Hackers could use BadBarcode to launch attacks on systems

Malicious barcodes could be used to infiltrate security infrastructure, according to security researchers who found they could send ASCII characters and open command shells via the barcode scanner.

barcode scanner
barcode scanner

Security researchers have discovered a method of creating malicious barcodes that could trigger shell commands on vulnerable systems.

The new style of attack was found by a security researcher work at Tencent's Xuanwu Lab in China. The malicious barcode can be distributed on paper, or uploaded as an image to internet-based barcode scanning systems.

Founder and head of Tencent's Xuanwu Lab, Yang Yu, dubbed the attack BadBarcode. The attack relies on the way that barcode standards have been developed to handle a variety of different situations as well as improperly-configured scanners themselves.

In a demo posted on Twitter, Yu showed how a fake boarding pass printed with a carefully crafted barcode could open a shell in a Windows machine.

“The scanner in that demo is widely used in airports, so we made a fake boarding pass to do that demo,” Yu told Motherboard magazine. “BadBarcode is not a vulnerability of a certain product. It affects the entire barcode scanner-related industries.”

Another video showed how using a Kindle to display a number of barcodes could open up several apps and run a series of commands.

Yu added that such an automated attack could make a scanner type anything to a target system.

Yu added that he is unaware of any malicious application that has or would use this form of attack. He said that barcode scanners are everywhere, “so BadBarcode is really a serious problem, not just a bug people could use to get free beer”.

Yu demonstrated a number of attacks using the flaw at last week's PanSec 2015 Conference in Tokyo.

Yu added in the demo that BadBarcode is “not a vulnerability of a certain product. It's even difficult to say that BadBarcode is the problem of scanners or hosts systems”. He added that when the problem was discovered his team didn't know which manufacturer should be made aware of the problem.

He added that while the demo was based on Windows, it can also be carried out on any system “as long as there is [an] appropriate hot key”.

He added that scanner manufacturers should not enable ADF or other additional features by default and disallow the transmission of ASCII control characters to a host device.

He also warned system manufacturers to not use keyboard emulation barcode scanners and not to implement hotkeys in applications.

Tim Erlin, director of security and product management at Tripwire, told SCMagazineUK.com that while this is unlikely to become a widespread problem, it does possess the potential to be used in very targeted attacks.

“A barcode is something that's often considered secure and might be used on systems connected to a secure network,” he said.

“Barcodes are essentially a part of the supply chain that's difficult to secure. When a system is designed to have a consumer provide the barcode for scanning, then it's basically open to nearly infinite input.”

He added that while others have demonstrated attacks that break the barcode protocols, this research focuses on working within the barcode system, using features that are fully supported.

“Despite the novel infection vector, the systems behind these scanners can still be protected from malware and other unauthorised changes. If you're running barcode scanners in your organisation, analyse how a compromise might surface on the servers to which they're connected and build protections based on those behaviours.”

Craig Young, security researcher at Tripwire told SC, “POS vendors could have easily fixed this by now with a simple regular expression to allow only expected character sets and the fact that they have not would seem to indicate that this is still not being used as a widespread attack vector.”

Tod Beardsley, security research manager at Rapid7, said barcode scanners act essentially as optical keyboards, which means that the system is failing one of the core tenants of information security: “Thou shalt not trust user-supplied data.”

He said: “If the operator of the terminal would not give a stranger access to a full keyboard without monitoring what they typed in, they should not give them access to these wedge barcode scanners.”

Beardsley added that manufacturers should implement hardware controls that disable extended functionality of the affected readers, limiting the characters they can recognise and transmit.

“A fix would be akin to popping the control and meta keys off a normal keyboard. Unfortunately, hardware fixes for widely used, inexpensive technologies are a huge hassle to deploy. Just look at all the magstripe readers still in use today,” he said.

He said that this kind of analysis on input devices that "just work" and haven't been designed with fundamental principles of security in mind is incredibly important now, as the Internet of Things is coming online.

“We place a ton of trust in these systems precisely because they're convenient and appear familiar, but that's the IoT security trap: these devices resemble older technologies, and specifically don't resemble ‘real' computers,” said Beardsley. “However, IoT gadgets really are parts of a networked, general computing system, and therefore need to be designed in a way that assumes the end user is both malicious and clever.”