barcOwned Popping Shells with Your Cereal Box

Video in TIB AV-Portal: barcOwned Popping Shells with Your Cereal Box

Formal Metadata

Title
barcOwned Popping Shells with Your Cereal Box
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date
2018
Language
English

Content Metadata

Abstract
Barcodes and barcode scanners are ubiquitous in many industries and work with untrusted data on labels, boxes, and even phone screens. Most scanners also allow programming via barcodes to manipulate and inject keystrokes. See the problem? By scanning a few programming barcodes, you can infect a scanner and access the keyboard of the host device, letting you type commands just like a Rubber Ducky. This culminates in barcOwned—a small web app that allows you to program scanners and execute complex, device-agnostic payloads in seconds. Possible applications include keystroke injection (including special keys), infiltration and exfiltration of data on air-gapped systems, and good ol' denial of service attacks.
So, you know, it takes a lot to talk in front of all you guys, and we've got two noobs today, so let's give it up for Michael and Colin. All right, welcome everybody. We're gonna talk today about barcodes and barcode scanner hacking. First, a quick introduction, even though you probably don't care who we are. I'm Michael; I'm obsessed with barcode scanners, as you can see, I have way too many of them. Hey, I'm Colin; I do stuff on the web professionally.
So something we kind of noticed, something we may take for granted, is that barcodes are everywhere. You may not notice them in real life, but they really kind of permeate everything we buy, everything we use. You may think, oh, there's some obvious ones; well, there's a lot of non-obvious ones: there's three barcodes on that USPS label, there's one on Intel CPUs, there's some on most printers that print color, even hospital wristbands. And as a result, because those barcodes are everywhere, it means the scanners are everywhere, and so these scanners are basically kind of hiding all over the place. If you go to almost any store you'll find them, if you go to an airport you'll find them, and they're an attack vector.

So before we get into that, let's just talk a little bit about barcodes and kind of what they are. Normally they decode to text. These are just a couple of different types of barcodes, called symbologies. Don't care about what they are, just have to know that they decode to text. Some of them have restrictions, like the UPC on the right, where it can only decode to certain numbers. Some, like PDF417, can hold a lot of data, and others, like QR, are really good at being viewed at weird angles.

But the thing is, these scanners are mostly the same across manufacturers. Most of these are simple scanners and most of these are vulnerable to this attack. If we look at these, they're about 10 years apart and they look exactly the same. The equipment inside is pretty much the same; the controller inside is basically running the same software, the same features, year to year. Most of them will act as an HID device, so they just act as a keyboard: they buffer the barcode and, key by key, they type the buffer out. So with all these barcode scanners everywhere acting as keyboards, what could we do if we could change the text, or send arbitrary keystrokes, or do things like Windows key R? What could we do, with proper permission, in a legally sanctioned test?
So it's not a bug. What this is, is a lot of manufacturers will add special features in Code 128. That's what that barcode right there is, the one that was on the first slide. It says "barc" underneath, but there's a hidden character, the one in red right there, right after the start code: FNC3, which is our best friend in some of these examples. It tells the scanner this isn't a normal barcode, this is a programming barcode. A lot of scanners support this; it is a little manufacturer-specific. And if this is starting to sound familiar, it's because this is basically in-band signaling. If you guys have seen the blue box on the left, that's basically what this is, just modernized. We haven't learned our lessons from decades ago.

So why does this programming exist? It mainly exists for legacy systems. In this example we have a legacy system, we call it Cyberdyne Cat ERP, and we use it to track and herd our cats, a noble goal. It was made a long time ago and nobody wants to replace it, no one wants to modify it, it's way too expensive, it's probably written in Fortran or something, but we've been told to make it faster. So we want to make it faster with barcodes. This is actually a real fake example: there's actually a C# program running in the background that we created just to show this off, because I don't know how to program in Fortran.

So here we have my cat Java. He's a domestic shorthair, he was born like 2005-ish, and our system wants those three inputs. Normally we would have to look at the label on the cat, grab their name, type it in manually, press Tab, type in the breed, press Tab, type in the year, and finally hit F12 to save. Well, it takes a lot of work, there's a lot of room for error, and it's generally just kind of slow. So what if we solved that by barcoding our cats, because how could that go wrong?

So we create a barcode like the one on the upper right that says DSH (domestic shorthair), 2005, Java. Now we've got this barcode, but we can't modify the ERP app; it knows nothing about barcodes, it just expects the keyboard, and that's it. So these rules that we generated, they're gonna go a little bit like this. First we've got a cursor and we've got a buffer of the actual scanned barcode. You see we're starting right before D, or on D; we just move the cursor forward a little bit, and now we move it forward 7 characters. 7 characters is the defined length for how big those two fields can be, and then the rest of the barcode is the cat's name, so you could have a name that's 8 characters long or longer, it doesn't matter. Now we're at this cursor point, we send that info and we press Tab; it types it for us and moves to the next field. Now we go back, because the next field is the breed, which is DSH: the cursor moves back to the front, we type in three characters and we hit Tab again. It doesn't matter what those characters are, we're just typing three characters from the buffer. And then same thing: the cursor has already moved forward for us, all we do is type 4 characters and we hit F12, and it saves it for us. So all you have to do is one quick scan on this legacy system that nobody knows how to modify, and we can actually automate that. That's why these rules exist; that's why manufacturers added them 20 or so years ago.
And so we're back at that. We've put our barcode on our cat, which was a very successful endeavor, and we're gonna just do a scan. So this is what the scan looks like, simple as that. It's extremely fast, a lot less error-prone, but of course we can make our own malicious rules, we can make our own malicious programming, so we can do all sorts of things. You can specify criteria for these rules, so we can say: just do it on everything, do it on certain barcodes, ones that have certain text in them, or certain symbologies like UPC. And then once we're done with that we can specify actions. You see here on the right, that is the actual programming barcode for that Cat ERP system, so if you scan that with this scanner it'll do that. A lot of these scanners can actually support multiple rules, as we'll see later. They do have a size limit, but it's fairly extensive; you can't write a novel in PowerShell, like you can't write hundreds of characters, but you can get a lot in.

These are some of the actions we can do, some of the ideas. We can modify and replace text on the fly. We can just ignore text, so you scan something and it doesn't actually give you any text. We can add extra characters at the end. We can do special keys like Windows, Ctrl, Alt. And we can just do nothing: we can soft-brick scanners by scanning a rule that says do nothing, and the scanner is dead until you reset it to defaults. There's the classic attack you guys have probably heard of, like at Walmart, where you put a sticker over the barcode with a different barcode for something cheaper, but it's super obvious. This is the digital equivalent of that: we can change those barcodes on the fly, make your two-dollar item ring up as ten cents.

So this culminates in our tool called barcOwned. barcOwned is an attack IDE developed by Colin in JavaScript. We build payloads in JSON and it makes it really easy to rapidly design them. These barcode scanners don't give you a lot of feedback: if you give it something invalid they just give you a bad beep instead of a good beep, and that's all. There's no feedback, there's no output, there's no logs. Trying to do these barcodes manually is possible, but I literally spent the past year working on that. So this makes it easy for you guys to just write some JSON. It's a little harder than Ducky Script; Ducky Script is kind of basic, this allows you to do a lot more, but this takes away all the complexity of doing those barcodes and you don't have to dig through any manuals. Right now it supports Motorola/Symbol, which I think is like 40% of the market; most other scanners support this, like Honeywell, NCR. And it's open source under the MIT license. Here on the right you can see a simple example; this is how we run calculator.
So let's go over the demo. The first demo is run calc. So this is the barcOwned website; it's live right now. Quick homepage right there, and it takes us into a quick IDE. First thing we do is run calc. I know this text is a little small, but don't worry about it. You see on the bottom we have exclamation point, calc. What we basically defined is a rule where, if a barcode starts with an exclamation point, we press Windows key R, we press Enter, and then we type in that command and press Enter. So this basically allows us to easily build new payloads by just having a simple rule.

So as an example, let's scan this. This scanner is fresh, it's reset to defaults. Here's what it looks like just by itself: it types in exclamation point, calc. And here's what happens if we scan that programming barcode. Here's the programming noise. [Applause] Full-screen calc, my favorite.

So let's go and try another demo. The next one is run command. So this is what the quick iteration looks like: we just go back, click things up here, we can change all this text really easily on the fly. And so what we're gonna do is just run this one. This one has two rules. We scan that, it programs it, and then next let's launch a command. And now we just have a command prompt open. We have extra barcodes, so we can just type in net user; so we can actually type in text line by line, so you can actually have a list of one-liners that you really love and just use them over and over again. And the quick iteration is stuff like this: you can go and say, you know, net user add, so you just go click like that, click run, and now I can type net user add.
Next up, let's do the cereal box demo. So right here we've got a box of S'mores cereal. It's a little smashed from travel here from Dallas, but it's got a barcode on the bottom, a simple UPC barcode. We're gonna execute an attack with that barcode. So first let's demonstrate: we scan this, it types in a barcode. Next, let's scan the programming barcode. There we go. Let's prep ourselves: we've already got Metasploit running right here, just waiting for a reverse shell. And so let's scan this barcode and see what happens. Oh, come on, you can do it. We had to change our web host at like 2:00 a.m. and it's super slow right now, but it's working, just give it time. There we go. Now if I can switch over to this other window, that one's open. [Applause]

So that's all great, that's all serious, but, you know, what if we just really want to play some video games? What if we're really feeling down for something more fun? So let's play some Tetris. So right here we'll scan this barcode. It can be a little tricky with the glare on this great stage, but there we go, got that programmed. So we've got Tetris, put that over here, and we've got photos. So basically you've invented the world's shittiest way to play Tetris. [Applause]

And finally, let's just show off what we can do with a little bit of mayhem. So we'll go back to our brick payload.
So there's the programming barcode on the top. Right now if I scan any barcode, it's going to run the cereal box demo, but if we scan this one simple programming barcode, we're basically telling the scanner: whenever you get a barcode, just sleep for 20 seconds, and then don't print anything, for any barcode. So let's try and scan the cereal box again. [Music] If you can't tell, this thing's not letting up. It's just sitting there for 20 seconds doing nothing. It looks like it's powered off: the light's off, the button doesn't do anything, it just sits there for 20 seconds and waits. And the only way to reset it is to go to the factory defaults, which almost no one knows how to do. So we'll give this a few seconds to go through. It looks like it's dead. You scan this one barcode and it's basically a zombie for those 20 seconds; we've tried up to like one and a half minutes before we got bored. So now if we scan restore defaults, we can go back and scan all the barcodes we want, but almost no one knows how to do that. And that whole thing about how we find a lot of barcodes hiding everywhere... well, all right, first let's talk about this.

So first: can you turn it off? And the answer is yes, you can scan that barcode to disable programming barcodes. Can anyone guess how you turn them back on? [Applause]
So some considerations for red team attacks. This is really an advanced attack. You can't just walk into a Walmart and just pull this up on your phone, hit enter, and hope that it kind of exploits it. This is something that takes a lot of testing, a lot of recon, but it allows some windows into systems that normally you wouldn't have access to: they don't have keyboards, they are controlled, you only have access to the barcode, or maybe you're not even there, maybe you send a package with the malicious barcode. One thing to think about: find the beeper hole and cover it up, because the programming barcodes, at least on Symbol scanners, actually play at full volume. Some of you guys can't even hear it in the audience, I have it taped over, but it's really loud, so just cover that up. Another good example is you can actually bring your own scanner. Almost all these scanners have the same 10P10C connector, Ethernet with two extra pins, and you can just slide in a screwdriver, unclick it, and bring your own scanner, or steal a scanner and replace it and then test with that one. So you can actually program your malicious barcode scanner, bring it in the store, swap it out real quick, and you don't have to scan a barcode. One great thing, there's a great example in the next slide: even when the scanners are turned off, a lot of them are still powered. Most of these aren't actually doing a thing, but they're almost all still powered, so you can still program them even when the terminal's off. Another thing: laser scanners, like this one from probably before I was born; nope, not that early. This one's a laser scanner, the ones they have in like Walmart and the in-counter checkouts; this one's actually in-counter right here, spinning laser beam of death. Those ones won't work with phones; you gotta have a Kindle Paperwhite or something like that. And then we have some great ideas where you can trick others into delivering these barcodes. For example, maybe you're in an airport and you just AirDrop someone and say, hi, I'm United Airlines, you know, scan this QR code for your free upgrade. That's actually the Cat ERP code, but don't worry about it. Or, you know, PetSmart just sent a fake email to someone and hopefully they do it. Literally a minute after I walked off the plane in Vegas, in the airport, I came across that. See on the left: unattended little coffee shop place, all the machines powered off, everything's locked up, all the cash is gone, but we've got a powered scanner right there. No one's watching this, so we can just go scan barcodes all we want, because you can program them. And then the one on the right is presented without comment. If anyone's been there, they even posed with our barcode scanner for me; they probably would have let me scan some barcodes at the desk.

For the blue team, I don't have good news for you. As far as I know there's no way to secure these scanners from programming. The only benefit you have is that some models may not support it; some really old ones may not support it, all the new ones do. So you just have to assume that anything that has a barcode scanner attached is gonna get hostile input. So these are the standard kind of stuff we've been talking about in security for a long time: remove local admin, use endpoint protection, app control. I shouldn't be able to type Windows+R and get an admin command prompt, but a lot of times you can, especially on these unattended kiosks. And there's some good ideas about filtering malicious keys at the OS level, so you could just say, if this device has a scanner type, then don't allow any Windows keys or super keys. Or just enforce non-HID modes: these will do serial port. You can use a barcode to change it into a keyboard, though, so you've got to enforce that at the udev level.

Anyways, we wrap it up with some special thanks: to Terry Burton of BWIPP, who made some last-minute changes and helped us a lot; Mark Warren, who made the bwip-js version; Kermit, thanks for the shirts; Dallas Hackers, thanks for all your help and support, this talk was actually born there; and thanks Seibert for the travel and support.

If anyone's looking for some interesting related talks, there are some good examples there. None of them really go into this depth of building a tool, but they give some great details about barcodes and how they work. And there is our site, there is the GitHub link, and QR codes; trust me, they're safe. [Music] [Applause]
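The buffer-and-cursor rules the talk walks through (the Cat ERP field-splitting rule, the "!"-prefixed run-command payload and the 20-second brick rule), as an added Python simulator that is not barcOwned's own code and does not use its JSON payload format; the Rule class, the action names and the filter_scanner_keys host-side mitigation are assumptions made for this example.

```python
"""Simulator for the scanner 'rule' mechanism described in the talk.

Constructed example, not barcOwned's own code or payload format.
A rule has match criteria plus an ordered list of actions that walk a
cursor over the scanned buffer and emit keystrokes, which is what the
host sees from the scanner's HID keyboard interface.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

Event = Tuple[str, str]  # ("text", "Java"), ("key", "TAB") or ("sleep", "20")


@dataclass
class Rule:
    name: str
    matches: Callable[[str, str], bool]            # (data, symbology) -> bool
    actions: List[Tuple[str, object]] = field(default_factory=list)


def run_rules(data: str, symbology: str, rules: List[Rule]) -> List[Event]:
    """Apply the first matching rule; with no match the scanner just types the data."""
    for rule in rules:
        if rule.matches(data, symbology):
            return _apply(rule, data)
    return [("text", data)]


def _apply(rule: Rule, buf: str) -> List[Event]:
    cur, out = 0, []
    for op, arg in rule.actions:
        if op == "skip":          # move the cursor forward n characters
            cur = min(len(buf), cur + int(arg))
        elif op == "rewind":      # cursor back to the front of the buffer
            cur = 0
        elif op == "send":        # type n characters starting at the cursor
            out.append(("text", buf[cur:cur + int(arg)]))
            cur = min(len(buf), cur + int(arg))
        elif op == "send_rest":   # type everything after the cursor
            out.append(("text", buf[cur:]))
            cur = len(buf)
        elif op == "key":         # a special key: TAB, F12, ENTER, WIN+R ...
            out.append(("key", str(arg)))
        elif op == "sleep":       # the 'brick' action: stall and type nothing
            out.append(("sleep", str(arg)))
    return out


# Cat ERP rule from the talk: name, Tab, breed (3 chars), Tab, year (4 chars), F12.
CAT_ERP = Rule("cat-erp", lambda d, s: True, [
    ("skip", 7), ("send_rest", None), ("key", "TAB"), ("rewind", None),
    ("send", 3), ("key", "TAB"), ("send", 4), ("key", "F12"),
])
# Run-command payload: a '!'-prefixed barcode becomes Win+R, <command>, Enter.
RUN_CMD = Rule("run-cmd", lambda d, s: d.startswith("!"), [
    ("key", "WIN+R"), ("skip", 1), ("send_rest", None), ("key", "ENTER"),
])
# Soft-brick payload: any barcode makes the scanner sleep 20 s and emit nothing.
BRICK = Rule("brick", lambda d, s: True, [("sleep", 20)])

# Hypothetical host-side mitigation from the blue-team section: treat the
# scanner as a text-only device and drop modifier/super-key events.
BLOCKED_MODIFIERS = ("WIN", "CTRL", "ALT")


def filter_scanner_keys(events: List[Event]) -> List[Event]:
    """Drop key events carrying a blocked modifier; text and Tab/Enter pass through."""
    return [e for e in events
            if not (e[0] == "key" and any(m in e[1] for m in BLOCKED_MODIFIERS))]


if __name__ == "__main__":
    print(run_rules("DSH2005Java", "CODE128", [CAT_ERP]))
    print(run_rules("!calc", "CODE128", [RUN_CMD]))
    print(filter_scanner_keys(run_rules("!calc", "CODE128", [RUN_CMD])))
```

The key takeaway for defenders is the first two calls: the same HID "keyboard" output differs completely from the barcode's printed text once a rule is loaded, so logging or allow-listing scanned strings on the host cannot tell a programmed scanner from a clean one.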