Messing With Barcodes


[nico] just received his credentials for an upcoming conference. On each badge, there’s a 2D barcode with the participant’s bio and contact info. These are meant to be scanned by vendors for future contact. [nico] isn’t so interested in that and plans on updating his personal info by generating a new barcode. To this end, he’s collected a number of links to help out barcode hackers. He used the SWIPE toolkit to identify the format and decode (it has an online component too). There are also several online encoders you can use, like this one from [Terry Burton]. If you’re wondering what sort of shenanigans you can get into faking barcodes, check out [fx]’s presentation from 24C3.

[photo: seanbonner]

24C3 Toying With Barcodes

[FX] from Phenoelit gave an entertaining talk about barcode security. He covered both how the systems are implemented and how they’ve been exploited. The first example was a parking garage in Dresden that issues non-unique barcodes for the unlimited passes that hotels give out. Anyone could print out an image of that particular code and park for free. German grocery stores have automated machines that refund you for your empty beer bottles. The barcode generated just states the refund amount (5 digits) that you’ll get at the register. Just stick the barcode under something like a six pack and it’ll scan even without the cashier seeing it.
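One way a refund slip like the one described above could be hardened, as an added example that is not from [FX]'s talk or the original post: the barcode carries a unique serial and a truncated HMAC next to the 5-digit amount, and the register rejects altered or replayed codes. The shared key, field widths and tag length are assumptions made for the sketch.

```python
import hashlib
import hmac

# Constructed demo key; assumption: the bottle machine and the register share a secret.
KEY = b"constructed-demo-key-not-for-production"
TAG_DIGITS = 10   # truncated MAC length, an assumption chosen to keep the barcode short
BODY_DIGITS = 13  # 5-digit amount (as on the page) + 8-digit serial (assumption)


def _tag(body: str) -> str:
    """Truncated HMAC-SHA256 over the numeric body, rendered as decimal digits."""
    mac = hmac.new(KEY, body.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**TAG_DIGITS).zfill(TAG_DIGITS)


def issue(amount_cents: int, serial: int) -> str:
    """Machine side: amount + unique serial + MAC tag, digits only."""
    if not (0 <= amount_cents <= 99999 and 0 <= serial <= 99999999):
        raise ValueError("field out of range")
    body = f"{amount_cents:05d}{serial:08d}"
    return body + _tag(body)


class Register:
    """Cashier side: accept a voucher only if it is authentic and not yet redeemed."""

    def __init__(self):
        self.redeemed = set()

    def redeem(self, code: str) -> int:
        if len(code) != BODY_DIGITS + TAG_DIGITS or not (code.isascii() and code.isdigit()):
            raise ValueError("malformed voucher")
        body, tag = code[:BODY_DIGITS], code[BODY_DIGITS:]
        # Constant-time comparison of the received tag against the recomputed one.
        if not hmac.compare_digest(tag, _tag(body)):
            raise ValueError("bad MAC: amount or serial was altered")
        # The serial makes each slip unique, so a photocopy is refused the second time.
        if body in self.redeemed:
            raise ValueError("voucher already redeemed")
        self.redeemed.add(body)
        return int(body[:5])  # refund amount in cents
```
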

Check out the video to find out more silliness involving DVD rentals, boarding passes, asset management, and SQL injection via the scanner. You can even find higher res versions in the 24C3 media archives.