BadBarcode is a design flaw that exists widely in barcode reading devices and can be exploited to attack the host computers that a barcode scanner connects to. Currently almost all barcode scanners are designed to work in Keyboard Simulation Mode, or support multiple modes but can be switched into Keyboard Simulation Mode by scanning a barcode. In addition, symbologies such as Code 128, PDF417 and QR code can encode Ctrl key combinations. As a result, an attacker can send key combinations to the host computer by having it scan one crafted barcode or a set of them, to open common system dialogs and possibly execute arbitrary commands.
Many barcode scanner manufacturers also support proprietary customization features in their products. Using these features, an attacker can send system hotkeys by scanning a barcode, for example "Win+R" to bring up the Run dialog, which makes the attack much easier to carry out.
For laser barcode scanners, an attacker can also use a beam of rapidly flashing laser light to emulate a barcode. Theoretically, this attack could be conducted from 1000 meters away.
BadBarcode is not an implementation bug but a design flaw. Symbologies such as Code 128 support encoding control characters, and devices work in Keyboard Simulation Mode. These two seemingly logical designs, when combined, become a security vulnerability.
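The following is an added example, not code from the Xuanwu Lab research, illustrating the host-side counterpart of the design flaw described above and of the mitigation advice given further down this page. When an application receives scanner output over a non-keyboard channel (serial, USB-COM or HID-POS) it sees the decoded bytes and can reject control characters and anything outside the format it expects before acting on the data. In Keyboard Simulation Mode the host only sees keystrokes, so this check cannot be applied there; that is exactly why the write-up asks manufacturers to disable control-character encoding at the scanner. The key names for control codes, the Ctrl+letter mapping, the CR/CR LF terminator and the SKU format are assumptions made for this example, not any vendor's table.

```python
"""Host-side validation of decoded barcode data (added example, not from the page)."""
import re

# ASCII control characters that keyboard-wedge firmware commonly turns into
# named keys; the remaining 0x01-0x1A values are conventionally delivered as
# Ctrl+<letter>.  This mapping is an assumption for illustration only.
NAMED_KEYS = {
    0x08: "Backspace",
    0x09: "Tab",
    0x0A: "Line Feed",
    0x0D: "Enter",
    0x1B: "Esc",
}


def describe_control(code: int) -> str:
    """Human-readable name for a control code (0x00-0x1F or 0x7F)."""
    if code in NAMED_KEYS:
        return NAMED_KEYS[code]
    if 0x01 <= code <= 0x1A:
        return "Ctrl+" + chr(code + 0x40)  # 0x01 -> Ctrl+A ... 0x1A -> Ctrl+Z
    return "0x%02X" % code


def find_control_chars(data: str):
    """Return [(index, description)] for every control character in data."""
    return [(i, describe_control(ord(ch))) for i, ch in enumerate(data)
            if ord(ch) < 0x20 or ord(ch) == 0x7F]


def ean13_check_digit_ok(digits: str) -> bool:
    """Verify the standard EAN-13 modulo-10 check digit (weights 1,3,1,3,...)."""
    if not re.fullmatch(r"\d{13}", digits):
        return False
    body, check = digits[:12], int(digits[12])
    total = sum(int(d) * (1 if i % 2 == 0 else 3) for i, d in enumerate(body))
    return (10 - total % 10) % 10 == check


# Allow-list of payload formats this application accepts (constructed).
FORMATS = {
    "ean13": ean13_check_digit_ok,
    "sku": lambda s: re.fullmatch(r"[A-Z]{3}-\d{6}", s) is not None,
}


def validate_scan(raw: str, expected: str = "ean13"):
    """Strip the scanner's terminator, then reject control characters and
    anything outside the expected format.  Returns (ok, payload_or_reason)."""
    data = raw
    # Accept exactly one trailing CR or CR LF as the configured suffix
    # (assumption); every other control character is treated as hostile.
    if data.endswith("\r\n"):
        data = data[:-2]
    elif data.endswith("\r") or data.endswith("\n"):
        data = data[:-1]
    ctrl = find_control_chars(data)
    if ctrl:
        keys = ", ".join("%s at %d" % (name, i) for i, name in ctrl)
        return False, "control characters in payload: " + keys
    if expected not in FORMATS:
        return False, "unknown format " + expected
    if not FORMATS[expected](data):
        return False, "payload does not match " + expected
    return True, data


if __name__ == "__main__":
    # Constructed sample scans: a valid EAN-13, one with a bad check digit,
    # a valid SKU, and a SKU carrying Esc and Tab control characters.
    for raw, fmt in [("4006381333931\r", "ean13"),
                     ("4006381333932\r", "ean13"),
                     ("ABC-123456\r\n", "sku"),
                     ("\x1bABC-123456\t\r", "sku")]:
        print(repr(raw), fmt, validate_scan(raw, fmt))
```

The check digit and format tests matter as much as the control-character scan: a scanner that has been reconfigured, or data from a tampered display, is only as dangerous as what the application does with it, and an allow-list leaves it nothing to do with unexpected input.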
Not exactly. For laser barcode scanners, an attacker can use a laser beam to conduct long-distance attacks. Attackers can also tamper with barcodes displayed on users' cellphones via network penetration.
Scanning a QR code on a cellphone, resulting in an application being downloaded and executed:
BadBarcode attack via laser beam:
Note: the red light spot on the table is from the laser device rather than the barcode scanner.
BadBarcode is OS independent. Any OS can be vulnerable to this attack as long as it has hotkeys that can perform privileged operations. These privileged operations are not limited to command execution; they can also manipulate application input, such as modifying the discount value in a POS system.
In theory, any barcode scanner that works in Keyboard Simulation Mode and supports any one of the Code 128 / PDF417 / QR code symbologies that can encode control characters is vulnerable. In other words, the vast majority of barcode scanners in the world are vulnerable. The models we tested and confirmed to be vulnerable are listed below:
IDM160PDF BT PS/2 Kit
The BadBarcode research was a collaboration between Yang Yu (@tombkeeper) and Hyperchem Ma, both from Tencent's Xuanwu Lab.
We disclosed this vulnerability at the following conferences:
GeekPwn held on October 25, 2015 in Shanghai, China
PacSec held on November 12, 2015 in Tokyo, Japan
We requested a CVE ID, but got the following response from MITRE:
"The vulnerability for which you requested a CVE ID does not affect a product that is in scope for CVE at this time, and so it cannot be assigned a CVE ID."
Ctrl key combinations and manufacturers' proprietary customization features are not needed in most situations. We suggest that manufacturers disable these features by default in future product releases and firmware updates, and make sure they can only be enabled from the host computer.
We have tried contacting some of the vendors to encourage them to fix the BadBarcode vulnerability, but they seem to lack sufficient incentive to address it, possibly because this is a widespread issue affecting the entire industry. We suspect this issue will continue to exist for a very long time.
You can disable hotkeys for privileged operations in both the operating system and the application, such as "Ctrl+Esc" and "Win+R" in Windows.
We will update this page with the latest information available.