
Barcode attack technique - voltagex_
http://en.wooyun.io/2016/01/28/Barcode-attack-technique.html
======
crisp
Wow, never really thought of a barcode as another attack vector. I might dig a
bit deeper and do my master's thesis about it. Sounds really interesting.

~~~
jakub_g
Since QR codes became ubiquitous in public places, I started thinking about
someone planting fake ones, on top of the original ones, that would redirect
to shady websites. If the website is similar enough to the one it
impersonates, it would be hard for the user to distinguish.

~~~
roel_v
Does anyone ever scan a QR code? Besides, I haven't seen any for maybe 2 years
now - or have I just become blind to them?

~~~
carlob
[http://picturesofpeoplescanningqrcodes.tumblr.com](http://picturesofpeoplescanningqrcodes.tumblr.com)

~~~
roel_v
I lol at this page every time I open it, even after all those years. Call me
immature, I guess...

------
marvel_boy
This is possible with Code128 barcodes. This kind of barcode accepts not only
numbers but also chars. Usually consumers deal with EAN13 barcodes at the
supermarket; they only accept numbers and this attack is impossible.

~~~
crisp
This was something I wasn't sure of. How do you know this for a fact?

~~~
chiph
Because the "A" variant of Code128 allows you to have control characters in
there. Many barcode readers act like keyboards to the computer - so the
clerk/user positions their cursor to the item number field, waves the item in
front of the scanner, and the scanner hardware inserts what it read into the
field. Fast, reliable, and easy.

But if the barcode contains control characters, it acts like a keyboard macro
and will send them to the application. So if I embed a Ctrl-S in my hostile
barcode, I can tell the software to save the record with data I supplied.

~~~
crisp
I actually wanted to know how marvel_boy knows that consumers usually deal
with EAN13 barcodes instead of Code128. As he or she states, EAN13 barcodes
would make this kind of attack impossible, so I wanted to know if this is a
real everyday problem concerning most of the stores or only a minority of
them.

~~~
chiph
Look at the products you buy at the store (supermarket, Walmart, Target, etc)
- the barcode is almost always EAN (now IAN).¹ There are exceptions for smaller
items like packs of gum, which use UPC-E² encoding (if the manufacturer
portion ends in zeros). Hundreds of thousands of products being purchased by
billions of people mean they're the dominant barcode system.

As far as attacks via UPC/EAN/IAN go, they're not really possible, as it only
encodes digits, and only 13 of them.

¹
[https://en.wikipedia.org/wiki/International_Article_Number_(...](https://en.wikipedia.org/wiki/International_Article_Number_\(EAN\))

²
[http://www.barcodeisland.com/upce.phtml](http://www.barcodeisland.com/upce.phtml)
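
Added example, not part of the comments above or of the linked article: a Python check for the item-number field discussed in this thread, which rejects control characters arriving from a keyboard-wedge scanner and accepts only a 13-digit EAN with a valid check digit. The function names, the CR/LF terminator and the sample scans are assumptions constructed for illustration.

```python
import unicodedata


def ean13_check_digit(first12: str) -> int:
    """Check digit for the first 12 digits of an EAN-13 number."""
    # Weights alternate 1, 3, 1, 3, ... starting from the leftmost digit.
    total = sum(int(d) * (3 if i % 2 else 1) for i, d in enumerate(first12))
    return (10 - total % 10) % 10


def classify_scan(raw: str) -> tuple[str, str]:
    """Return (verdict, detail) for one string typed by a keyboard-wedge scanner."""
    # Assumption: the scanner is configured to append CR and/or LF as terminator.
    body = raw.rstrip("\r\n")

    # Code 128 set A can carry ASCII control characters; refuse them outright
    # instead of letting them reach the application as keystrokes.
    controls = [c for c in body if unicodedata.category(c) == "Cc"]
    if controls:
        found = ", ".join(f"0x{ord(c):02x}" for c in controls)
        return ("reject", f"control characters in payload: {found}")

    # The field expects an EAN-13: exactly 13 ASCII digits.
    if not (body.isascii() and body.isdigit() and len(body) == 13):
        return ("reject", "not 13 ASCII digits")

    if ean13_check_digit(body[:12]) != int(body[12]):
        return ("reject", "bad EAN-13 check digit")
    return ("accept", body)


if __name__ == "__main__":
    # Constructed sample scans, not captured from real hardware.
    samples = [
        "4006381333931\r",       # well-formed EAN-13
        "4006381333931\x13\r",   # same digits followed by 0x13 (Ctrl-S)
        "4006381333932\r",       # wrong check digit
        "ABC-123\r",             # alphanumeric payload, as Code 128 allows
    ]
    for s in samples:
        print(repr(s), "->", classify_scan(s))
```
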

------
greggarious
Reminds me of Tim Vidas' work on QRishing:

[https://www.cylab.cmu.edu/files/pdfs/tech_reports/CMUCyLab12...](https://www.cylab.cmu.edu/files/pdfs/tech_reports/CMUCyLab12022.pdf)

------
pkstn
I wonder if a similar technique would work with RFIDs..?

