13 comments

[ 2.8 ms ] story [ 40.4 ms ] thread
What is special about this?
>“General speaking, we can make [a barcode scanner] to 'type' any keys to the host system, not only the 0-9 and a-z,” Yu said. He claims this lets someone create a boarding pass to “execute any command on computer.”

At a guess, they encoded Win+R cmd <enter> into a barcode. It's a neat trick with big potential.

I'm still confused. This seems completely trivial.
The point being that it assuredly is trivial, but also potentially a gaping hole left open across a wide array of software.

In these sorts of situations, as with the Y2K bug, the problem is more often the product of social circumstances than technical circumstances.

Nonetheless, this doesn't prevent technical adversaries from preying upon the flaw, and taking advantage of social patterns of behavior, such as the casual tendency to presume barcodes are intrinsically safe.

Agreed. I used to work in a library, and was able to do something similar with our scanners.

The only thing "new" might be the recognition of being able to pass "alt-?" key combos through PDF-417 barcodes, which are becoming more and more ubiquitous, while the scanners still just pretend to be keyboards.

Am is missing something or is the presented "attack" really trivial? They use a barcode scanner connected as a virtual keyboard to directly enter keystrokes into the windows shell - I imagine the barcode simply reads "CTRL, T, S, O, M, E, C, O, M, M, A, N, D".

It's not surprising that it works to me -- I think it's the intended behaviour.

The article suggests the fact that barcodes can contain arbitrary (non-printable) ascii characters is the discovery of a new vulnerability which can be used to attack a large number of real-world POS/airport check-in systems, but doesn't give a single example or proof for that. This seems like complete speculation on the presence of input handling bugs in systems connected to barcode scanners presented as a fact.

How do you know that FooBar (TM) Barcode Scanner isn't presenting as a HID to the underlying system? The keyboard's not accessible so the kiosk mode probably isn't protected against alt-F4, ctrl-alt-delete etc.
I could only speculate how specific applications (e.g. at airports) are built.

However, if some specific vendor was susceptible to this attack, it would just be a stupid, obvious and easily fixable input handling bug in their product.

But the linked article doesn't even demonstrate such an attack against an actual application ("BadBarcode is not a vulnerability of a certain product"). Just a trivial "demo" where they use a virtual keyboard device to enter commands directly into a windows shell and then get excited that it works...

Well yes, but it's a new application of a HID attack, and it's nicely wrapped up for the media/public (who just got done watching CSI Cyber and Mr Robot)

Also, just because it's trivial doesn't mean it'll get patched quickly (wasn't it France's airports that were still running Windows 3.11?) or even be acknowledged by the vendor.

I'd try this on my local self-serve supermarket checkout if I were feeling brave...

Agreed on all points.

Still the "airports can be hacked using this ninja barcode trick" spin that they put on the story pushes my buttons. -- The "trick" is absolutely trivial and they haven't even bothered to try and confirm it on _any_ real world device.

This doesn't stop them from framing it in a way that makes it look like a significant discovery of a new vulnerability which "affects the entire barcode scanner-related industries" and then try to insinuate fear of the possible consequences of that "new discovery": "[It's] really a serious problem, not just a bug people could use to get free beer". Even though it's all based on complete speculation in the first place.

In all likelihood, the people building those systems have thought of and closed the attack vector a long time ago (if it was ever there). But of course vice apparently hasn't even asked a single vendor for comment -- maybe the answer would've been "no, it's not a problem in our product".

I find it a typical case of vice reporting. They take something that isn't exactly true/new to begin with and then blow it extremely out of proportion. This creates the illusion that only vice has the hottest, rawest and most uncensored stories abut sex, drugs and crime which nobody else reports about like they do (because they are mostly made up by vice). IMO vice is classic yellow press packaged for the hip and trendy geeks of my/our generation.

</rant>