TechnicalInfoBannerA
TechnicalInfoBannerB
TechnicalInfoBannerC



  Hacking Barcodes
Gunter Ollmann, January 1st, 2008

"Barcode systems susceptible to serious hacker attacks" - so says Heise Security, in their article posted yesterday concerning FX's presentation at this weeks 24th Chaos Communication Congress.

The article describes a few of the threats to systems that rely upon barcodes (on and two dimensional) - in particular their ease of manipulation for scamming purposes and the possibilities for code injection attacks.

Barcodes vs. RFID Tags

Since I've been spending some in-between research time looking at RFID systems, I've had some opportunity to have a closer look at the various barcode encoding schemas currently in use.  There is a lot of overlap between RFID and Barcode systems - with RFID back-end systems adopting many of the same operating principles (mainly because RFID is generally being deployed as a replacement for older/legacy print-barcode systems - particularly in supply-chain and itemized sales).

The limitations of data encoding within barcodes apply almost one-for-one with passive RFID implementations, so by studying the attacks for one, you learn both.  While the vehicle for delivery is different (i.e. a printed piece of paper versus a wired antenna), the vectors for encoding attack data and how it will be interpreted by backend systems is identical.

The primary encoding vectors for barcode and RFID attacks are:

  • Value cloning - i.e. duplicating existing barcode/tag values
  • Value overflows - i.e. buffer overflows, off-by-one attacks etc.
  • Code injection - i.e. inserting character codes or strings that will be "incorrectly" interpreted by the backend systems (e.g. SQL Injection, Cross-site scripting, infinite-loop DoS, etc.)

Scale of the threat

The Heise Security article (and no doubt the original presentation) is a little sensationalistic, but that shouldn't undermine the fact that there are some real security issues to be had here.  It basically comes down to input validation.  Back-end systems generally take the data supplied by the barcode (or RFID tag) as a trusted source and use it as is without validating it. Consequently, the opportunity to do something mischievous is rather easy - especially in this day of home laser printers.

The fact that barcode attacks have received so little attention from security researchers in the past has less to do about difficultly, and more to do with opportunity.  They are a very old device, but it's only been in the last decade that we've seen them more fully integrate in to newer (publicly accessible) computer systems that have 'value' from a target perspective.

Over the next year or two I expect more security researchers to turn their attention to barcode and RFID systems.  I think that the initial findings are going to be highly implementation specific (and not widely distributed) primarily because the way these technologies have been historically deployed and the amount of 'legacy' or proprietary equipment already out there.

However, as that old equipment fails and/or gets replaced, major organizations will deploy the latest interoperable versions.  RFID supply-chain standards for data sharing and complete international product life-cycle tracking will be very interesting - and provide a vehicle for much large and disruptive attacks.  But that's only likely to occur more in the 3+ year timeframe.

For the time being, the attacks we'll likely hear about will be deployments of specific implementations - like cloning movie passes, or SQL injection against a particular companies car-part inventory system, etc.

Hopefully these smaller events will get developers thinking about their legacy code and look to improve it's security by either adding the appropriate validation code, or upgrading systems to those that have more rigorous (and proven) security features.  With that in mind, I'd expect the latest work in RFID systems to help lead the way as there is already a lot of additional thought going in to the security built in to these newest standards.

That said, regardless, with each new technology we consistently see new threats develop.

Create Your Own Barcode

online barcode
Symbology  
Data  

Submit  

Note - if the above "Create your own barcode" doesn't work for you, it's probably because the site that hosts that content is using the HTTP_REFERER field.  So either make your HTTP_REFERER blank using various privacy settings or save this page locally and re-open that saved page.  If all else fails, just go to the original site with the link below.

A useful site for experimenting with barcodes: http://www.tec-it.com/asp/demo/playground.asp?mainmenu=Software&sbmenu=Online&LN=1

 

    Copyright 2001-2008 © Gunter Ollmann