SlideShare ist ein Scribd-Unternehmen logo
1 von 49
Downloaden Sie, um offline zu lesen
BadBarcode: How to hack a
starship with a piece of paper
Hyperchem Ma
Tencent’s Xuanwu Lab
http://xlab.tencent.com @XuanwuLab
Who am I ?
Security Researcher @
– Embedded Device Security
– Firmware Reverse-Engineering
– Big Fan of IoT
Wait, hack a starship?
4
About Barcode
Though often be ignored, barcode is
the most ancient technology of IoT.
What is barcode?
•  Barcode is an optical machine-readable
representation of data relating to the object
to which it is attached;
•  Originally barcodes(1D) systematically
represented data by varying the widths and
spacings of parallel lines.
Barcode Symbology
•  Every barcode includes:
– Quiet Zone: Blank margin, No Information, Tell where
barcode starts and stops;
– Start character(s): Special pattern for barcode starts;
– Data: Includes Numeric, Alpha-Numeric, Full ASCII
chars depending on different barcode protocols;
– Stop character(s): Special pattern for barcode ends.
•  Some barcode have checksum bits/character(s)
Barcode Scanners
Scanner Inside
How Barcode Scanner Work
Capturing Decoding Transferring
RS232
PS/2
USB HID
…
Code 39
Code 128
QR Code
…
LED
Laser
CCD
CMOS
…
Protocols
Code 128
•  Full ASCII Encode Ability, Effictive and
High-Density
•  4 Function Codes Availiable For Manufacture
•  Three Character Sets: CodeA,CodeB,CodeC
– Unprintable ASCII can be encoded by CodeA
– CodeC encodes only two-digit numbers
– CharSets are chosen automatically
– Encoder can hybridize three code sets
In addition to supporting standard protocols,
many manufacturers also typically implement
some of their unique features in scanners.
Scanner Manufactures
•  Symbol (Zebra)
•  HoneyWell
•  TaoTronics
•  ESky
•  ACCESS IS
•  UNITECH
•  AIBO
•  Newland
•  Copycat products
Barcode Scanner Is Everywhere
Previous Work on Barcodes Security
“Toying with Barcodes”, Phenoelit, 24C3
•  Barcode driven buffer overflow
•  Barcode driven format string
•  Barcode driven SQL injection
•  Barcode driven XSS
Other Scenarios
•  Predict and recreate barcodes
•  Duplicate barcodes
•  Phishing attacks by QR code
However, most of previous research
focused on the application that do not
properly process data from barcodes
Our Research:BadBarcode
What is BadBarcode?
•  Many barcode scanners are keyboard emulation device
•  Some barcode protocols, like Code 128, supports
ASCII control characters
•  Almost every barcode scanner support Code 128
•  Almost every barcode scanner has its own additional
keyboard emulation features
So, is it possible to open a shell and “type”
commands by barcodes like a keyboard?
ASCII Table
Hex ASCII Scan code Hex ASCII Scan code Hex ASCII Scan code
00 NUL CTRL+2 0B VT CTRL+K 16 SYN CTRL+V
01 SOH CTRL+A 0C FF CTRL+L 17 TB CTRL+W
02 STX CTRL+B 0D CR CTRL+M 18 CAN CTRL+X
03 ETX CTRL+C 0E SO CTRL+N 19 EM CTRL+Y
04 EOT CTRL+D 0F SI CTRL+O 1A SUB CTRL+Z
05 ENQ CTRL+E 10 DLE CTRL+P 1B ESC CTRL+[
06 ACK CTRL+F 11 DC1 CTRL+Q 1C FS CTRL+
07 BEL CTRL+G 12 DC2 CTRL+R 1D GS CTRL+]
08 BS CTRL+H 13 DC3 CTRL+S 1E RS CTRL+6
09 HT CTRL+I 14 DC4 CTRL+T 1F US CTRL+-
0A LF CTRL+J 15 NAK CTRL+U 7F DEL *
ASCII Control Characters
•  Combination key, like "Ctrl+ ", is mapped to a
single ASCII code
•  Encode these chars with Code 128 ,scan it with
scanner, and finally a combination key was
sent to computer
•  No Win keys, Alt keys, or other function keys
support
•  Though only “Ctrl+*” keys can be sent, it still poses
threat to kiosks! WHY?
Dialog Attack
•  Common Hotkeys are registered by many
programs, like: CTRL+O, CTRL+P
•  Hotkeys can launch common dialogs, like
OpenFile, SaveFile, PrintDialog and etc
•  These dialogs offer us opportunity to
browse file system, launch browsers and
execute program
•  And the most essential thing is "Besides
barcode scanner, touch screen is often available
as input device in kiosks."
Demo 1: Dialog Attack
What about Win+R?
If there is no touch screen, is it
possible to make a blind attack?
ADF(Advanced Data Formatting)
•  Symbol Technologies Invent this
•  Scanned data can be edited to suit particular
requirements before transmitted to host device
•  Specified Key can be sent to computer
•  Set up ONLY by scanning barcodes!
ADF
Actions Examples
Send data Send all or part of data
Setup fields Move cursor
Modify data Remove spaces and others
Data padding Pad data with space or zero
Beep Beep 1,2,3 times
Send Keystrokes Send ctrl+, alt+,shft+ etc keys.
Send GUI Keys Send GUI+ keys.
Send Right Control Send right contrl stroke.
Demo 2: ADF Attack
Unfortunately, not all scanners support
read barcodes from LCD/LED screen.
Can this attack be cooler ?
Can we do it automatically?
What about making an android APP?
Though scanners which read barcodes from
LCD/LED screen exist, many of them read
barcodes from materials which can absorb
and reflect light of certain wavelength.
However, LCD/LED screen display images
by modulating backlight rather absorbing
and reflecting lights, which means total black
for barcode scanners.
Display Technology
•  CRT
•  LCD
•  OLED
•  Electronic Paper
The answer is Kindle
•  Kindle use E-ink technology
•  It display words and images based on absorb
and reflect light, just like a paper
•  High Resolution, Up to 300 PPI
•  Programmable, of course after Jailbreak.
Kindle is perfect BadBarcode tool !
Demo 3: Fully-automated ADF Attack
Can we execute a command
by only one single barcode?
Yes, for some products, it is possible
But, the product in the next demo is widely
used in many really serious places, like
airports, so we would not disclose details
this time
Let’s just see the demo
Demo 4: A Piece of Paper Attack
Summary
BadBarcode is not a vulnerability of a certain product. It’s
even difficult to say that BadBarcode is the problem of
scanners or host systems.
So when we discovered BadBarcode, we even do not
know which manufacturer should be reported.
Although our demos is based on Windows, but in fact it
can attack any system as long as there is appropriate
hotkey.
Summary
•  BadBarcode is really a serious problem
•  Host system using keyboard emulation barcode scanner is
potentially vulnerable
•  Kiosks with touch screen and barcode scanner are easy to be
compromised
•  Barcode scanner that support ADF or some special keyboard
emulation features can be utilized to achieve automatic and
advanced attack
•  Other device via keyboard emulation connection might
suffer from the same problem
•  Keyboard Wedge RFID/NFC Reader ?
Security Suggestions
•  For barcode scanner manufactures
– Do NOT enable ADF or other additional features by
default
– Do NOT transmit ASCII control characters to host
device by default
•  For host system manufactures
– Do NOT use keyboard emulation barcode scanner as
far as possible
– Do NOT implement hotkeys in application, and
disable system hotkeys
Acknowledgement
•  My leader : tombkeeper
•  All team members in Xuanwu Lab
Q&A

Weitere ähnliche Inhalte

Was ist angesagt?

EG-i-3-106-111-Poljoprivreda - podela, razmestaj i osnovni tipovi proizvodnje
EG-i-3-106-111-Poljoprivreda - podela, razmestaj i osnovni tipovi proizvodnjeEG-i-3-106-111-Poljoprivreda - podela, razmestaj i osnovni tipovi proizvodnje
EG-i-3-106-111-Poljoprivreda - podela, razmestaj i osnovni tipovi proizvodnjeTeacherDN
 
GS-120-125-Antropogena kulturna dobra i njihova zaštita
GS-120-125-Antropogena kulturna dobra i njihova zaštitaGS-120-125-Antropogena kulturna dobra i njihova zaštita
GS-120-125-Antropogena kulturna dobra i njihova zaštitaTeacherDN
 
Sekundarni sektor
Sekundarni sektorSekundarni sektor
Sekundarni sektorprijicsolar
 
Srpski jezik 4. razred
Srpski jezik 4. razredSrpski jezik 4. razred
Srpski jezik 4. razredbelisce
 
Привреда Србије
Привреда СрбијеПривреда Србије
Привреда СрбијеTanja Milanović
 
Географска писменост
Географска писменостГеографска писменост
Географска писменостTanja Milanović
 
Vazdušne mase i vazdušni frontovi lj đ
Vazdušne mase i vazdušni frontovi lj đVazdušne mase i vazdušni frontovi lj đ
Vazdušne mase i vazdušni frontovi lj đljubicadj1
 
Polozaj, velicina i funkcije naselja
Polozaj, velicina i funkcije naseljaPolozaj, velicina i funkcije naselja
Polozaj, velicina i funkcije naseljaprijicsolar
 
Izgled, oblik i veze sela sa ruralnim prostorom
Izgled, oblik i veze sela sa ruralnim prostoromIzgled, oblik i veze sela sa ruralnim prostorom
Izgled, oblik i veze sela sa ruralnim prostoromprijicsolar
 
Сједињене Америчке Државе
Сједињене Америчке ДржавеСједињене Америчке Државе
Сједињене Америчке Државеprijicsolar
 
Beograd - Glavni grad Srbije
Beograd - Glavni grad SrbijeBeograd - Glavni grad Srbije
Beograd - Glavni grad SrbijeZoran Simic
 
Cetvorougao, paralelogram, pravougaonik, romb i kvadrat, trapez
Cetvorougao, paralelogram, pravougaonik, romb i kvadrat, trapezCetvorougao, paralelogram, pravougaonik, romb i kvadrat, trapez
Cetvorougao, paralelogram, pravougaonik, romb i kvadrat, trapezmirjanamitic
 

Was ist angesagt? (20)

Primarni sektor
Primarni sektorPrimarni sektor
Primarni sektor
 
EG-i-3-106-111-Poljoprivreda - podela, razmestaj i osnovni tipovi proizvodnje
EG-i-3-106-111-Poljoprivreda - podela, razmestaj i osnovni tipovi proizvodnjeEG-i-3-106-111-Poljoprivreda - podela, razmestaj i osnovni tipovi proizvodnje
EG-i-3-106-111-Poljoprivreda - podela, razmestaj i osnovni tipovi proizvodnje
 
Privreda
PrivredaPrivreda
Privreda
 
GS-120-125-Antropogena kulturna dobra i njihova zaštita
GS-120-125-Antropogena kulturna dobra i njihova zaštitaGS-120-125-Antropogena kulturna dobra i njihova zaštita
GS-120-125-Antropogena kulturna dobra i njihova zaštita
 
Sekundarni sektor
Sekundarni sektorSekundarni sektor
Sekundarni sektor
 
Srpski jezik 4. razred
Srpski jezik 4. razredSrpski jezik 4. razred
Srpski jezik 4. razred
 
Привреда Србије
Привреда СрбијеПривреда Србије
Привреда Србије
 
Географска писменост
Географска писменостГеографска писменост
Географска писменост
 
Stanovnistvo i naselja srbije
Stanovnistvo i naselja srbijeStanovnistvo i naselja srbije
Stanovnistvo i naselja srbije
 
Klimatske odlike Republike Srbije
Klimatske odlike Republike SrbijeKlimatske odlike Republike Srbije
Klimatske odlike Republike Srbije
 
Vazdušne mase i vazdušni frontovi lj đ
Vazdušne mase i vazdušni frontovi lj đVazdušne mase i vazdušni frontovi lj đ
Vazdušne mase i vazdušni frontovi lj đ
 
Polozaj, velicina i funkcije naselja
Polozaj, velicina i funkcije naseljaPolozaj, velicina i funkcije naselja
Polozaj, velicina i funkcije naselja
 
Izgled, oblik i veze sela sa ruralnim prostorom
Izgled, oblik i veze sela sa ruralnim prostoromIzgled, oblik i veze sela sa ruralnim prostorom
Izgled, oblik i veze sela sa ruralnim prostorom
 
Sad privreda
Sad privredaSad privreda
Sad privreda
 
Сједињене Америчке Државе
Сједињене Америчке ДржавеСједињене Америчке Државе
Сједињене Америчке Државе
 
Beograd - Glavni grad Srbije
Beograd - Glavni grad SrbijeBeograd - Glavni grad Srbije
Beograd - Glavni grad Srbije
 
Насеља
НасељаНасеља
Насеља
 
Cetvorougao, paralelogram, pravougaonik, romb i kvadrat, trapez
Cetvorougao, paralelogram, pravougaonik, romb i kvadrat, trapezCetvorougao, paralelogram, pravougaonik, romb i kvadrat, trapez
Cetvorougao, paralelogram, pravougaonik, romb i kvadrat, trapez
 
Raznovrsnost biljnog sveta Srbije
Raznovrsnost biljnog sveta SrbijeRaznovrsnost biljnog sveta Srbije
Raznovrsnost biljnog sveta Srbije
 
3. republika crna gora
3. republika crna gora3. republika crna gora
3. republika crna gora
 

Andere mochten auch

Adam Laurie, Blue Toot -pacsec-2015
Adam Laurie, Blue Toot -pacsec-2015Adam Laurie, Blue Toot -pacsec-2015
Adam Laurie, Blue Toot -pacsec-2015PacSecJP
 
Guang gong escalate privilege by vulnerabilities in android system services ...
Guang gong  escalate privilege by vulnerabilities in android system services ...Guang gong  escalate privilege by vulnerabilities in android system services ...
Guang gong escalate privilege by vulnerabilities in android system services ...PacSecJP
 
Mickey pac sec2016_final_ja
Mickey pac sec2016_final_jaMickey pac sec2016_final_ja
Mickey pac sec2016_final_jaPacSecJP
 
Marc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_jaMarc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_jaPacSecJP
 
James Forshaw, elevator action
James Forshaw, elevator actionJames Forshaw, elevator action
James Forshaw, elevator actionPacSecJP
 
Richard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingRichard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingPacSecJP
 
Richard high performance fuzzing ja
Richard  high performance fuzzing jaRichard  high performance fuzzing ja
Richard high performance fuzzing jaPacSecJP
 
James Windows10 elevator action final-jp
James Windows10 elevator action final-jpJames Windows10 elevator action final-jp
James Windows10 elevator action final-jpPacSecJP
 
Filippo, Plain simple reality of entropy
Filippo, Plain simple reality of  entropyFilippo, Plain simple reality of  entropy
Filippo, Plain simple reality of entropyPacSecJP
 
Georgi Geshev, warranty void if label removed
Georgi Geshev,   warranty void if label removedGeorgi Geshev,   warranty void if label removed
Georgi Geshev, warranty void if label removedPacSecJP
 
Andersson hacking ds_mx_with_sdr_pac_sec_2016_japanese
Andersson hacking ds_mx_with_sdr_pac_sec_2016_japaneseAndersson hacking ds_mx_with_sdr_pac_sec_2016_japanese
Andersson hacking ds_mx_with_sdr_pac_sec_2016_japanesePacSecJP
 
Martin Zeiser, Universal Pwn n Play - pacsec -final
Martin Zeiser, Universal Pwn n Play - pacsec -finalMartin Zeiser, Universal Pwn n Play - pacsec -final
Martin Zeiser, Universal Pwn n Play - pacsec -finalPacSecJP
 
Martin UPnP - pacsec -final-ja
Martin UPnP - pacsec -final-jaMartin UPnP - pacsec -final-ja
Martin UPnP - pacsec -final-jaPacSecJP
 
Gang gong, escalate privilege by vulnerabilities in android system services
Gang gong, escalate privilege by vulnerabilities in android system servicesGang gong, escalate privilege by vulnerabilities in android system services
Gang gong, escalate privilege by vulnerabilities in android system servicesPacSecJP
 
Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalPacSecJP
 
Qinghao vulnerabilities mining technology of cloud and virtualization platfo...
Qinghao  vulnerabilities mining technology of cloud and virtualization platfo...Qinghao  vulnerabilities mining technology of cloud and virtualization platfo...
Qinghao vulnerabilities mining technology of cloud and virtualization platfo...PacSecJP
 
Hyperchem bad barcode final_ja
Hyperchem  bad barcode final_jaHyperchem  bad barcode final_ja
Hyperchem bad barcode final_jaPacSecJP
 
Mickey, threats inside your platform final
Mickey,  threats inside your platform finalMickey,  threats inside your platform final
Mickey, threats inside your platform finalPacSecJP
 
Adam blue toot pacsec-2015-jp
Adam blue toot pacsec-2015-jpAdam blue toot pacsec-2015-jp
Adam blue toot pacsec-2015-jpPacSecJP
 
Stuart attacking http2 implementations truefinal-jp
Stuart  attacking http2 implementations truefinal-jpStuart  attacking http2 implementations truefinal-jp
Stuart attacking http2 implementations truefinal-jpPacSecJP
 

Andere mochten auch (20)

Adam Laurie, Blue Toot -pacsec-2015
Adam Laurie, Blue Toot -pacsec-2015Adam Laurie, Blue Toot -pacsec-2015
Adam Laurie, Blue Toot -pacsec-2015
 
Guang gong escalate privilege by vulnerabilities in android system services ...
Guang gong  escalate privilege by vulnerabilities in android system services ...Guang gong  escalate privilege by vulnerabilities in android system services ...
Guang gong escalate privilege by vulnerabilities in android system services ...
 
Mickey pac sec2016_final_ja
Mickey pac sec2016_final_jaMickey pac sec2016_final_ja
Mickey pac sec2016_final_ja
 
Marc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_jaMarc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_ja
 
James Forshaw, elevator action
James Forshaw, elevator actionJames Forshaw, elevator action
James Forshaw, elevator action
 
Richard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingRichard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzing
 
Richard high performance fuzzing ja
Richard  high performance fuzzing jaRichard  high performance fuzzing ja
Richard high performance fuzzing ja
 
James Windows10 elevator action final-jp
James Windows10 elevator action final-jpJames Windows10 elevator action final-jp
James Windows10 elevator action final-jp
 
Filippo, Plain simple reality of entropy
Filippo, Plain simple reality of  entropyFilippo, Plain simple reality of  entropy
Filippo, Plain simple reality of entropy
 
Georgi Geshev, warranty void if label removed
Georgi Geshev,   warranty void if label removedGeorgi Geshev,   warranty void if label removed
Georgi Geshev, warranty void if label removed
 
Andersson hacking ds_mx_with_sdr_pac_sec_2016_japanese
Andersson hacking ds_mx_with_sdr_pac_sec_2016_japaneseAndersson hacking ds_mx_with_sdr_pac_sec_2016_japanese
Andersson hacking ds_mx_with_sdr_pac_sec_2016_japanese
 
Martin Zeiser, Universal Pwn n Play - pacsec -final
Martin Zeiser, Universal Pwn n Play - pacsec -finalMartin Zeiser, Universal Pwn n Play - pacsec -final
Martin Zeiser, Universal Pwn n Play - pacsec -final
 
Martin UPnP - pacsec -final-ja
Martin UPnP - pacsec -final-jaMartin UPnP - pacsec -final-ja
Martin UPnP - pacsec -final-ja
 
Gang gong, escalate privilege by vulnerabilities in android system services
Gang gong, escalate privilege by vulnerabilities in android system servicesGang gong, escalate privilege by vulnerabilities in android system services
Gang gong, escalate privilege by vulnerabilities in android system services
 
Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__final
 
Qinghao vulnerabilities mining technology of cloud and virtualization platfo...
Qinghao  vulnerabilities mining technology of cloud and virtualization platfo...Qinghao  vulnerabilities mining technology of cloud and virtualization platfo...
Qinghao vulnerabilities mining technology of cloud and virtualization platfo...
 
Hyperchem bad barcode final_ja
Hyperchem  bad barcode final_jaHyperchem  bad barcode final_ja
Hyperchem bad barcode final_ja
 
Mickey, threats inside your platform final
Mickey,  threats inside your platform finalMickey,  threats inside your platform final
Mickey, threats inside your platform final
 
Adam blue toot pacsec-2015-jp
Adam blue toot pacsec-2015-jpAdam blue toot pacsec-2015-jp
Adam blue toot pacsec-2015-jp
 
Stuart attacking http2 implementations truefinal-jp
Stuart  attacking http2 implementations truefinal-jpStuart  attacking http2 implementations truefinal-jp
Stuart attacking http2 implementations truefinal-jp
 

Ähnlich wie Hyperchem Ma, badbarcode en_1109_nocomment-final

Workshop 2016 Genebank IT - Print Barcode
Workshop 2016 Genebank IT - Print BarcodeWorkshop 2016 Genebank IT - Print Barcode
Workshop 2016 Genebank IT - Print BarcodeEdwin Rojas
 
Feasibility of Security in Micro-Controllers
Feasibility of Security in Micro-ControllersFeasibility of Security in Micro-Controllers
Feasibility of Security in Micro-Controllersardiri
 
HITBSecConf 2016-Create Your Own Bad Usb
HITBSecConf 2016-Create Your Own Bad UsbHITBSecConf 2016-Create Your Own Bad Usb
HITBSecConf 2016-Create Your Own Bad UsbSeunghun han
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
Integrated development environment
Integrated development environmentIntegrated development environment
Integrated development environmentMakers of India
 
Embedded system design process
Embedded system design processEmbedded system design process
Embedded system design processRayees CK
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
 
Reversing Mobile - Swiss Cyber Storm 2011, Switzerland
Reversing Mobile - Swiss Cyber Storm 2011, SwitzerlandReversing Mobile - Swiss Cyber Storm 2011, Switzerland
Reversing Mobile - Swiss Cyber Storm 2011, SwitzerlandSignalSEC Ltd.
 
Tools Of The Hardware Hacking Trade Final
Tools Of The Hardware Hacking Trade FinalTools Of The Hardware Hacking Trade Final
Tools Of The Hardware Hacking Trade FinalPriyanka Aash
 
Is Rust Programming ready for embedded development?
Is Rust Programming ready for embedded development?Is Rust Programming ready for embedded development?
Is Rust Programming ready for embedded development?Knoldus Inc.
 
Arduino by yogesh t s'
Arduino by yogesh t s'Arduino by yogesh t s'
Arduino by yogesh t s'tsyogesh46
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Priyanka Aash
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and TechniquesBala Subra
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging TechniquesBala Subra
 
Typhoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitTyphoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitDimitry Snezhkov
 
2015 02 28 DotNetSpain IoT Fight
2015 02 28 DotNetSpain IoT Fight2015 02 28 DotNetSpain IoT Fight
2015 02 28 DotNetSpain IoT FightBruno Capuano
 
Testing curl for security
Testing curl for securityTesting curl for security
Testing curl for securityDaniel Stenberg
 

Ähnlich wie Hyperchem Ma, badbarcode en_1109_nocomment-final (20)

Workshop 2016 Genebank IT - Print Barcode
Workshop 2016 Genebank IT - Print BarcodeWorkshop 2016 Genebank IT - Print Barcode
Workshop 2016 Genebank IT - Print Barcode
 
Feasibility of Security in Micro-Controllers
Feasibility of Security in Micro-ControllersFeasibility of Security in Micro-Controllers
Feasibility of Security in Micro-Controllers
 
HITBSecConf 2016-Create Your Own Bad Usb
HITBSecConf 2016-Create Your Own Bad UsbHITBSecConf 2016-Create Your Own Bad Usb
HITBSecConf 2016-Create Your Own Bad Usb
 
Barcode technology
Barcode technologyBarcode technology
Barcode technology
 
Barcode Decoder
Barcode DecoderBarcode Decoder
Barcode Decoder
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
 
Integrated development environment
Integrated development environmentIntegrated development environment
Integrated development environment
 
Embedded system design process
Embedded system design processEmbedded system design process
Embedded system design process
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
 
IOT Exploitation
IOT Exploitation	IOT Exploitation
IOT Exploitation
 
Reversing Mobile - Swiss Cyber Storm 2011, Switzerland
Reversing Mobile - Swiss Cyber Storm 2011, SwitzerlandReversing Mobile - Swiss Cyber Storm 2011, Switzerland
Reversing Mobile - Swiss Cyber Storm 2011, Switzerland
 
Tools Of The Hardware Hacking Trade Final
Tools Of The Hardware Hacking Trade FinalTools Of The Hardware Hacking Trade Final
Tools Of The Hardware Hacking Trade Final
 
Is Rust Programming ready for embedded development?
Is Rust Programming ready for embedded development?Is Rust Programming ready for embedded development?
Is Rust Programming ready for embedded development?
 
Arduino by yogesh t s'
Arduino by yogesh t s'Arduino by yogesh t s'
Arduino by yogesh t s'
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging Techniques
 
Typhoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitTyphoon Managed Execution Toolkit
Typhoon Managed Execution Toolkit
 
2015 02 28 DotNetSpain IoT Fight
2015 02 28 DotNetSpain IoT Fight2015 02 28 DotNetSpain IoT Fight
2015 02 28 DotNetSpain IoT Fight
 
Testing curl for security
Testing curl for securityTesting curl for security
Testing curl for security
 

Mehr von PacSecJP

Kavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalKavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalPacSecJP
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02PacSecJP
 
Ryder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jpRyder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jpPacSecJP
 
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-jYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-jPacSecJP
 
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_finalYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_finalPacSecJP
 
Rouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jpRouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jpPacSecJP
 
Rouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsecRouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsecPacSecJP
 
Di shen pacsec_jp-final
Di shen pacsec_jp-finalDi shen pacsec_jp-final
Di shen pacsec_jp-finalPacSecJP
 
Di shen pacsec_final
Di shen pacsec_finalDi shen pacsec_final
Di shen pacsec_finalPacSecJP
 
Anıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-jaAnıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-jaPacSecJP
 
Anıl kurmuş pacsec3
Anıl kurmuş pacsec3Anıl kurmuş pacsec3
Anıl kurmuş pacsec3PacSecJP
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...PacSecJP
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...PacSecJP
 
Yunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jpYunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jpPacSecJP
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2PacSecJP
 
Shusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jpShusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jpPacSecJP
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026PacSecJP
 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finPacSecJP
 
Lucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-finalLucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-finalPacSecJP
 
Lucas apa pacsec slides
Lucas apa pacsec slidesLucas apa pacsec slides
Lucas apa pacsec slidesPacSecJP
 

Mehr von PacSecJP (20)

Kavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalKavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-final
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
 
Ryder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jpRyder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jp
 
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-jYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
 
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_finalYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
 
Rouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jpRouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jp
 
Rouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsecRouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsec
 
Di shen pacsec_jp-final
Di shen pacsec_jp-finalDi shen pacsec_jp-final
Di shen pacsec_jp-final
 
Di shen pacsec_final
Di shen pacsec_finalDi shen pacsec_final
Di shen pacsec_final
 
Anıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-jaAnıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-ja
 
Anıl kurmuş pacsec3
Anıl kurmuş pacsec3Anıl kurmuş pacsec3
Anıl kurmuş pacsec3
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
 
Yunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jpYunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jp
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2
 
Shusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jpShusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jp
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026
 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_fin
 
Lucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-finalLucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-final
 
Lucas apa pacsec slides
Lucas apa pacsec slidesLucas apa pacsec slides
Lucas apa pacsec slides
 

Kürzlich hochgeladen

Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationMarko4394
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxmibuzondetrabajo
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxMario
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
Internet of Things Presentation (IoT).pptx
Internet of Things Presentation (IoT).pptxInternet of Things Presentation (IoT).pptx
Internet of Things Presentation (IoT).pptxErYashwantJagtap
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 

Kürzlich hochgeladen (15)

Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentation
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptx
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
Internet of Things Presentation (IoT).pptx
Internet of Things Presentation (IoT).pptxInternet of Things Presentation (IoT).pptx
Internet of Things Presentation (IoT).pptx
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 

Hyperchem Ma, badbarcode en_1109_nocomment-final

  • 1. BadBarcode: How to hack a starship with a piece of paper Hyperchem Ma Tencent’s Xuanwu Lab http://xlab.tencent.com @XuanwuLab
  • 2. Who am I ? Security Researcher @ – Embedded Device Security – Firmware Reverse-Engineering – Big Fan of IoT
  • 3. Wait, hack a starship?
  • 4. 4
  • 5.
  • 6.
  • 8. Though often be ignored, barcode is the most ancient technology of IoT.
  • 9. What is barcode? •  Barcode is an optical machine-readable representation of data relating to the object to which it is attached; •  Originally barcodes(1D) systematically represented data by varying the widths and spacings of parallel lines.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14. Barcode Symbology •  Every barcode includes: – Quiet Zone: Blank margin, No Information, Tell where barcode starts and stops; – Start character(s): Special pattern for barcode starts; – Data: Includes Numeric, Alpha-Numeric, Full ASCII chars depending on different barcode protocols; – Stop character(s): Special pattern for barcode ends. •  Some barcode have checksum bits/character(s)
  • 17. How Barcode Scanner Work Capturing Decoding Transferring RS232 PS/2 USB HID … Code 39 Code 128 QR Code … LED Laser CCD CMOS …
  • 19. Code 128 •  Full ASCII Encode Ability, Effictive and High-Density •  4 Function Codes Availiable For Manufacture •  Three Character Sets: CodeA,CodeB,CodeC – Unprintable ASCII can be encoded by CodeA – CodeC encodes only two-digit numbers – CharSets are chosen automatically – Encoder can hybridize three code sets
  • 20. In addition to supporting standard protocols, many manufacturers also typically implement some of their unique features in scanners.
  • 21. Scanner Manufactures •  Symbol (Zebra) •  HoneyWell •  TaoTronics •  ESky •  ACCESS IS •  UNITECH •  AIBO •  Newland •  Copycat products
  • 22. Barcode Scanner Is Everywhere
  • 23.
  • 24. Previous Work on Barcodes Security
  • 25. “Toying with Barcodes”, Phenoelit, 24C3 •  Barcode driven buffer overflow •  Barcode driven format string •  Barcode driven SQL injection •  Barcode driven XSS
  • 26. Other Scenarios •  Predict and recreate barcodes •  Duplicate barcodes •  Phishing attacks by QR code However, most of previous research focused on the application that do not properly process data from barcodes
  • 28. What is BadBarcode? •  Many barcode scanners are keyboard emulation device •  Some barcode protocols, like Code 128, supports ASCII control characters •  Almost every barcode scanner support Code 128 •  Almost every barcode scanner has its own additional keyboard emulation features So, is it possible to open a shell and “type” commands by barcodes like a keyboard?
  • 29. ASCII Table Hex ASCII Scan code Hex ASCII Scan code Hex ASCII Scan code 00 NUL CTRL+2 0B VT CTRL+K 16 SYN CTRL+V 01 SOH CTRL+A 0C FF CTRL+L 17 TB CTRL+W 02 STX CTRL+B 0D CR CTRL+M 18 CAN CTRL+X 03 ETX CTRL+C 0E SO CTRL+N 19 EM CTRL+Y 04 EOT CTRL+D 0F SI CTRL+O 1A SUB CTRL+Z 05 ENQ CTRL+E 10 DLE CTRL+P 1B ESC CTRL+[ 06 ACK CTRL+F 11 DC1 CTRL+Q 1C FS CTRL+ 07 BEL CTRL+G 12 DC2 CTRL+R 1D GS CTRL+] 08 BS CTRL+H 13 DC3 CTRL+S 1E RS CTRL+6 09 HT CTRL+I 14 DC4 CTRL+T 1F US CTRL+- 0A LF CTRL+J 15 NAK CTRL+U 7F DEL *
  • 30. ASCII Control Characters •  Combination key, like "Ctrl+ ", is mapped to a single ASCII code •  Encode these chars with Code 128 ,scan it with scanner, and finally a combination key was sent to computer •  No Win keys, Alt keys, or other function keys support •  Though only “Ctrl+*” keys can be sent, it still poses threat to kiosks! WHY?
  • 31. Dialog Attack •  Common Hotkeys are registered by many programs, like: CTRL+O, CTRL+P •  Hotkeys can launch common dialogs, like OpenFile, SaveFile, PrintDialog and etc •  These dialogs offer us opportunity to browse file system, launch browsers and execute program •  And the most essential thing is "Besides barcode scanner, touch screen is often available as input device in kiosks."
  • 32. Demo 1: Dialog Attack
  • 33. What about Win+R? If there is no touch screen, is it possible to make a blind attack?
  • 34. ADF(Advanced Data Formatting) •  Symbol Technologies Invent this •  Scanned data can be edited to suit particular requirements before transmitted to host device •  Specified Key can be sent to computer •  Set up ONLY by scanning barcodes!
  • 35. ADF Actions Examples Send data Send all or part of data Setup fields Move cursor Modify data Remove spaces and others Data padding Pad data with space or zero Beep Beep 1,2,3 times Send Keystrokes Send ctrl+, alt+,shft+ etc keys. Send GUI Keys Send GUI+ keys. Send Right Control Send right contrl stroke.
  • 36. Demo 2: ADF Attack
  • 37. Unfortunately, not all scanners support read barcodes from LCD/LED screen. Can this attack be cooler ? Can we do it automatically? What about making an android APP?
  • 38. Though scanners which read barcodes from LCD/LED screen exist, many of them read barcodes from materials which can absorb and reflect light of certain wavelength. However, LCD/LED screen display images by modulating backlight rather absorbing and reflecting lights, which means total black for barcode scanners.
  • 39. Display Technology •  CRT •  LCD •  OLED •  Electronic Paper
  • 40. The answer is Kindle •  Kindle use E-ink technology •  It display words and images based on absorb and reflect light, just like a paper •  High Resolution, Up to 300 PPI •  Programmable, of course after Jailbreak. Kindle is perfect BadBarcode tool !
  • 42. Can we execute a command by only one single barcode? Yes, for some products, it is possible
  • 43. But, the product in the next demo is widely used in many really serious places, like airports, so we would not disclose details this time Let’s just see the demo
  • 44. Demo 4: A Piece of Paper Attack
  • 45. Summary BadBarcode is not a vulnerability of a certain product. It’s even difficult to say that BadBarcode is the problem of scanners or host systems. So when we discovered BadBarcode, we even do not know which manufacturer should be reported. Although our demos is based on Windows, but in fact it can attack any system as long as there is appropriate hotkey.
  • 46. Summary •  BadBarcode is really a serious problem •  Host system using keyboard emulation barcode scanner is potentially vulnerable •  Kiosks with touch screen and barcode scanner are easy to be compromised •  Barcode scanner that support ADF or some special keyboard emulation features can be utilized to achieve automatic and advanced attack •  Other device via keyboard emulation connection might suffer from the same problem •  Keyboard Wedge RFID/NFC Reader ?
  • 47. Security Suggestions •  For barcode scanner manufactures – Do NOT enable ADF or other additional features by default – Do NOT transmit ASCII control characters to host device by default •  For host system manufactures – Do NOT use keyboard emulation barcode scanner as far as possible – Do NOT implement hotkeys in application, and disable system hotkeys
  • 48. Acknowledgement •  My leader : tombkeeper •  All team members in Xuanwu Lab
  • 49. Q&A