Who am I?
Security Researcher @
– Embedded Device Security
– Firmware Reverse-Engineering
– Big Fan of IoT
Wait, hack a starship?
Though often ignored, the barcode is the most ancient technology of IoT.
What is a barcode?
• A barcode is an optical machine-readable representation of data relating to the object to which it is attached;
• Originally, barcodes (1D) systematically represented data by varying the widths and spacings of parallel lines.
Barcode Symbology
• Every barcode includes:
– Quiet Zone: Blank margin, no information, tells where the barcode starts and stops;
– Start character(s): Special pattern marking where the barcode starts;
– Data: Includes numeric, alphanumeric, or full ASCII chars depending on the barcode protocol;
– Stop character(s): Special pattern marking where the barcode ends.
• Some barcodes have checksum bits/character(s)
How Barcode Scanners Work
• Capturing: LED, Laser, CCD, CMOS, …
• Decoding: Code 39, Code 128, QR Code, …
• Transferring: RS232, PS/2, USB HID, …
Code 128
• Full ASCII encoding ability, effective and high-density
• 4 function codes available for manufacturers
• Three character sets: CodeA, CodeB, CodeC
– Unprintable ASCII can be encoded by CodeA
– CodeC encodes only two-digit numbers
– Character sets are chosen automatically
– The encoder can mix the three code sets in one barcode
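To make the three character sets and the check symbol concrete, here is an added example (not code from the talk) of a decoder that works on Code 128 symbol values rather than bar widths. It follows the standard Code 128 value tables; the function name and the two sample sequences are constructed for illustration.

```python
# Added example: decodes Code 128 symbol values (0..106), not bar widths.
START = {103: "A", 104: "B", 105: "C"}   # start symbols select the initial set
STOP = 106

def decode_code128(symbols):
    """Return (payload_bytes, function_codes); raise ValueError if malformed."""
    if len(symbols) < 3 or symbols[0] not in START or symbols[-1] != STOP:
        raise ValueError("missing start or stop symbol")
    start, data, check = symbols[0], symbols[1:-2], symbols[-2]
    if any(not 0 <= v <= 102 for v in data):
        raise ValueError("symbol value out of range")
    # Check symbol: start value plus position-weighted data values, modulo 103.
    if (start + sum(i * v for i, v in enumerate(data, 1))) % 103 != check:
        raise ValueError("checksum mismatch")
    current, shift, out, fnc = START[start], False, bytearray(), []
    for v in data:
        active = current
        if shift:  # Shift swaps sets A and B for exactly one symbol
            active, shift = ("B" if current == "A" else "A"), False
        if active == "C":
            if v < 100:
                out += b"%02d" % v          # one symbol carries two digits
            elif v == 102:
                fnc.append("FNC1")
            else:
                current = "B" if v == 100 else "A"
        elif v < 96:
            # Set A: 0-63 -> ASCII 32-95, 64-95 -> ASCII 0-31 (control chars).
            # Set B: 0-95 -> ASCII 32-127.
            out.append(v - 64 if active == "A" and v >= 64 else v + 32)
        elif v == 98:
            shift = True
        elif v == 99:
            current = "C"
        elif (v, active) in ((100, "A"), (101, "B")):
            current = "B" if active == "A" else "A"
        else:  # the four function codes
            fnc.append({96: "FNC3", 97: "FNC2", 102: "FNC1"}.get(v, "FNC4"))
    return bytes(out), fnc

# Constructed samples: Start B, "Hi", switch to set C, "1234", check, stop;
# and Start A carrying a single TAB (set A value 73).
MIXED = [104, 40, 73, 99, 12, 34, 84, 106]
TAB_ONLY = [103, 73, 73, 106]
```

The second sample shows why set A matters for host-side handling: the decoded payload is a control byte, not printable text.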
In addition to supporting standard protocols, many manufacturers also typically implement some of their own unique features in scanners.
Other Scenarios
• Predict and recreate barcodes
• Duplicate barcodes
• Phishing attacks by QR code
However, most previous research focused on applications that do not properly process data from barcodes.
What is BadBarcode?
• Many barcode scanners are keyboard emulation devices
• Some barcode protocols, like Code 128, support ASCII control characters
• Almost every barcode scanner supports Code 128
• Almost every barcode scanner has its own additional keyboard emulation features
So, is it possible to open a shell and “type” commands by barcodes like a keyboard?
ASCII Control Characters
• A combination key, like "Ctrl+", is mapped to a single ASCII code
• Encode these chars with Code 128, scan the barcode with a scanner, and a combination key is sent to the computer
• No support for Win keys, Alt keys, or other function keys
• Though only “Ctrl+*” keys can be sent, it still poses a threat to kiosks! WHY?
Dialog Attack
• Common hotkeys are registered by many programs, like: CTRL+O, CTRL+P
• Hotkeys can launch common dialogs, like OpenFile, SaveFile, PrintDialog, etc.
• These dialogs offer us the opportunity to browse the file system, launch browsers and execute programs
• And the most essential thing is "Besides barcode scanner, touch screen is often available as input device in kiosks."
Demo 1: Dialog Attack
If there is no touch screen, is it possible to make a blind attack? What about Win+R?
ADF (Advanced Data Formatting)
• Invented by Symbol Technologies
• Scanned data can be edited to suit particular requirements before being transmitted to the host device
• Specified keys can be sent to the computer
• Set up ONLY by scanning barcodes!
ADF Actions: Examples
• Send data: Send all or part of the data
• Setup fields: Move cursor
• Modify data: Remove spaces and others
• Data padding: Pad data with spaces or zeros
• Beep: Beep 1, 2, 3 times
• Send Keystrokes: Send ctrl+, alt+, shift+ etc. keys
• Send GUI Keys: Send GUI+ keys
• Send Right Control: Send right control stroke
Demo 2: ADF Attack
Can this attack be cooler? Can we do it automatically? What about making an Android app? Unfortunately, not all scanners support reading barcodes from an LCD/LED screen.
Scanners that can read barcodes from LCD/LED screens exist, but many scanners only read barcodes from materials that absorb and reflect light of a certain wavelength. LCD/LED screens display images by modulating a backlight rather than by absorbing and reflecting light, so they appear totally black to such barcode scanners.
The answer is Kindle
• Kindle uses E-ink technology
• It displays words and images by absorbing and reflecting light, just like paper
• High resolution, up to 300 PPI
• Programmable, of course after jailbreak.
Kindle is a perfect BadBarcode tool!
Demo 3: Fully-automated ADF Attack
Can we execute a command with only one single barcode? Yes, for some products, it is possible.
But the product in the next demo is widely used in many really serious places, like airports, so we will not disclose details this time.
Let’s just see the demo
Demo 4: A Piece of Paper Attack
Summary
BadBarcode is not a vulnerability of a certain product. It is even difficult to say whether BadBarcode is a problem of scanners or of host systems. So when we discovered BadBarcode, we did not even know which manufacturer it should be reported to. Although our demos are based on Windows, in fact it can attack any system as long as there is an appropriate hotkey.
Summary
• BadBarcode is really a serious problem
• A host system using a keyboard emulation barcode scanner is potentially vulnerable
• Kiosks with a touch screen and a barcode scanner are easy to compromise
• Barcode scanners that support ADF or some special keyboard emulation features can be utilized to achieve automatic and advanced attacks
• Other devices connected via keyboard emulation might suffer from the same problem
• Keyboard Wedge RFID/NFC Reader?
Security Suggestions
• For barcode scanner manufacturers
– Do NOT enable ADF or other additional features by default
– Do NOT transmit ASCII control characters to the host device by default
• For host system manufacturers
– Do NOT use keyboard emulation barcode scanners as far as possible
– Do NOT implement hotkeys in applications, and disable system hotkeys
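One way a host application can apply these suggestions, shown as an added example that is not part of the original slides: vet every decoded scan before it reaches the application and name any control byte as the key combination it stands for. It assumes the scanner is read through a non-keyboard interface such as a serial port, and the expected ticket format and sample scans are hypothetical.

```python
import re

# Assumptions (not from the talk): the scanner is read over a non-keyboard
# channel such as a serial port, so raw bytes reach the application, and valid
# tickets are 8-20 ASCII digits. Adjust both to the actual deployment.
EXPECTED = re.compile(rb"[0-9]{8,20}")
TERMINATORS = b"\r\n"      # trailing suffix many scanners append

def ctrl_name(byte):
    """Name the key combination a control byte stands for (0x0F -> Ctrl+O)."""
    return "Ctrl+" + chr(byte + 64) if 1 <= byte <= 26 else "0x%02X" % byte

def vet_scan(raw):
    """Return (payload or None, findings) for one decoded scan."""
    body = raw.rstrip(TERMINATORS)          # only a trailing CR/LF is tolerated
    findings = [ctrl_name(b) for b in body if b < 0x20 or b == 0x7F]
    if findings:
        return None, findings               # never forward, log for review
    if not EXPECTED.fullmatch(body):
        return None, ["unexpected format"]
    return body.decode("ascii"), []

# Constructed sample scans, not captured from a real device.
SAMPLES = [b"0012345678\r\n", b"\x0f0012345678\r", b"00123\x1045678", b"ABC"]

def audit(samples=SAMPLES):
    """Vet each sample and return the list of (payload, findings) results."""
    return [vet_scan(s) for s in samples]
```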
• My leader: tombkeeper
• All team members in Xuanwu Lab