When it comes to hackers, it seems they’ve taken every avenue, from car hacking to sniper rifle hacking and even artificial organ hacking, but no, we’re not done yet. A new group of researchers has begun manipulating the little lines of data we all know as barcodes to make computers execute their every command.
During this week’s PacSec 2015 conference in Tokyo, researchers with Tencent’s Xuanwu Lab debuted a number of attacks using poisoned barcodes scanned by any number of average barcode scanners, in which they were able to open a shell and execute commands on a machine. The attacks, dubbed BadBarcode, are relatively simple to execute, and the researchers behind them said it’s difficult to pinpoint where the vulnerability stems from: whether it’s the scanner or the host system that needs to be patched, or both, or something else entirely.
“We do not know what the bad guys might do. BadBarcode can execute any commands in the host system, or [implant] a Trojan,” said Yang Yu, a key researcher who collaborated with his colleague Hyperchem Ma. Yu is an extremely skilled researcher who was rewarded last year with a $100,000 payout from Microsoft for a trio of ASLR and DEP bypasses. “So basically you can do anything with BadBarcode,” Yu explained.
Yu said his team was able to exploit the fact that a majority of barcodes contain not only numeric and alphanumeric characters, but also full ASCII characters, depending on the protocol being used. Barcode scanners are essentially keyboard emulators, and if they support protocols such as Code128, which supports ASCII control characters, an attacker could craft a barcode that, once scanned, opens a shell on the computer to which commands can be sent.
During their presentation, Yu and Ma said that Ctrl+ commands map to ASCII codes and can be used to trigger hotkeys, which are registered with the Ctrl+ prefix, to launch common dialogues such as OpenFile, SaveFile and PrintDialog. Attackers can leverage hotkeys to browse the computer’s file system, launch browsers and even execute programs.
BadBarcode is able to execute a wide range of attacks; the key is adding special control characters to the barcode that tell the barcode reader to activate host system hotkeys, which in turn activate the desired functions. BadBarcode is simple: the poisoned barcodes can be printed on ordinary paper.
One of the demos of our talk "BadBarcode: How to hack a starship with a piece of paper". See you in PacSec 2015. pic.twitter.com/tu8XZjegHP
— Yang Yu (@tombkeeper) November 9, 2015
Fixing the issue is tricky, Yu said, because it’s not limited to a particular set of scanners, so no single manufacturer or vendor is directly at fault. Vendors affected by BadBarcode include Esky, Symbol, Honeywell, and TaoTronics.
“BadBarcode is not a vulnerability of a certain product,” Yu explained. “It affects the entire barcode scanner-related industries. It’s even difficult to say that BadBarcode is the problem of scanners or host systems. So when we discovered BadBarcode, we even [did] not know which manufacturer should be reported.”
One potential fix suggested by Yu is requiring barcode scanner manufacturers not to enable additional features beyond standard scanning protocols by default, and not allowing them to transmit ASCII control characters to the host device by default. Another solution is to think twice about using barcode scanners that emulate keyboards, and to always ensure you disable hotkeys.
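The host-side counterpart of that advice, as an added example that is not from the researchers' talk: a Python check that refuses any scan containing ASCII control characters before the application uses it. It assumes the application receives the decoded scan as a string rather than as emulated keystrokes; the allow-list, length limit, function names and sample scans are constructed for illustration.

```python
import string

# Hypothetical allow-list for an inventory or tracking code; adjust per application.
ALLOWED = set(string.ascii_letters + string.digits + "-._/ ")
TERMINATORS = "\r\n"  # scanner-appended suffix, tolerated only at the very end


def caret_name(ch):
    """Caret notation for an ASCII control character, e.g. 0x0F -> ^O (Ctrl+O)."""
    code = ord(ch)
    return "^?" if code == 0x7F else "^" + chr(code + 0x40)


def inspect_scan(raw, max_len=64):
    """Return (value, findings); value is None when the scan must be rejected."""
    findings = []
    body = raw.rstrip(TERMINATORS)
    if not body:
        findings.append("empty scan")
    if len(body) > max_len:
        findings.append(f"length {len(body)} exceeds limit {max_len}")
    for pos, ch in enumerate(body):
        code = ord(ch)
        if code < 0x20 or code == 0x7F:
            findings.append(f"control char 0x{code:02X} ({caret_name(ch)}) at offset {pos}")
        elif ch not in ALLOWED:
            findings.append(f"disallowed char {ch!r} at offset {pos}")
    return (None if findings else body), findings


# Constructed sample scans (not captured from real devices).
SAMPLES = [
    "4006381333931\r",   # plain numeric code with a CR suffix
    "ITEM-42\x0f",       # trailing 0x0F, which a keyboard wedge would type as Ctrl+O
    "AB\rCD",            # CR embedded mid-payload rather than as a suffix
]

if __name__ == "__main__":
    for s in SAMPLES:
        value, findings = inspect_scan(s)
        print(repr(s), "->", "ACCEPT" if value else "REJECT", findings)
```

Logging the findings for rejected scans gives operations staff a record of which control code appeared and where in the payload.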
Simple vulnerabilities like this could prove critical in the real world, posing a potentially huge and growing issue.