Barcodes That Hack Devices

[virustracker] has been playing around with barcodes lately, and trying to use them as a vector to gain control of the system that’s reading them. It’s a promising attack — nobody expects a takeover via barcodes. The idea isn’t new, and in fact we’ve seen people trying to drop SQL attacks in barcodes long ago, but [virustracker] put a few different pieces together and came up with a viable attack.

The trick is that many POS terminals and barcode readers support command characters in their programming modes. Through use of these Advanced Data Formatting (ADF) modes, [virustracker] sends Windows-Key-r, and then cmd.exe, ftps a file down, and runs it. Whatever computer is on the other side of the barcode scanner has just been owned. ADF even supports a delay function to allow time for the command window to pop up before running the rest of the input.

The article details how they got their payload from requiring more than ten individual barcodes down to four. Still, it’s a suspicious-looking attack to try to pull off where other people (think cashiers) are looking. However, we have many automated machines in our everyday life that use barcodes. How many of these are vulnerable is an open question. [virustracker] suggests lottery machines, package-delivery automats, and even hospitals.

The defense is simple, and it’s the same as everywhere else: disable the debug and configuration modes in your production systems, and sanitize your input. Yes, even the barcodes.
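As an added illustration of the "sanitize your input" advice (this is example code, not from the post or from [virustracker]), the host-side validator below treats a keyboard-wedge scan as untrusted text: any control character is rejected before the application sees the data, and what remains must match the symbology the workflow actually expects (an EAN-13 with a correct check digit, or an allowlisted SKU pattern). The sample scans and the `sku` pattern are constructed for the example; the control bytes merely stand in for the command and delay sequences described above, not for any specific reader's escape codes.

```python
import re

# Constructed sample scans, as a keyboard-wedge reader might deliver them to the host.
SAMPLE_SCANS = [
    "4006381333931",     # valid EAN-13 (correct check digit)
    "4006381333932",     # EAN-13 with a wrong check digit
    "\x1bABC\r",         # escape + carriage return smuggled into the scan
    "ITEM-0042",         # well-formed SKU (hypothetical allowlist format)
    "ITEM-0042\x0bcmd",  # SKU with a vertical tab and trailing junk
]

# Anything in C0 (0x00-0x1F) or DEL has no place in a product code.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")
SKU = re.compile(r"[A-Z0-9-]{1,32}")


def ean13_valid(code: str) -> bool:
    """EAN-13 check digit: weights 1,3,1,3,... over the first 12 digits."""
    if len(code) != 13 or not code.isdigit():
        return False
    total = sum(int(d) * (3 if i % 2 else 1) for i, d in enumerate(code[:12]))
    return (10 - total % 10) % 10 == int(code[12])


def classify_scan(raw: str, expected: str) -> tuple[str, str]:
    """Return (verdict, reason) for one scan. Control characters are checked first
    so a smuggled key sequence is refused before any format logic runs."""
    if CONTROL.search(raw):
        return "reject", "control characters present; possible scanner command injection"
    if expected == "ean13":
        if ean13_valid(raw):
            return "accept", "ean13 check digit ok"
        return "reject", "ean13 check digit mismatch"
    if expected == "sku":
        if SKU.fullmatch(raw):
            return "accept", "sku allowlist ok"
        return "reject", "sku contains characters outside allowlist"
    return "reject", f"unknown expected format {expected!r}"


def audit(scans: list[str], expected: str) -> list[tuple[str, str]]:
    """Detection helper: return (repr(scan), reason) for every rejected scan,
    suitable for feeding to a log or SIEM."""
    rejected = []
    for scan in scans:
        verdict, reason = classify_scan(scan, expected)
        if verdict == "reject":
            rejected.append((repr(scan), reason))
    return rejected
```

Running `audit(SAMPLE_SCANS, "ean13")` flags everything except the first scan; the two entries carrying control characters are the ones worth alerting on, since a legitimate product code never contains them.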

It’s Alive! — Badge For Hackaday Belgrade

Hackaday Belgrade — our first ever conference in Europe — is coming up fast. One of the really exciting things for me is the hardware badge which [Voja Antonic] designed for the conference. He’s done a great job with hardware choices and I think we’ve hit the sweet spot for badge hacking. Let’s jump into the hardware and firmware details after the break.

Get your ticket now for ten hours of talks and workshops, evening concerts, and of course badge hacking the entire time. Earlybird sales close Monday. We’re still in the process of going through talk proposals but we’ll publish a post next week announcing all of the speakers.
