a single barcode making the attack easier and quicker…

    1. This is certainly possible with most popular barcode readers. If they’ve got fairly recent firmware they can even read those new-fangled “3D” codes like QR that contain a lot of bits.

    2. Yes! and not just new ones. I used to program POS barcode readers and it’s done with – guess what – barcodes. Everything is programmable – even the protocol used to communicate to the host.

  5. This wouldn’t work with the PoS terminals at at least one major retailer. They may run Windows, but the system is provisioned to disable… well just about everything. You can scan the Win+R barcode all you want, it’ll do diddly. It’s set up to assume an attacker has unfettered access to the terminal anyway and locked down accordingly.

    1. To stop anyone who might manage to get into a properly locked down Windows install, delete cmd.exe. Common practice was to delete all files not essential for running Windows and the program you want the system restricted to. For 95 and later, also delete SFC and the folder with the backup copies of system files. Would be real dumb to neuter the system then leave the method to have Windows able to restore the deleted files.

      Since Windows 3.1, Microsoft has had various methods of locking up an installation so it cannot be altered. Even without the software to put Win 3.1 into “kiosk mode” an easy hack was to replace progman.exe with another program capable of running as the shell. Then when launching Windows, that one program was all that would run. IIRC, Win 3.1x couldn’t run programs from a file open/save dialog box like 95 and later can. *googles* I see they’re calling it “Assigned Access” now.

      Another simple kiosk security tactic is to have a keyboard without the Ctrl and/or Alt keys. Can’t do Ctrl Alt Del if one of those keys is gone.

      1. To anyone who has ever had to fix POS equipment – “piece of shit” is probably the most desired description.

        POS / EFTPOS and ATMs were the most loathed jobs as POS equipment tends to be 20 years older than your grandfather.

        For me it got to the point that I wouldn’t service POS equipment unless the cash draw was removed by a manager first. So many young ones thought they could pocket money and blame the service person.

        And those old old dot matrix printers. I’m sure dot-matrix printers did something bad in a former life because instead of going to printer heaven when they died – they had to go to POS. One very large chain store had dot matrix printers that were older than me.

  6. This is just such a vast cock-up. I’m amazed. Back in the DOS days when a quick interrupt service routine could give you complete control over the keyboard, it made sense. Or even if you used the DOS / BIOS keyboard drivers, it would be OK, since where else are the keypresses gonna go?

    But since this whole multi-tasking fad, it’s insane! ESPECIALLY letting them emulate the Windows key! What possible legitimate use could there be for that!?!? Good job the public can’t buy printers, and black vertical lines are so hard to make.

    Years ago, the only possible defence would’ve been impracticality, “what would be the point of hacking it?”. Now everything’s online, a few characters let you download any old payload. Which is another hazard of everything being online, of course.

    Like the article mentions, this isn’t new. So why hasn’t anyone done anything? Does it require an attack? One that, should it hit the mainstream media, will be “Those fiendish, genius hackers, with their mutant brains, using cutting-edge technology to attack ordinary household barcode readers. As a precaution we should stop teaching kids to read”. Rather than “Guy reads manual, notices bleeding obvious, and suppliers do nothing about it for years”.

    Since we have USB, there’s no need for keyboard emulation. As someone here mentioned, an emulated serial port will do just fine, very well in fact. That’s if nobody wants to bother inventing a USB HID barcode reader class.

    1. A USB keyboard is a valid use for a scanner. Not every app is going to support specialty scanner input for everything someone would like to input. Heck, half the app devs out there can barely figure out screen resolution; you don’t believe they’ll know to add support for scanners, do you?

    2. In fields like POS / EFTPOS / ATMs, decisions are made by accountants and the tight asses won’t spend an extra cent so you have software that is expected to last longer than the working years of the programmer. By the time there is a software upgrade the original author has been dead for ten years or at least retired for just as long.

      I have a friend who has company software so old that he has to run it in a virtual machine with DOS 3.3 and use Java to link input / output via TCP/IP to the real server. He asked me if I could re-write it (it’s COBOL), I just said try the graveyard – I hear that’s where you will find most COBOL programmers.

      This is what happened with Y2K – the original programmers were dead so newer programmers don’t dare to re-write code (the accountants won’t budget this) so they write a shell and wrap the original code in that. The next coders do the same and so forth.

      This leads to an endless number of security vulnerabilities. And that – my friend – is how your internet works.

      1. In 1997 I worked at a student loan processing company. The software that processed the loan database was ported from COBOL to… MS-DOS batch files. I’ve no idea how the frell they made that work, but it did – until shortly before I was hired to replace the woman who FUBARed it up real bad.

        The company had sent her to Salt Lake City for Novell’s two week Netware course. They just recently installed a new server with Netware 4.0, with the old Netware 3.12 server still stuck in there, attached to the 10 Base-T LAN (recently upgraded from ARC-net) doing nothing.

        Part of the bennies of taking the Netware course was getting sent beta software. Novell sent her a beta CD of Netware 4.11 with NOT FOR USE IN A PRODUCTION ENVIRONMENT printed on it.

        I give you one guess what she did with that CD.

  7. The department store I work at sometimes gets bad barcodes on items. I know we once had to take a bunch of t-shirts down to be retagged because the ones from the distribution center would crash the register when it was scanned. It made me wonder if you could use barcodes in the way this article describes but I didn’t know enough about the system to be sure. It doesn’t surprise me that someone figured it out.

  8. Someone print me a code that instructs those POS to start Solitaire game so I can play while waiting for cashier to finish scanning stuff. Assuming the business POS edition of Windows does have Solitaire like Home and Pro edition.

  9. I am an engineer at a barcode scanner maker in Japan and just wanted to add this:

    If you think those USB scanners are unsafe you should see what the network-attached industrial scanners are capable of!!

  10. Looks like this exploit depends on the reader supporting a barcode that can generate control codes. If the reader is configured to support only more specialized codes like UPC (modest length number only) this attack fails. Pitfalls of support enabled for umpteen features you don’t expect to use.

  11. Of course there is stuff like NINJHAX for the 3DS that uses 2D bar codes; aka QR codes. I did think of this a while ago, but alas I don’t have the resources to try this kind of thing.

  12. And this is why most retail scanners should be set up to only support EAN13/EAN8 barcodes (some come like this by default). It is not easy to do an SQL injection attack when you can only use less than 13 numbers.
    Still not going to protect you if someone sticks a few programming barcodes to an item to mis-configure your scanner but they have to know which model scanner you have and have the matching barcodes for that model.

  13. If you think barcode readers are scary, then you really should have known about all the secrets involved in payment terminals. Without disclosing too much there are several “magic” magnet stripe codes that bring it into configuration mode, reset to default, test codes, codes to simulate various errors etc (and all activated on production terminals). Chip readers are way less hacky, partially because it required a complete rewrite of the old cruft controlling the magstripe readers, but also (just in part) because of much more stringent regulations. Before regulations the banks would throw all kinds of cruft in there, apparently it was easier cleaning up the mess afterwards than ensuring it didn’t happen.

  14. This isn’t much of an exploit. I used to install POS systems. I have never seen one that gives admin control to the cashier. If I did, I wouldn’t work with that company, but I never did. So even if you launch a cli, you wouldn’t be able to do anything interesting anyways.
