‘Badbarcode’ attacks expose potential vulnerabilities in barcode tech

Researchers with Tencent’s Xuanwu Lab demonstrated several attacks at the PacSec 2015 conference in Tokyo on Nov. 12 that used barcodes to execute commands on the host systems of barcode readers and could potentially be used to upload trojans.

Yang Yu, the firm’s founder and head, posted several videos to his Twitter account of an attack he has dubbed “Badbarcode” that demonstrate how barcodes that were printed on paper and on digital screens could be programmed to execute any command on a computer.

Researchers at Tencent’s Xuanwu Lab demonstrated attacks using barcodes that could deliver commands to systems that read them


The attack consisted of the researchers printing barcodes that were programmed to execute various commands when scanned. Yu said the researchers were able to exploit the fact that, depending on the protocol being used, most barcodes can encode the full ASCII character set, not only digits and letters, according to Threat Post.

An attack carried out in one of Yu’s videos shows a barcode being scanned by a device commonly used at airports to check boarding passes. After the code is scanned, a shell opens on the adjacent computer, where a user could enter commands.
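As an added defensive example (not code from the article or from Tencent’s research), the check below shows how an application that receives data from a scanner acting as a keyboard would reject scans carrying control characters or unexpected symbols before acting on them. The allowed alphabet, length limit and sample scans are constructed assumptions.

```python
import string

# Constructed sample scans (not taken from the article): a benign
# boarding-pass style payload, one that smuggles control characters
# (ESC, NUL, CR, ETX) of the kind a keyboard-wedge scanner would type
# into the host, and one using symbols outside the expected alphabet.
SAMPLE_SCANS = {
    "benign": "M1DOE/JANE  EABC123 LHRJFKBA 0117 330Y012A0001 100",
    "control_chars": "ABC123\x1b\x00\r\x03cmd\r",
    "wrong_charset": "ABC-123;rm",
}

# Printable characters the application expects from a scan (assumption):
# letters, digits, space and a small set of punctuation.
ALLOWED = set(string.ascii_letters + string.digits + " /.-")
MAX_LEN = 128


def classify_scan(payload: str) -> str:
    """Return 'accept' or a 'reject:<reason>' verdict for one scan.

    Control characters (0x00-0x1F, 0x7F) are refused first, because they are
    what lets a crafted barcode emulate key presses such as Enter or Ctrl
    combinations; anything outside the expected alphabet is refused next.
    """
    if not payload or len(payload) > MAX_LEN:
        return "reject:length"
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in payload):
        return "reject:control-char"
    if any(ch not in ALLOWED for ch in payload):
        return "reject:charset"
    return "accept"


def audit_scans(scans: dict) -> dict:
    """Classify every scan so rejected ones can be logged for detection."""
    return {name: classify_scan(data) for name, data in scans.items()}


if __name__ == "__main__":
    for name, verdict in audit_scans(SAMPLE_SCANS).items():
        # repr() keeps control characters visible in the log line.
        print(f"{name:14} {verdict:20} {SAMPLE_SCANS[name]!r}")
```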

“BadBarcode is not a vulnerability of a certain product. It affects the entire barcode scanner-related industries,” Yu told Vice’s Motherboard in a direct message on Twitter.

“I do not know what the bad guys might do,” Motherboard quoted him as saying. “But considering barcode scanners are everywhere in our world, so BadBarcode is really a serious problem, not just a bug people could use to get free beer.”

Source: http://www.scmagazine.com/
