BadBarcode: Poisoned barcodes can be used to take over systems

Researchers from Tencent’s Xuanwu Lab have proved that a specially crafted barcode can be used to execute commands on a target system, saddle it with malware, or perform other malicious operations.

Yang Yu, the founder of the Lab, and his colleague Hyperchem Ma, who did most of the work and presented it at PacSec 2015 held last week in Tokyo, have demonstrated how the fact that most barcodes also contain ASCII characters can be exploited to do things like open a shell and execute commands in it.

Another demo of our talk “BadBarcode” in PacSec 2015: start a shell by one single boarding pass. pic.twitter.com/7ssmyYJsIo

— Yang Yu (@tombkeeper) November 12, 2015

Many barcode scanners are keyboard emulation devices. The ASCII characters in the BadBarcode – as the attack has been dubbed by the researchers – are there to make the barcode reader “press” the system’s combinations keys (e.g. Ctrl) and other keys that make hotkeys (e.g. CTRL+0), effectively activating a particular function.

And the barcode in question does not have to be in electronic format – the attackers can print them out and use this paper version.

“BadBarcode is not a vulnerability of a certain product. It’s even difficult to say that BadBarcode is the problem of scanners or host systems,” the researchers noted. They also pointed out that other devices via keyboard emulation connection might suffer from the same problem.

To mitigate this (potential) problem, they advised barcode scanner manufacturers to not enable ADF or other additional features by default, and to not transmit ASCII control characters to host devices by default.

Host system manufacturers could prevent this type of attacks by not using keyboard emulation barcode scanners (if possible), and by not implementing hotkeys in apps and disabling system hotkeys.

Yu has shared some additional demos of attacks here and here.