[virustracker] has been playing around with barcodes lately, and trying to use them as a vector to gain control of the system that’s reading them. It’s a promising attack — nobody expects a takeover via barcodes. The idea isn’t new, and in fact we’ve seen people trying to drop SQL attacks in barcodes long ago, but [virustracker] put a few different pieces together and came up with a viable attack.
The trick is that many POS terminals and barcode readers support command characters in their programming modes. Through use of these Advanced Data Formatting (ADF) modes, [virustracker] sends Windows-Key-r, and then cmd.exe, ftps a file down, and runs it. Whatever computer is on the other side of the barcode scanner has just been owned. ADF even supports a delay function to allow time for the command window to pop up before running the rest of the input.
The article details how they got their payload from requiring more than ten individual barcodes down to four. Still, it’s a suspicious-looking attack to try to pull off where other people (think cashiers) are looking. However, we have many automated machines in our everyday life that use barcodes. How many of these are vulnerable is an open question. [virustracker] suggests lottery machines, package-delivery automats, and even hospitals.
The defense is simple, and it’s the same as everywhere else: disable the debug and configuration modes in your production systems, and sanitize your input. Yes, even the barcodes.
Beep. You hear it every time you buy a product in a retail store. The checkout person slides your purchase over a scanner embedded in their checkout stand, or shoots it with a handheld scanner. The familiar series of bars and spaces on the label is digitized, decoded to digits, and then used as a query to a database of every product that particular store sells. It happens so often that we take it for granted. Modern barcodes have been around for 41 years now. The first product purchased with a barcode was a 10 pack of Juicy Fruit gum, scanned on June 26, 1974 at Marsh supermarket in Troy, Ohio. The code scanned that day was UPC-A, the same barcode used today on just about every retail product you can buy.
The history of the barcode is not as cut and dry as one would think. More than one group has been credited with inventing the technology. How does one encode data on a machine, store it on a physical media, then read it at some later date? Punch cards and paper tape have been doing that for centuries. The problem was storing that data without cutting holes in the carrier. The overall issue was common enough that efforts were launched in several different industries.
Continue reading “The Eloquence of the Barcode”
If you don’t have a niece or nephew we encourage you to get one because they provide a great excuse to take apart kids’ toys.
[Sam] had just bought some animal-themed trading cards. These particular cards accompany a card-reader that uses barcodes to play some audio specific to each animal when swiped. So [Sam] convinces her niece that they should draw their own bar codes. Of course it’s not that easy: the barcodes end up having even and odd parity bits tacked on to verify a valid read. But after some solid reasoning plus trial-and-error, [Sam] convinces her niece that the world runs on science rather than magic.
But it can’t end there; [Sam] wants to hear all the animals. Printing out a bunch of cards is tedious, so [Sam] opens up the card reader and programs and Arduino to press a button and blink an IR LED to simulate a card swipe. (Kudos!) Now she can easily go through all 1023 possible values for the animal cards and play all the audio tracks, and her niece gets to hear more animal sounds than any child could desire.
Along the way, [Sam] found some interesting non-animal sounds that she thinks are Easter eggs but we would wager are for future use in a contest or promotional drawing or something similar. Either way, its great fun to get to listen in on more than you’re supposed to. And what better way to educate the next generation of little hackers than by spending some quality time together spoofing bar codes with pen and paper?
[Dan] has come up with a novel solution to the age old problem of keeping your grocery list up to date. He’s added a bar code scanner and a Raspberry Pi under a kitchen cabinet. He calls the system “Oscar”, though we don’t see any grouchiness in his trash can. When [Dan] runs out of a product, he simply throws it away. Just above his garbage and recycling bin is a low cost barcode scanner. [Dan] holds the item until the scanner reads, then sends it on it’s way to recycling or the landfill. The decoded bar code is processed by a Raspberry Pi also hiding under the cabinet. The Raspberry Pi sends the data to Trello.comusing the Trello api.
If a product isn’t recognized by Trello’s database, trello dispatches a text message to [Dan’s] phone. He can then add the product information via a web interface. We think the user interface is what’s great here. Once products are in the database, the only thing that has to be done day to day is pause for a moment before throwing a package away. [Dan] has all his code up on github, and has also created a reddit thread for Oscar.
Either through QR codes, RFID, or near field communication, there seems to be some desire to share tiny pieces of data in a more physical and accessible form. [Chris Harrison], [Robert Xiao], and [Scott E. Hudson] of the HCI Institute at Carnegie Mellon have come up with a fairly interesting solution of making data more physical. They call it Acoustic Barcodes, and it’s able to store over a billion unique IDs in a small strip of plastic.
By engraving a barcode pattern into a piece of wood, stone, glass, or plastic, the guys then attached a microphone to the barcode and ran their fingernails across their invention. A computer interprets the sounds of a finger scraping against the acoustic barcode and produces a series of 1s and 0s.
This binary code can be used to look up various items in a database, or perform actions on a computer. In the video after the break, you can see these acoustic barcodes attached to a whiteboard to provide real tactile control of a video projector.
You can check out a PDF of the Acoustic Barcode paper here.
Continue reading “Acoustic barcodes deliver data with a fingernail and microphone”
This bar code tattoo was sent into us by [Lifespan]. Before going under the needle, [Lifespan] didn’t care much for tattoos. After seeing this video he realized that a tattoo could have dynamic content through domain redirection.
[Lifespan] spent a lot of time going over the different styles of 2D bar codes. QR codes were deemed ugly because of the three large squares in the corners. An EZ Code, like the one in his YouTube inspiration, are a proprietary format that must be read with a ScanLife app. He eventually settled on a Data Matrix bar code because of its open format and ubiquity in business and industry. To make the tattoo dynamic, [Lifespan] made the tattoo point to 5id5.com. With a little bit of smart phone wizardry, that domain can be redirected to any URL in a moments notice.
Like all well-planned tattoos, he found himself a very good artist to do the piece. [Connor Moore] managed to ink some skin at 15 dpi, which was a little risky, but the results came out great. While it’s not scarification via a laser cutter, barring fading this tattoo is technologically future proof.
[Scott Harden] came across a few posts about QR code matrix barcodes coming through on the 40m baud radio band. A few operators had captured the signals and assembled them into the code block seen above but they weren’t able to get a clear enough shot for a smartphone to decode the image. [Scott] took on the challenge and decoded the mysterious message himself. He tried some graphic editing to separate and enhance the color channels in order to up the contrasts of the image. This helped, but still couldn’t be read automatically. In a move similar to those seen in Hackaday’s own barcode challenges he dropped the image into Inkscape so that he could manually clean it up. Once it was overlaid on a grid the job was pretty simple. the left side did require some more image manipulation and precision”squinting” to eliminate interference from the vertical banding, but he managed to get the message. We won’t spoil it here in case you want to take on the challenge yourself. Good luck!