
BadBarcode: Start a shell by scanning a boarding pass - ProZsolt
http://motherboard.vice.com/read/badbarcode-project-shows-customized-boarding-passes-can-hack-computers
======
paulasmuth
Am I missing something or is the presented "attack" really trivial? They use
a barcode scanner connected as a virtual keyboard to directly enter keystrokes
into the Windows shell - I imagine the barcode simply reads "CTRL, T, S, O, M,
E, C, O, M, M, A, N, D".

It's not surprising that it works to me -- I think it's the intended
behaviour.

The article suggests the fact that barcodes can contain arbitrary (non-
printable) ASCII characters is the discovery of a new vulnerability which can
be used to attack a large number of real-world POS/airport check-in systems,
but doesn't give a single example or proof for that. This seems like complete
speculation on the presence of input handling bugs in systems connected to
barcode scanners presented as a fact.

~~~
voltagex_
How do you know that FooBar (TM) Barcode Scanner isn't presenting as a HID to
the underlying system? The keyboard's not accessible so the kiosk mode
probably isn't protected against alt-F4, ctrl-alt-delete etc.

~~~
paulasmuth
I could only speculate how specific applications (e.g. at airports) are built.

However, if some specific vendor was susceptible to this attack, it would just
be a stupid, obvious and easily fixable input handling bug in their product.

But the linked article doesn't even demonstrate such an attack against an
actual application ("BadBarcode is not a vulnerability of a certain product").
Just a trivial "demo" where they use a virtual keyboard device to enter
commands directly into a Windows shell and then get excited that it works...

~~~
voltagex_
Well yes, but it's a new application of a HID attack, and it's nicely wrapped
up for the media/public (who just got done watching CSI Cyber and Mr Robot)

Also, just because it's trivial doesn't mean it'll get patched quickly (wasn't
it France's airports that were still running Windows 3.11?) or even be
acknowledged by the vendor.

I'd try this on my local self-serve supermarket checkout if I were feeling
brave...

~~~
paulasmuth
Agreed on all points.

Still the "airports can be hacked using this ninja barcode trick" spin that
they put on the story pushes my buttons. -- The "trick" is absolutely trivial
and they haven't even bothered to try and confirm it on _any_ real world
device.

This doesn't stop them from framing it in a way that makes it look like a
significant discovery of a new vulnerability which "affects the entire barcode
scanner-related industries" and then try to insinuate fear of the possible
consequences of that "new discovery": "[It's] really a serious problem, not
just a bug people could use to get free beer". Even though it's all based on
complete speculation in the first place.

In all likelihood, the people building those systems have thought of and
closed the attack vector a long time ago (if it was ever there). But of course
Vice apparently hasn't even asked a single vendor for comment -- maybe the
answer would've been "no, it's not a problem in our product".

I find it a typical case of Vice reporting. They take something that isn't
exactly true/new to begin with and then blow it extremely out of proportion.
This creates the illusion that only Vice has the hottest, rawest and most
uncensored stories about sex, drugs and crime which nobody else reports about
like they do (because they are mostly made up by Vice). IMO Vice is classic
yellow press packaged for the hip and trendy geeks of my/our generation.

</rant>

------
ProZsolt
Demo:
[https://twitter.com/tombkeeper/status/664723564717715456](https://twitter.com/tombkeeper/status/664723564717715456)

------
ProZsolt
Defcon presentation about barcodes:
[https://www.youtube.com/watch?v=qT_gwl1drhc](https://www.youtube.com/watch?v=qT_gwl1drhc)

------
slaesche
What is special about this?

~~~
voltagex_
>“General speaking, we can make [a barcode scanner] to 'type' any keys to the
host system, not only the 0-9 and a-z,” Yu said. He claims this lets someone
create a boarding pass to “execute any command on computer.”

At a guess, they encoded Win+R cmd <enter> into a barcode. It's a neat trick
with big potential.

~~~
slaesche
I'm still confused. This seems completely trivial.

~~~
downer70
The point being that it assuredly is trivial, but also potentially a gaping
hole left open across a wide array of software.

In these sorts of situations, as with the Y2K bug, the problem is more often
the product of social circumstances than technical circumstances.

Nonetheless, this doesn't prevent technical adversaries from preying upon the
flaw, and taking advantage of social patterns of behavior, such as the casual
tendency to presume barcodes are intrinsically safe.
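
Added example, not part of any comment in this thread and not code from the article or the researchers: the thread turns on barcodes carrying non-printable ASCII that the host then acts on, so this sketch shows an application treating decoded barcode data as untrusted input. It assumes the kiosk receives the decoded symbol as raw bytes (for instance a scanner in serial mode rather than keyboard emulation); the allowlist, function names and sample payloads are hypothetical and constructed.

```python
"""Validate decoded barcode data before a kiosk application acts on it.

Assumption: the application receives the decoded symbol as raw bytes,
not as keystrokes typed into whichever window has focus.
"""
import re
from dataclasses import dataclass, field

# Hypothetical allowlist for the one field this kiosk expects.
EXPECTED = re.compile(r"[A-Z0-9 /<>.-]{1,80}")


@dataclass
class Verdict:
    accepted: bool
    findings: list = field(default_factory=list)  # human-readable reasons


def caret(byte: int) -> str:
    """Render a control byte in caret notation, e.g. 0x12 -> '^R'."""
    return "^?" if byte == 0x7F else "^" + chr(byte ^ 0x40)


def inspect_scan(raw: bytes) -> Verdict:
    """Reject control/non-ASCII bytes first, then enforce the field format."""
    findings = []
    for pos, b in enumerate(raw):
        if b < 0x20 or b == 0x7F:
            findings.append(f"control character {caret(b)} (0x{b:02x}) at offset {pos}")
        elif b > 0x7F:
            findings.append(f"non-ASCII byte 0x{b:02x} at offset {pos}")
    if not findings and not EXPECTED.fullmatch(raw.decode("ascii")):
        findings.append("payload does not match the expected field format")
    return Verdict(accepted=not findings, findings=findings)


# Constructed sample payloads (not taken from any real boarding pass).
SAMPLES = [
    b"M1DOE/JOHN EABC123 AAABBBXX 0123 100Y001A0001",
    b"ABC123\x12\x1bXYZ",  # embedded DC2 (^R) and ESC (^[)
    b"abc; lower-case and ';' are outside the allowlist",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        v = inspect_scan(sample)
        print("ACCEPT" if v.accepted else "REJECT", sample, v.findings)
```

This check only helps where the application sees the data before the operating system does; with a scanner in keyboard-emulation mode the keystrokes reach the OS directly, so the scanner configuration and kiosk lock-down matter as well.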

------
dang
We changed the URL from [http://www.slideshare.net/PacSecJP/hyperchem-ma-badbarcode-e...](http://www.slideshare.net/PacSecJP/hyperchem-ma-badbarcode-en1109nocommentfinal) which appears not to render correctly.

