'BadBarcode' Vulnerability in Barcode Sensors Can Be Used to Hack Computers
Rick
From Yumite
2015-11-19 14:41:52
Imagine somebody walking to a checking counter at an airport, and using his boarding pass to hack a nearby computer. That isn't a plot taken from sci-fi movies, it's something that can be in news in the coming days. A researcher has demonstrated a method of creating malicious barcode strings that could allow an attacker to trigger shell commands. The vulnerability affects almost every barcode sensor currently in use, Gadgets 360 was told.
At the MobilePwn2Own, PacSec 2015 conference in Tokyo, Yang Yu, founder and head of Tencent's Xuanwu Lab, demonstrated a vulnerability that he referred to as "BadBarcode," which allows an attacker to use a piece of paper to gain access to a computer.
In a detailed presentation, which is available on SlideShare, Yu has revealed a vulnerability in the way barcode sensors are fundamentally designed.
Most of the barcode in use today, including the ones that you see on postal packages and behind retail boxes and containers, utilise the Code 128 standard or its derivative - and support ASCII characters. Barcode scanners, furthermore, work as a keyboard emulation device.
At the MobilePwn2Own, PacSec 2015 conference in Tokyo, Yang Yu, founder and head of Tencent's Xuanwu Lab, demonstrated a vulnerability that he referred to as "BadBarcode," which allows an attacker to use a piece of paper to gain access to a computer.
In a detailed presentation, which is available on SlideShare, Yu has revealed a vulnerability in the way barcode sensors are fundamentally designed.
Most of the barcode in use today, including the ones that you see on postal packages and behind retail boxes and containers, utilise the Code 128 standard or its derivative - and support ASCII characters. Barcode scanners, furthermore, work as a keyboard emulation device.