'Badbarcode' attacks expose potential vulnerabilities in barcode tech
Researchers at Tencent’s Xuanwu Lab demonstrated attacks using barcodes that could deliver commands to systems that read them
At the PacSec 2015 conference in Tokyo on Nov. 12, researchers with Tencent's Xuanwu Lab demonstrated several attacks that use nothing more than barcodes to execute commands on the host system behind a barcode reader, a technique that could also be used to plant trojans on that host.
Yang Yu, the firm's founder and head, posted several videos to his Twitter account of an attack he has dubbed “Badbarcode” that demonstrate how barcodes that were printed on paper and on digital screens could be programmed to execute any command on a computer.
The attack consists of printing barcodes that encode a sequence of keystrokes rather than an ordinary product or ticket number; when a scanner that presents itself to the host as a keyboard (a "keyboard wedge") reads the code, it types those keystrokes into whatever application has focus. Yu said the researchers exploited the fact that, depending on the symbology in use, common barcode formats such as Code 128 can carry the full ASCII character set, including control characters, rather than only digits and letters, according to Threatpost.
One of Yu's videos shows a barcode being scanned by the kind of reader used at airports to check boarding passes. As soon as the code is scanned, a shell opens on the attached computer, ready for an attacker to type commands.
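The two technical points above, that a symbology can legally carry control characters and that a host must therefore treat scanner input as untrusted keystrokes, can be made concrete. The following is an added example written for this article, not code from Tencent's Xuanwu Lab or from any scanner vendor. It computes the Code 128 code set A symbol values (including the mod-103 check digit) for a payload so that the reader can see that control bytes such as carriage return or escape are valid symbol content, and it shows a defensive check for a host application: decoded scan data is rejected if it contains anything outside printable ASCII or fails a format allowlist. The allowlist pattern, the sample scan strings and the function names are assumptions for illustration, not anything the researchers published.

```python
"""Added example: Code 128 set A can encode control characters, so a host
that consumes keyboard-wedge scanner input must validate it before it is
interpreted as keystrokes. Not the researchers' or any vendor's code."""
import re

# Code 128 special symbol values (standard values, not assumptions).
START_A, STOP = 103, 106

def code128a_values(data: bytes) -> list[int]:
    """Return the symbol value sequence for DATA in Code 128 code set A:
    Start A, one value per byte, the mod-103 check digit, and Stop.
    Set A maps 0x20-0x5F to values 0-63 and control bytes 0x00-0x1F to 64-95,
    which is why CR, ESC, TAB and friends are perfectly valid symbol content."""
    values = []
    for b in data:
        if 0x20 <= b <= 0x5F:
            values.append(b - 0x20)
        elif b <= 0x1F:
            values.append(b + 0x40)
        else:
            raise ValueError(f"byte 0x{b:02x} is not encodable in code set A")
    # Check digit: (start value + sum of position-weighted values) mod 103.
    check = (START_A + sum(i * v for i, v in enumerate(values, start=1))) % 103
    return [START_A, *values, check, STOP]

# Host-side defence: treat scanner output as untrusted input, not as keystrokes.
def find_control_chars(data: bytes) -> list[tuple[int, int]]:
    """Return (offset, byte) for every byte of DATA outside printable ASCII.
    A keyboard-wedge scanner may turn such bytes into Enter, Tab, Esc or
    function-key events, which is the raw material of a BadBarcode-style payload."""
    return [(i, b) for i, b in enumerate(data) if not 0x20 <= b <= 0x7E]

# Hypothetical allowlist for a ticket-style identifier (an assumption for the
# example): uppercase letters, digits, slash and space, bounded length.
TICKET_PATTERN = re.compile(rb"^[A-Z0-9/ ]{1,60}$")

def validate_scan(data: bytes, pattern: re.Pattern = TICKET_PATTERN) -> tuple[bool, str]:
    """Accept DATA only if it has no control characters and matches PATTERN.
    Returns (ok, reason); a rejected scan should be logged, never replayed as keys."""
    bad = find_control_chars(data)
    if bad:
        offs = ", ".join(f"0x{b:02x}@{i}" for i, b in bad)
        return False, f"control or non-ASCII bytes in scan: {offs}"
    if not pattern.fullmatch(data):
        return False, "scan does not match the expected ticket format"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample scans: a plausible ticket string and a payload that
    # embeds ESC and CR, as an attacker would to inject key events.
    benign = b"M1DOE/JOHN 0123456789"
    hostile = b"\x1bcmd\x0d"
    print(code128a_values(hostile))   # control bytes encode without complaint
    print(validate_scan(benign))      # (True, 'ok')
    print(validate_scan(hostile))     # (False, 'control or non-ASCII bytes ...')
```

The check digit arithmetic is only there to make the point that nothing in the symbology stops a control byte from being encoded; the real mitigation is on the host. Configuring the scanner to emit data over a serial or OPOS-style interface instead of as keystrokes, and disabling any "function key emulation" option it offers, removes the keyboard-injection path entirely, and the `validate_scan` allowlist then catches malformed data before the application acts on it.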
“BadBarcode is not a vulnerability of a certain product. It affects the entire barcode scanner-related industries,” Yu told Vice's Motherboard in a direct message on Twitter.
“I do not know what the bad guys might do,” Motherboard quoted him as saying. “But considering barcode scanners are everywhere in our world, BadBarcode is really a serious problem, not just a bug people could use to get free beer.”