Threat Post But like other technologies supporting the so-called Internet of Things, there are bound to be vulnerabilities and there are bound to be white hats and black hats poking about. by Michael Mimoso
'Case in point is this week’s PanSec 2015 Conference in Tokyo where researchers with Tencent’s Xuanwu Lab demonstrated a number of attacks using poisoned barcodes scanned by numerous keyboard wedge barcode scanners to open a shell on a machine and virtually type control commands. The attacks, dubbed BadBarcode, are relatively simple to carry out, and the researchers behind the project said it’s difficult to pinpoint whether the scanners or host systems need to be patched, or both—or neither.
'“We do not know what the bad guys might do. BadBarcode can execute any commands in the host system, or [implant] a Trojan,” said Yang Yu, who collaborated with colleague Hyperchem Ma. Yu, last year, was rewarded with a $100,000 payout from Microsoft’s Mitigation Bypass Bounty for a trio of ASLR and DEP bypasses. “So basically you can do anything with BadBarcode.”
'Yu said his team was able to exploit the fact that most barcodes contain not only numeric and alphanumeric characters, but also full ASCII characters depending on the protocol being used. Barcode scanners, meanwhile, are essentially keyboard emulators and if they support protocols such as Code128 which support ASCII control characters, an attacker could create a barcode that is read and opens a shell on the computer to which the commands are sent.'