By Stefan Krempl
Experts say that the barcodes our highly automated business world could now hardly do without often have serious security holes. In particular, the one-dimensional barcodes and two-dimensional matrix codes in common use are open to standard hacker attacks, and experiments on them have produced a variety of results. This was stated by "FX" of the Phenoelit group at the 24th Chaos Communication Congress (24C3) in Berlin on Friday evening. Frequently, he said, all you had to do was copy "used" barcodes in a copy shop, or scan them in and print them out again.
The idea of doing deeper research into the world of barcodes occurred to Phenoelit's security testers after they had burnt their own fingers on it. At one of their "PH Neutral" conferences they used admission cards with one-dimensional barcodes, which were coupled with a payment function for buying drinks and could be loaded with credit. One resourceful visitor simply copied one of these "alcohol coupons". According to FX, his only error was to copy the pass of the one drinker who had already exhausted his credit.
Undaunted by this early setback, the hackers experimented eagerly from then on, initially with one-dimensional barcodes. These were developed in 1948 and, in the form of the European Article Number (EAN) and its US counterpart, the Universal Product Code (UPC), became the basis of the scanner checkouts that first appeared in the 1970s. The hackers found that a season ticket for a multistorey car park in Dresden was based on a simple barcode, and that the tickets issued were not checked against any back-end computer system, making it easy to get free parking.
FX said that in Germany there was a similar lack of feedback between automatic bottle-return machines and retailers' point-of-sale systems. Another talk at the congress had already brought this to the attention of hackers on a tight budget; the capital's punks, he said, had discovered it long ago. It had also emerged that five digits in the number sequence printed below the barcode on the deposit slips issued by these machines encoded the value of the empties. So, in theory, you could not only copy the slips but also generate your own, even for quite high values. He added, however, that the retail chains now, as a rule, printed deposit slips on watermarked paper to prevent that kind of activity.
Anyone who wants to know more about the origin of barcodes and how they are read, at least for one-dimensional barcodes, will find a wide range of software for generating those stripe patterns that look so cryptic at first sight, such as the freely available GNU Barcode. FX emphasized that it was not difficult to write your own generator: the specifications of the individual symbologies needed to do so could be had for around 20 USD. Readers and scanners for two-dimensional codes, on the other hand, were still comparatively expensive, whereas the decoding software was either free, easy to acquire or easy to crack. Reconfiguring the scanners was also an easy task, he added. They could be connected to a computer via the keyboard interface or a serial port.
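To make that point concrete, here is an added example, written for this article and not FX's or GNU Barcode's code: a complete EAN-13 encoder and decoder in Python. It shows that the whole symbology fits on a page (the L, G and R digit tables, the parity scheme that carries the unprinted thirteenth digit, and the check digit), so a printed barcode contains no secret that copying or regenerating it would have to defeat. The sample numbers are ordinary EAN-13 numbers used for illustration.

```python
# EAN-13 encoder/decoder. Added example for this article, not FX's or GNU Barcode's code.
# The tables are the public EAN/UPC symbology: 7 modules per digit, '1' = bar, '0' = space.
L_CODES = ["0001101", "0011001", "0010011", "0111101", "0100011",
           "0110001", "0101111", "0111011", "0110111", "0001011"]
R_CODES = ["".join("1" if m == "0" else "0" for m in p) for p in L_CODES]  # right half: inverse of L
G_CODES = [p[::-1] for p in R_CODES]                                        # even-parity left digits
# The L/G parity pattern of the six left-hand digits encodes the (unprinted) first digit.
PARITY = ["LLLLLL", "LLGLGG", "LLGGLG", "LLGGGL", "LGLLGG",
          "LGGLLG", "LGGGLL", "LGLGLG", "LGLGGL", "LGGLGL"]
START = END = "101"
CENTER = "01010"


def check_digit(first12: str) -> int:
    """Weights 1,3,1,3,... over the first twelve digits; the result makes the total a multiple of 10."""
    total = sum(int(c) * (3 if i % 2 else 1) for i, c in enumerate(first12))
    return (10 - total % 10) % 10


def encode(number: str) -> str:
    """Thirteen digits -> 95-module bar/space string. Rejects a wrong check digit."""
    if len(number) != 13 or not number.isdigit():
        raise ValueError("EAN-13 needs exactly 13 digits")
    if int(number[12]) != check_digit(number[:12]):
        raise ValueError("check digit mismatch")
    pattern = PARITY[int(number[0])]
    left = "".join((L_CODES if p == "L" else G_CODES)[int(c)]
                   for p, c in zip(pattern, number[1:7]))
    right = "".join(R_CODES[int(c)] for c in number[7:])
    return START + left + CENTER + right + END


def decode(modules: str) -> str:
    """95-module string -> thirteen digits, recovering the first digit from the parity pattern."""
    if len(modules) != 95 or modules[:3] != START or modules[45:50] != CENTER or modules[-3:] != END:
        raise ValueError("framing error: guard or centre pattern not found")
    digits, parity = [], ""
    for i in range(6):                      # six left-hand digits, each L (odd) or G (even) parity
        chunk = modules[3 + 7 * i: 10 + 7 * i]
        if chunk in L_CODES:
            digits.append(L_CODES.index(chunk))
            parity += "L"
        elif chunk in G_CODES:
            digits.append(G_CODES.index(chunk))
            parity += "G"
        else:
            raise ValueError(f"unknown left-hand symbol {chunk}")
    for i in range(6):                      # six right-hand digits, always R
        chunk = modules[50 + 7 * i: 57 + 7 * i]
        if chunk not in R_CODES:
            raise ValueError(f"unknown right-hand symbol {chunk}")
        digits.append(R_CODES.index(chunk))
    number = str(PARITY.index(parity)) + "".join(map(str, digits))
    if int(number[12]) != check_digit(number[:12]):
        raise ValueError("check digit mismatch")
    return number


if __name__ == "__main__":
    sample = "5901234123457"               # illustrative EAN-13 number
    bars = encode(sample)
    print(bars)                            # 95 characters, print each '1' as a bar to get the label
    print(decode(bars) == sample)
```

Printing the 95-module string with a narrow bar for each '1' and a space for each '0' yields a scannable label, which is all the copy-shop attack in the talk amounts to.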
Thus equipped, FX tested the access system of an automated DVD rental shop near his home. This actually demanded a biometric check as well, but he simply declined it, which left a membership card with a barcode, a membership number and a PIN. After studying the significance of the bar sequences and the digit strings printed beneath them, FX managed to obtain DVDs that other customers had already paid for but not yet collected. Automated attacks on such systems were also possible, he claimed; you just had to remember not to use your own membership number.
The scanners themselves also proved open to common hacker attacks, and FX described the principles behind a variety of them. "Let's suppose you get 14 digits out of the reading process. But at the same time you can insert your own digits arbitrarily." That, he said, would let you exploit holes in the SQL databases at the back end (SQL injection) or carry out format string attacks. The newer the reader, the more complex the systems working behind it, and the easier they were to hack. By printing barcodes at higher resolution, so that more characters fit into the same space, and padding them with surplus strings, you could moreover overflow buffers in the back-end systems and bring them to a standstill.
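The point that a scanner is just another input device can be shown in a few lines. The following is an added example, mine rather than FX's: a sqlite3-backed product lookup with the scanned string first spliced into the SQL text, then bound as a parameter after being validated as a well-formed EAN-13 symbol. The product table and the scan strings are constructed for the example. The hostile scan assumes a symbology that can carry arbitrary ASCII, such as Code 128, and a scanner that hands the decoded text to the application unaltered, for instance as keyboard input.

```python
import re
import sqlite3

# Constructed sample catalogue for the example; not data from the talk.
PRODUCTS = [
    ("4006381333931", "Highlighter", 199),
    ("5901234123457", "Notebook", 349),
]


def ean13_check_digit(first12: str) -> int:
    """Weights 1,3,1,3,... over the first twelve digits."""
    total = sum(int(c) * (3 if i % 2 else 1) for i, c in enumerate(first12))
    return (10 - total % 10) % 10


def is_valid_ean13(scan: str) -> bool:
    """Structural check the back end should make before trusting anything the scanner emitted."""
    return bool(re.fullmatch(r"\d{13}", scan)) and int(scan[12]) == ean13_check_digit(scan[:12])


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (ean TEXT PRIMARY KEY, name TEXT, price_cents INTEGER)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)", PRODUCTS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, scan: str) -> list:
    """Vulnerable: the decoded barcode text is spliced straight into the SQL statement,
    so a printed code containing SQL metacharacters rewrites the query."""
    sql = f"SELECT ean, name, price_cents FROM product WHERE ean = '{scan}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, scan: str) -> list:
    """Hardened: reject anything that is not a well-formed EAN-13, then bind the value
    as a parameter so the database never interprets it as SQL."""
    if not is_valid_ean13(scan):
        return []
    return conn.execute(
        "SELECT ean, name, price_cents FROM product WHERE ean = ?", (scan,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    genuine = "4006381333931"                # a normal scan
    hostile = "x' OR '1'='1"                 # what a Code 128 label can carry; constructed here
    print(lookup_unsafe(db, genuine))        # one row
    print(lookup_unsafe(db, hostile))        # every row: the WHERE clause has been rewritten
    print(lookup_safe(db, hostile))          # []: rejected before it reaches the database
    print(lookup_safe(db, "4006381333930"))  # []: check digit wrong, rejected
```

The validation step is what keeps the hardened version honest even where a back end cannot be converted to bound parameters: a 13-digit string with a correct check digit leaves no room for quotes, format specifiers or oversized payloads.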
According to FX, particularly gaping security holes can be found in most forms of "mobile tagging". A two-dimensional code such as a QR code or DataMatrix is photographed with a camera phone, decoded on the phone with commercially available software, and the information it contains, typically a web address, is handed on to the browser. This is mainly intended to spare users typing lengthy web addresses on a small phone keypad. The Semapedia project, which links public landmarks to Wikipedia entries, uses this process, as do more and more newspapers wanting to send mobile readers to their online content or to advertisements on the Internet.
In Germany, "Welt kompakt" is among the pioneers of mobile tagging, something the Phenoelit experts have not overlooked. They discovered that the mechanism is ideal for cross-site scripting (XSS), an attack that normally exploits vulnerabilities in websites: untrusted input, perhaps in the form of malicious script code, is embedded in a page that the user in principle classifies as trustworthy, and passwords or account data, for example, can then be captured by phishing. With "cross newspaper scripting" on the mobile phone, you would only have to "rent" one barcode slot in a print product and put behind it a link to a kit of malicious software, and that would give you some degree of control over large numbers of iPhones and other mobile devices.
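What a tag reader does with the decoded text is the entire attack surface described above. As an added example (not code from the article, from Semapedia or from any reader vendor), the function below shows the policy a careful reader application could apply before opening anything: treat non-URLs as text, refuse schemes other than http and https (a javascript: or data: URL would execute in the browser), refuse URLs that place a trusted-looking name in the userinfo part in front of the real host, open allow-listed publishers directly, and show every other URL in full and ask before opening it. The allow-list and the sample payloads are constructed for the example.

```python
from urllib.parse import urlparse

# Hypothetical allow-list of publishers the reader trusts; constructed for the example.
TRUSTED_HOSTS = {"de.wikipedia.org", "en.wikipedia.org"}


def classify_tag(decoded: str) -> tuple:
    """Decide what to do with the text decoded from a QR or DataMatrix code.

    Returns (verdict, detail) where verdict is one of:
      "text"     - not a URL, just display it
      "block"    - a URL the reader must not open
      "trusted"  - http(s) URL on an allow-listed host, may be opened directly
      "confirm"  - any other http(s) URL: show it in full and ask before opening
    """
    payload = decoded.strip()
    try:
        url = urlparse(payload)
    except ValueError as exc:              # e.g. a malformed IPv6 literal
        return ("block", f"unparseable URL: {exc}")
    if not url.scheme:
        return ("text", payload)
    if url.scheme not in ("http", "https"):
        return ("block", f"scheme {url.scheme!r} not allowed")
    if url.username is not None or url.password is not None:
        # "https://de.wikipedia.org@evil.example/" shows a trusted name but goes elsewhere
        return ("block", "credentials in URL")
    host = url.hostname or ""
    if not host:
        return ("block", "no host")
    if host in TRUSTED_HOSTS:
        return ("trusted", url.geturl())
    return ("confirm", url.geturl())


if __name__ == "__main__":
    # Constructed payloads, as a tag reader might decode them from printed codes.
    for sample in [
        "https://de.wikipedia.org/wiki/Brandenburger_Tor",
        "http://news.example/mobil/artikel/123",
        "javascript:alert(document.cookie)",
        "https://de.wikipedia.org@evil.example/kit",
        "Brandenburger Tor",
    ]:
        print(sample, "->", classify_tag(sample))
```

The "confirm" verdict is the important one for the newspaper scenario: a rented barcode slot can point anywhere, so a reader that opens every decoded URL silently turns a page of newsprint into a drive-by link.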
The boarding passes now commonly printed out at home, with two-dimensional codes carrying the flight and booking numbers as well as the seat class, are a favourite playground according to FX. By linking them to the barcodes on baggage labels, you could use them to foist the wrong suitcases, perhaps filled with bomb materials, on passengers, thus branding them as potential terrorists.
The two-dimensional codes used by many postal organizations as substitutes for postage stamps are also open to experiments, according to FX. The Phenoelit members say, by contrast, that they have so far been unsuccessful in their attempts to crack the collection slips used at the German Post Office's parcel stations and the online tickets of the German railways. The two-dimensional codes on the latter have clearly been secured with additional cryptography, said FX, something he strongly urged as general practice on the proponents of automation. A back-end check on the processing sequence, so that a copied or replayed code is noticed, was moreover indispensable for every barcode system.
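What "securing the codes" and "checking the processing sequence" look like in practice can be sketched in a few lines. The following is an added example, not the railway's or the postal service's scheme and not code from the talk: a bottle-return machine puts a slip ID and a value into the code together with an HMAC-SHA256 tag over both, and the till's back end verifies the tag and remembers which slip IDs it has already paid out. The article speaks of encryption; a message authentication code is used here because the goal is that nobody without the key can alter the value field or mint new slips, which is exactly what the deposit-slip attack described earlier relied on. The key, slip IDs and values are constructed for the example.

```python
import hashlib
import hmac

# Hypothetical issuer key shared by the return machines and the till back end; constructed here.
ISSUER_KEY = b"demo-issuer-key-change-me"
TAG_LEN = 16                                # hex characters of the HMAC kept in the code


def _tag(body: str, key: bytes) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def issue_slip(slip_id: str, value_cents: int, key: bytes = ISSUER_KEY) -> str:
    """Text a return machine would put into the slip's code: id|value|tag."""
    body = f"{slip_id}|{value_cents}"
    return f"{body}|{_tag(body, key)}"


def verify_slip(payload: str, key: bytes = ISSUER_KEY):
    """Return (slip_id, value_cents) if the tag is genuine for exactly this payload, else None."""
    parts = payload.split("|")
    if len(parts) != 3:
        return None
    slip_id, value, tag = parts
    expected = _tag(f"{slip_id}|{value}", key)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None                         # value or id altered, or slip minted without the key
    if not value.isdigit():
        return None
    return slip_id, int(value)


class TillBackend:
    """The feedback channel the article says was missing: remembers every slip already paid."""

    def __init__(self, key: bytes = ISSUER_KEY):
        self.key = key
        self.redeemed = set()

    def redeem(self, payload: str) -> tuple:
        parsed = verify_slip(payload, self.key)
        if parsed is None:
            return ("bad_tag", None)
        slip_id, value_cents = parsed
        if slip_id in self.redeemed:
            return ("replay", None)         # a photocopy of a slip that was already cashed
        self.redeemed.add(slip_id)
        return ("ok", value_cents)


if __name__ == "__main__":
    till = TillBackend()
    slip = issue_slip("R20071228-0042", 125)
    print(slip)
    print(till.redeem(slip))                   # ('ok', 125)
    print(till.redeem(slip))                   # ('replay', None): copied slip
    sid, _, tag = slip.split("|")
    print(till.redeem(f"{sid}|99999|{tag}"))   # ('bad_tag', None): value field edited
```

Watermarked paper, the countermeasure the article mentions, raises the cost of a photocopy; the tag and the redemption record make the copy worthless even when the paper is perfect, and they also close the car-park and DVD-shop holes, which came down to codes that nobody checked against a back end.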