24C3: Barcode systems susceptible to serious hacker attacks

By Stefan Krempl
Heise Security

Experts say that the barcodes our highly automated business world could 
now hardly do without often display serious security holes. In 
particular, one- or two-dimensional systems of barcodes and matrix codes 
are open to common hacker attacks and to experiments that have had 
variable results. This was stated by "FX" of the Phenoelit group at the 
24th Chaos Communication Congress (24C3) in Berlin on Friday evening. 
Frequently, he said, all you had to do was simply copy "used" barcodes 
in a copyshop, or scan them in and print them out.

The idea of doing deeper scientific research into the world of barcodes 
occurred to Phenoelit's security testers after they had their own fingers 
burnt in exactly this way. At one of their "PH Neutral" conferences they used 
one-dimensional barcodes on the admission cards which were coupled with 
a payment function for buying drinks and could be loaded up with credit. 
One of the resourceful visitors to the meeting simply copied one of 
these "alcohol coupons". According to FX, his only error was to do it 
with the pass of the only drinker who had already exhausted his credit.

Undaunted by this early mistake, the hackers experimented eagerly from 
then on, initially working on one-dimensional barcodes. These had been 
developed in 1948 and, in the form of the European Article Number, EAN 
(in the USA, the Universal Product Code, UPC), were the basis of the 
scanner checkouts that first appeared in the 1970s. The hackers 
found out that a season ticket to a multistorey car park in Dresden was 
based on a simple barcode and the tickets issued were not checked by a 
background computer system, making it easy to get free parking.

FX said that in Germany there was also a similar lack of feedback 
between automatic returnable bottle machines and dealers' point-of-sale 
systems. Another presentation at the congress had already brought this 
to the attention of desperate budget hackers. This, he said, had been 
discovered long ago by the capital's punks. It had emerged at the same 
time, he went on, that five digits in the sequence of numbers below the 
barcode on the credit slips issued by these automatic machines gave the 
value of the empties. So, in theory, you could not only copy the slips, 
but also generate your own figures, and these could even be for quite 
high values. But, he added, the retailing chains were now, as a rule, 
printing the deposit values on watermarked paper in order to bar that 
kind of activity.

Anyone who wants more details of the origin of barcodes and how they are 
read out - one-dimensional barcodes at least - can find a wide range of 
software for generating those character strings that look so cryptic at 
first sight, such as the freely available program GNU Barcode. FX 
emphasized that it was not difficult to write your own generator. The 
specifications for individual barcodes that were required for doing it 
could be had, he said, for around 20 USD. On the other hand, he said, 
readers and scanners for deciphering two-dimensional barcodes were still 
comparatively expensive, whereas the decoding software was either free, 
easy to acquire, or easy to crack. Reconfiguring the scanners was also 
an easy task, he added. They could be linked to a keyboard or via a 
serial interface to a computer.

Thus equipped, FX tested the access system of an automatically operated 
DVD hire shop near his home. This actually demanded a biometric check as 
well, but he simply refused it. There remained a membership card with 
barcode, membership number and PIN. After studying the significance of 
the bar sequences and the linear digit combinations underneath, FX 
managed to obtain DVDs that other clients had already paid for, but had 
not yet taken away. Automated attacks on systems were also possible, he 
claimed. But you had to remember not to use your own membership number.

Scanners, too, proved to be open to common hacker attacks. FX described 
the fundamental principles behind a variety of attacks. "Let's suppose 
you get 14 digits out of the reading process. But at the same time you 
can insert your own digits arbitrarily". This, he said, would let you 
exploit holes connected with SQL databases in the back-end area (SQL 
Injection) or carry out Format String Attacks. The newer the reader, the 
more complicated would be the systems working in the background and the 
easier it would be to hack them. By printing out barcodes at increased 
resolution and simultaneously inserting surplus character strings, you 
could moreover flood the database memory and bring it to a standstill 
with buffer overflows.
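
As an added illustration of the defensive side of this point (not code from the talk or from Heise), the sketch below treats scanner output as untrusted input: it bounds the length, accepts only a well-formed EAN-13, and passes the value to the database as a bound parameter. The table name, the length limit and the sample article are assumptions constructed for the example.

```python
import re
import sqlite3

MAX_SCAN_LEN = 64  # assumed upper bound on raw scanner output


def ean13_valid(code: str) -> bool:
    """True only for exactly 13 ASCII digits with a correct EAN-13 check digit."""
    if not re.fullmatch(r"[0-9]{13}", code):
        return False
    digits = [int(c) for c in code]
    # Weights alternate 1, 3 from the left over the first 12 digits.
    total = sum(d * (3 if i % 2 else 1) for i, d in enumerate(digits[:12]))
    return (10 - total % 10) % 10 == digits[12]


def lookup(conn, raw_scan: str):
    """Validate what the scanner delivered, then query with a bound parameter."""
    if len(raw_scan) > MAX_SCAN_LEN:
        raise ValueError("scan too long")        # oversized print-outs stop here
    code = raw_scan.strip()                      # scanners often append CR/LF
    if not ean13_valid(code):
        raise ValueError("not a valid EAN-13")   # quotes, %n, extra digits, ...
    row = conn.execute(
        "SELECT name FROM articles WHERE ean = ?", (code,)
    ).fetchone()
    return row[0] if row else None


def demo_db():
    """In-memory database with one constructed sample article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (ean TEXT PRIMARY KEY, name TEXT)")
    conn.execute(
        "INSERT INTO articles VALUES ('4006381333931', 'constructed sample item')"
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(lookup(db, "4006381333931\r\n"))
```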

According to FX, particularly gaping security holes can be found in most 
forms of "Mobile Tagging". Using a mobile phone incorporating a camera, 
a two-dimensional barcode such as QR or DataMatrix is photographed, 
decoded on the mobile phone with commercially available software, and 
the information derived is passed on. This is mainly intended to save 
the user having to type in lengthy Web addresses on a small mobile-phone 
keyboard. The Semapedia technique for linking public sights with 
Wikipedia entries uses this process, as do more and more newspapers 
wanting to send mobile surfers to their online content or to 
advertisements on the Internet.

In Germany, "Welt kompakt" is among the pioneers in mobile tagging, 
something the Phenoelit experts have not overlooked. They discovered 
that the mechanism is ideal for Cross Site Scripting (XSS). This is an 
attack that normally exploits vulnerabilities in Web sites. 
Untrusted content, perhaps in the form of harmful script code, is 
embedded in a page that is presented to the user and that the user 
regards, in principle, as trustworthy. Passwords or account data, for 
example, can be captured by phishing. With "cross newspaper scripting" 
on the mobile phone you would only have to "rent" one barcode place in a 
print product and put a link behind it to a kit containing malicious 
software - and that would give you some form of control over large 
numbers of iPhones and other mobile devices.

The boarding passes that are now commonly printed out from the Internet, 
containing two-dimensional codes to indicate the flight and booking 
numbers as well as the class of seat, are favourite playgrounds 
according to FX. By linking to the barcodes on baggage labels, you could 
use them to foist the wrong suitcases, perhaps filled with bomb 
materials, on passengers, thus branding them as potential terrorists. 
The two-dimensional codes used by many postal organizations as 
substitutes for postage stamps are also open for experiments according 
to FX. The Phenoelites say that, by contrast, they have so far been 
unsuccessful in their attempts to crack the package collection slips 
used at the German Post Office's parcel stations, and the online tickets 
used by German railways. The two-dimensional codes of the latter have 
clearly been secured additionally with encryption methods, said FX, and 
this was something he strongly urged as a general practice for the 
proponents of automation. A check on the correctness of the processing 
sequence was moreover indispensable with all barcode systems.
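
The closing recommendation, and the deposit-slip weakness described earlier, can be illustrated with an added example (not from the talk, and not a description of what German railways or any retailer actually use). It swaps in a keyed MAC rather than encryption so that a changed value is rejected, and keeps back-end state so that a copied slip is only honoured once. The payload layout, key and tag length are assumptions.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: known only to issuer and back end
TAG_DIGITS = 10                # assumption: short numeric tag that fits a barcode


def tag_for(body: str) -> str:
    """Decimal tag derived from HMAC-SHA256 over the slip body."""
    mac = hmac.new(KEY, body.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**TAG_DIGITS).zfill(TAG_DIGITS)


def issue(serial: int, cents: int) -> str:
    """Payload = 8-digit serial + 5-digit value + 10-digit tag."""
    body = f"{serial:08d}{cents:05d}"
    return body + tag_for(body)


class Backend:
    """Point-of-sale side: checks the tag and redeems each serial once."""

    def __init__(self):
        self.redeemed = set()

    def redeem(self, payload: str) -> int:
        if len(payload) != 23 or not payload.isascii() or not payload.isdigit():
            raise ValueError("malformed")
        body, tag = payload[:13], payload[13:]
        if not hmac.compare_digest(tag, tag_for(body)):
            raise ValueError("bad tag")            # value or serial was altered
        serial = body[:8]
        if serial in self.redeemed:
            raise ValueError("already redeemed")   # copy of a used slip
        self.redeemed.add(serial)
        return int(body[8:])


if __name__ == "__main__":
    pos = Backend()
    slip = issue(42, 125)
    print(slip, pos.redeem(slip))
```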
