So yeah, what are we gonna do? Quick intro, barcodes. I'm gonna talk about encoding, decoding, scanners, some simple tricks, some more simple tricks, some back-end stuff, and some unsolved cases and stuff. So this is actually all not really hard, so relax, you don't need your brain, or at least not the left side of it.

What about a history of barcodes? They got developed in 1948 by two people, and the first usage attempt, and that's actually really funny, was the American railroad people that tried to barcode all the cars that they have. It took them 17 years to label all the cars, and then the system didn't work, like it never did. At that point in time people figured barcodes are useless. However, in 1966 the National Association of Food Chains started to require having barcodes on products to speed up the checkout process, so they could make more money, and that usually tends to be a really good driver for technology: either making more money or porn. So in '69 the same requested an industry standard, which later became the UPC code that you all have on your grocery products and stuff here in the States. And since '81 the US Department of Defense required a Code 39 barcode on all products that are sold to the military, and you will see why that is a bad idea.

So in barcode speech, the little barcodes, the thing that we just call barcodes, are called symbologies, and we have one-dimensional symbologies and two-dimensional symbologies. Here you see a few samples, and the smarter ones of you will actually start to notice that there are... in the samples, that's probably just hard to read, some of the samples contain only numbers, some of the samples actually contain letters. So we can actually have letters in barcodes. Here's some more symbologies. We will talk about a few of those in more detail in the talk; this is just an overview.
So there is a bunch of different symbology standards out there, and they differ mostly in error correction, and they differ also in what resolution you can print them in, and all kinds of other stuff. So it's really like with protocols: everyone invents his own. Then you have really weird barcodes like this. The upper one you've probably seen on envelopes, and this is actually a POSTNET barcode; this is actually routing information for letters. The British, always being their separate island folks, of course had to invent their own postal barcode that roughly looks the same, but it's the British one.

And then we have two-dimensional barcodes now. If you look at this graphic and then you look at your badge, who can tell me what type of barcode you have on your badge? Data Matrix, that is right. And you will probably notice that this Data Matrix here looks a bit different; it actually has like a cross in the middle. This is because you can cluster them, so you can actually extend the amount of information that goes into a Data Matrix code. That is true for most two-dimensional barcodes. You'll often see Aztec barcodes on UPS parcels. I've rarely seen MaxiCode, except on stuff that Cisco sent me once in a mail. And PDF barcodes are widely used in Europe for ticketing systems, and we're gonna go into those later.

Now, when you see your barcode and you need to decode it... like, how many people, raise your hands, if you actually decoded the barcode on your badge? Yeah, you kind of like were sitting next to me. Okay, cool. So some people actually did it. Now, are you interested in knowing what's on there?
It's a URL, and I'm not telling you which. Yeah, it seems to be part of it, like a scavenger hunt kind of thing.

So essentially, if you want to decode a barcode, there are two ways. One is you just take a scanner and go like "beep" and then see what's on your computer screen, and the other one is decoding software. This is what I use. Some decoding software is free, other decoding software comes for the cost of a few hundred dollars or the modification of two bytes, and I'm really lazy, so I went the capitalist way and actually bought one that was really expensive, but it's really good. Most scanners actually output the stuff directly into your keyboard loop, and that's the older scanners; you also have USB, so they're actually seen as input devices by the computer, and that makes it really easy. You don't need any special software.

So if we want to generate barcodes, how do we do that? For one-dimensional barcodes there's a very, very good generator, which is surprising because it is called GNU and it's actually good, and it even compiles. So this GNU Barcode is actually decent, and you can generate a lot of barcodes with it. You can generate barcodes online; there are many PHP scripts and stuff to do that. There are uncountable commercial solutions; many of them actually ship as TrueType fonts, which I find kind of weird, but you can do that. You can write your own generator really easily. The fun part is you need the specs, and the specs actually come in a very, very fucked-up form. Like, I was actually buying the specs for the Aztec code, and the way you get them is you get a scanned-in printout that was written on a typewriter way back, that has hand corrections in it, and this is what you pay 20 US dollars for. So go figure, but generation is really easy.
It's really easy, as with everything. So in general, barcodes are used for like three different things, and I have to excuse the German in the slide, but there's just no other way to say it. Either they're used as tags and IDs, so you're just putting a number on something and tagging it. Or the two-dimensional ones are actually used as virtual data transport, or virtual-to-physical, because barcodes have this unique property that you can send them by email and then print them out, and you get a physical data carrier in your hand that you called email. And this is what people actually use in Europe a lot; I don't know how much it's used here. The third application they're used for is utter bullshit, and we will cover some of that as well.

So now we're coming to the first interesting thing about barcodes: the scanners. The scanners that face outside to a potentially hostile barcode are actually configured by barcodes. So you have a scanner, the one side faces an attacker and the other one is connected to a computer, and you actually configure it from the attacker side, which is really stupid. So what happens is this: you have a special "enter configuration mode" barcode that ships with every scanner. You scan this enter-configuration barcode thingy and then it goes into config mode, and then you can scan in other barcodes that change the configuration, like the output character set to Japanese or something, and then you scan an "end of configuration" barcode and it gets saved to the scanner. This is really not a good idea. I mean, you really change how this device works. I've actually seen a scanner that offered software update over barcode, which was scary.
What the hell. So this is essentially what you do: you go to the vendor's page, many vendors actually post the configuration barcodes on the web page, or you can just call up the dealer that sells those barcode scanners, and then you reconfigure it. You can change the supported barcode types, which means that the system that formerly thought it's only accepting, let's say, UPC barcodes now suddenly accepts all types of barcodes. Because one thing that you need to know is all the scanners support all the barcode types; you don't buy a separate scanner for UPC or something. The chipsets became so easy and cheap that all the scanners support all the barcodes, and you have to actually configure them away. So the system that used to only accept UPC, with a single simple configuration... More beer... well, suddenly it has pretty much everything you feed it. Not good.

Some scanners actually support special key codes. This is cool when you have a cash register system that still runs on MS-DOS, for example. There are many of those, because they're really stable, in contrast to modern operating systems. The thing is, with a special barcode that has a special key code, you can actually go and scan an escape key, and since it's looped into the keyboard, it actually has the same effect as someone hitting Escape on the keyboard, which means it's going to exit the cash register application. Quite nicely, you can pretty much shut down entire shopping centers.

Yeah, so the easiest hack, in quotes, with barcodes is in most cases actually just copying them. If the barcode actually transports the information that you want already, get a good camera, get a printer, make a picture, print it out, have a copy of the barcode and use that one as well. Happened. So there's a... stand up, come on. There is this person who, at PH-Neutral we have those badges, and some of those badges are the alcoholic badges, like you can actually get free beer with
them, and this guy didn't want to pay for beer but get free beer. So he actually took a picture... Thank you. Actually took a picture of someone's "get free beer" badge, and then went to the copy shop and got it printed out and laminated, and got free beer. Which is why we now have chip cards.

Another thing, like, I don't know how common that is here, much of this is European-centric. Many parking systems, like parking garage payment systems, actually use barcodes nowadays in our areas, and for the residents they have special barcodes. And so I ended up in a hotel, and they gave me, for a parking place in a city in Germany, they gave me a long-term pass because I was staying at the hotel, and so I didn't have to pay for the parking. Now, this long-term pass is just a simple encoded number, and I don't need to actually know what this number means, because I can just copy it and then distribute free parking passes for the city center, which I actually did.

So you guys don't do any of that recycling bullshit. Now, it's really, really bad in Europe. So they make you actually come back, bring back your empty bottles, and then they make you stand in front of a machine and feed them individually into this machine until you are done. The whole process actually takes longer than drinking the beer. So this is really retarded, and they are using barcodes that come out of the machine; they get printed out of the machine and you walk up to the register and get your refund for the recycling, right? So: getting paid for drinking beer. The thing is, in those systems,
they actually have no connection between a recycling machine and a cash register. That means all the information has to be on the barcodes; there is no other way to transport the information. And the vouchers that they use, that come out of the machine, are EAN-13, which is like our version of UPC, it's just a bit longer. And this EAN-13 is actually the super-standard that UPC is under, and your UPC is actually missing a leading digit, a zero; that's why it's not printed. All other countries have a leading digit that says from which country this product comes, and there are special-use digits; 2, for example, is used for store-internal use.

Now, what I did was, I actually went... actually I didn't do that, so let's do that for me... went to this store and gave back two bottles, and so you see I'm getting back 55 cents euro, which is about $2. And when you're checking down here... No, those are all fixed. Yeah, I cannot walk around. When you're checking down at the barcode, it actually ends with 0 5 5 5. Now, if you happen to know that the last digit is actually a checksum, so it's not part of the transported data, it suspiciously looks like the amount of money that you get back. Now we got a second bottle checked in, and that was 25 cents, and it exhibited the same pattern. So you can actually count it and see that you can get up to 999 euros in refund for returning stuff, which is actually pretty decent. The thing is, Berlin is full of people that don't like to work but do like to drink a lot of alcohol, and so when they introduced the systems, people immediately realized that this is cool, because they didn't even read the barcode, but they did what I told you earlier.
They just copied them en masse and went into stores and got money, and to prevent this, the stores actually started to use special paper, so they would recognize their own paper. But the thing is, if you stick the barcode under your six-pack, which is heavy, and the lady at the cash register doesn't like to lift it up, so they just scan it over. So if you stick something under this and you are not too greedy, you actually get paid for drinking beer.

Another thing that people use barcodes for is access control. More often than you will actually expect, the access control system only verifies that the structure of the data is nice, which means that it can read a barcode; it will not look at the content, not at all. It's a really easy test: when you have an access system that uses barcodes, just take your pack of cigarettes or whatever you currently have on you with a UPC, and just scan it and see if the door opens. Don't be too surprised if it does, because that's really a regular case. Other than that, you can just get the right number of digits on your barcode and scan it, and it will open the door. That frequently works.

So an attack, in quotes, because that's all really silly stuff, that I used actually is this: the desynchronization. The thing is, people do not realize that the barcode and the numbers, the digits that are actually printed below the barcode, do not have anything to do with each other, except for your assumption that this number is what the barcode says. Like, this is an assumption, and many people have that assumption, which can be exploited. So what you do is you can just change it; you can change the number or the barcode and leave the other one intact, and then, yeah, do stuff with it. Other people do that as well. Like, we had a company trip to the zoo, don't even ask. So these are the tickets we got, and of course I collected them all and scanned the barcodes. And this is what they do as well: the numbers that they show next to the
barcode are the shorter ones, and when you decode the barcodes, you see the longer numbers there, and the leading digit actually says if you need to pay or not. Everything else is pretty much useless.

So this desynchronization can be used for property tracking. Now, let us assume you work as a contractor at this company, and your fellow co-contractor working next to you has this nice laptop. So let's assume you have a Mac and you're finally understanding that they are crap and you want his IBM. This is what you do. In this company that I'm contracting at, they actually do property checking by: you go and you get a barcode and stick it on your laptop, and then they say this barcode belongs to this guy. So this is FX's laptop, and when you check out they scan the barcode and they see if that's yours. So what you do is you replace the barcode on your badge, just the barcode, not the number, temporarily with the barcode on the badge of the legitimate owner. Now, how do you know the value? Well, it's printed below, so you can just generate the barcode; you don't need any magic. Now you take that and stick it on, go out, check it out, like check your new IBM laptop out, go back in, because right now
he's not at work, but he's about to leave, so that is not good, right? So you have to go back in, change... fix your badge again, and then remove it, and then check out and go home and have two laptops. Easy as that.

You can also use that for changing the identity of your laptop. Many companies actually use the barcodes that are below your machine, that actually contain the MAC address; they use that for port access security, for example. So you bring your laptop, they scan the barcode and then they know your MAC address and stuff. Of course, you can put a different MAC address in there. So one of the ideas I had was putting the broadcast MAC address in there, like all F, and so when they put it into the network access control system it's gonna fuck up the network.

The thing about barcodes is, it's a really simple technology, but you actually have to get your procedure right. So this is what happens when you're really lucky. So this is actually a picture of the place, the apartment building I live in, and they put in a store, an automated DVD rental system, unattended, right there. It had a barcode scanner at the door, and I walked right in there and asked them for an account, and figured out that they're actually using biometric authentication, like they wanted my fingerprint, and I'm like, yeah, you're gonna get my fingerprint, this side. So I only go for the PIN. Now this is really cool, because it's unattended and it's in my house, and so I can go at night and play with their systems.

So okay, here's the rental procedure and the pickup procedure. So the rental procedure is: you go in, you swipe your card, you enter your PIN, you select the movie you want, you log out. You can do the same thing on their website. Now the pickup procedure, to actually get to the physical data carrier, the DVD, is: you swipe your card, you get the DVD from the machine. Is anyone seeing an issue here?
Well, the second doesn't ask for a PIN. So the card that you get actually has a barcode on it. The barcode is actually highly complicated. There, yeah, over there, at the top. It actually has four digits and one character. Now, the one character is actually pretty much static: it is the first letter of your last name, and then the digits just increase, which means you can just guess who just rented a movie and then print a barcode with this number, swipe it, and if they ordered it over the web, you get it. Their problem is they cannot prove that they don't have it, so they have to pay for it, and you get to watch DVDs and even keep them. So yeah, this is why I did... also, what's really funny: on this website where you can pre-order this stuff, they will actually tell you if it's rented out or not, and it will actually look a little bit different if it's already taken out or just reserved. So you already know what movies are rented and are pre-ordered, so you're not picking up, I don't know, Disney crap. Yeah, it's good.

So the next class that we have is injections and multi-decoding. So most barcode readers, as I mentioned, actually read everything, like every possible type of barcode, and they're usually left in their factory setting because nobody cares. And even if they're not, we have learned already we have configuration barcodes; we can make them so again. The back-end application, however, will in many cases only expect the barcode type it's written for. How surprising. Ever heard of people forgetting input validation?
It is the same deal. So using a very powerful barcode like Code 128, you can inject arbitrary characters, which brings us to actually having SQL injections and format string attacks in barcodes. You will be surprised how well this works. The really interesting part of that is: the older the application, the less likely that you actually succeed, because people back in the days could actually code, and the later the application, like the latest PHP-written shit, is gonna fail all over you if you have a SQL injection barcode. This is actually... I had the pleasure of professionally playing with barcodes as well. So this is actually from a medical system, which is really important because it tests your blood for HIV, and you can see barcodes over there. I found the injection in that system, so that you could actually make test results go away. This is scary. You don't want to do that.

Okay, I mentioned that people use barcodes for utter bullshit. It's called QR codes. So the idea is this: you have a newspaper, like a paper newspaper. For us hackers, we probably haven't seen those in years, but like a physical RSS, okay. So what the idea is, they print barcodes on the newspaper, and it is a two-dimensional barcode, and then there is commercial decoder software for your mobile phone. Nokia, I think the latest, ships with one, that will scan the barcode, decode the barcode automatically and point your browser right at the URL this is pointing to. This is actually a really, really bad idea. Now, yeah, here's some more of them, the German newspapers.
They actually started off with using them and said everyone else is using them now. Now, the thing is this: we took one of those commercial software thingies and looked at it, and realized that it's actually not even going to the newspaper's website, but it's just going to some Web 2.0 marketing bullshit company. And when you decode... when you brute-force the numbers, you can see who else is using this service, which is kind of nice, but it's not really barcode-related. The problem is this: people can actually print arbitrary content in newspapers. We call this advertisement. Like, this is how the newspapers actually make their money. So most people, especially most suit-and-tie-wearing people, do actually trust their physical newspaper. Not only do they believe what they read in there, but they also do not think it could be evil content. So you're pointing your browser to a URL not known to you, automatically, with your newspaper. Is that potentially a bad idea? Anyone? Like, have you ever heard of a vulnerable browser before? And you all... and you get to cross-site script people with your newspaper. Like, you put a cross-site scripting attack in the newspaper, he's logged into Gmail, he scans this shit, you delete all his email. This is like... no, it's a no-brainer.
It's like cross-site scripting 101. Like, how about just renting very little advertisement space and then pointing it to an IcePack or MPack site, or whatever exploitation framework you use against browsers, and mass-owning managers? Now, great, we have now to tell our CEOs they should not click on images in their fucking morning newspaper. Thank you.

There is another great property of barcodes. This is the density thing. The barcodes are actually designed to have a variety of densities. The thing is, some of them are arbitrary length, so you can print as much as you want. If you have a really long reader, that's not a problem. But the programs, the software that is going to handle the barcode that you're giving it, is actually written for this fixed amount of digits that it was expecting. So even in the same physical space that you probably need, like when you print it on a card or on a slip here in Vegas, you can actually print a lot more digits. Ever hear of buffer overflows before? Like, have you noticed that putting more stuff into something than it was expecting is actually something that hackers really like? So yes, it does happen; we did find buffer overflows with barcodes, simply by printing more. It is a lot less common than the injection attacks, but your tool of choice here is Code 128, because it's the full seven-bit ASCII character set and you can chain them together: you print multiple of them, and they end with a control code, FC4, that says there's more coming, and the barcode reader is actually caching that. So the barcode reader is actually buffering all the barcodes you're scanning, and then you send the final one, say "go", and then you finally scan a 1k-big barcode, which is kind of cool.
I mean, it really breaks shit. Warning: I have to warn you, it is a pain to develop shellcode on barcodes, I can tell you from experience.

Yeah, and coming back to this QR thing, like taking pictures in your newspaper and then routing your browser to it. Yeah, you put it into a disassembler, right away you find a place where they have a %s that they later on pass to a wsprintf. You also find some phone number that is undocumented, and funny statements, and you'll find their username and their password for some HP OpenView looking glass in their software. I don't actually know what that is, but it was too cool to pass on. It has nothing to do with barcodes, but if you want to own some fucked-up Web 2.0 company, there it is.

We actually tested a lot of stuff that didn't break. So this is something we have in Germany, it's called the Packstation. You get a barcode in your mail, it's an EAN-13, and then you walk up to the station and then you scan it and it spits out the delivery that you got, because the UPS guy again didn't find the door or something. So wait a second. What I'm spending my weekends with sometimes is going to public barcode scanners and then fuzzing them, and this is how that looks like. So you have a few numbers, you have a few more numbers, more numbers, then you end up at some point with very dense barcodes, and SQL injection should be in here as well.
Yeah, you have special character sets, and you just go there and scan them and see what happens. So this thing actually didn't crash, quite disappointing. I also tried IKEA, because they use Interleaved 2 of 5, which is a bit more powerful, you get more digits in, and all their scanners accept almost all one-dimensional barcodes, but their application is actually well written. It's one of these MS-DOS-written programs, and it actually didn't crash.

So, and then we have what I call recreation attacks, which means: can I predict what the barcode is gonna contain for a specific scenario that I want? If so, I can just print it out. It's that simple. So the most obvious target is postal codes. Now, postal codes are used instead of stamps, right? So they're actually worth money. So they use two-dimensional barcodes now, because they can automate the process; they don't have to have an intern licking stamps and placing them on letters, but they print the barcodes on the letters and it goes a lot faster. Some of the postal systems, as we've seen in the intro, actually use different systems, but most actually use Data Matrix. And so I got just simple letters from companies that write me, like invoices and stuff, and decoded them and checked out what's in there. So what can you actually verify? So this is one thing that I got. It has the Austrian post barcode over there, and I decoded it, and it is literally this line of zeros. That's it. So how do you actually verify that someone paid for this letter with a bunch of zeros? Like, how do you do that? Probably not at all. So if you want to send mail in Austria, get a bunch of zeros and put them in a barcode. They also had rear barcodes, but those were postal system barcodes and Interleaved, and they just had nothing to do with the payment. And then we have the US postal system. This is probably gonna get me in trouble. So they have this labeling system.
That's called Intelligent Mail. Hmm, and I assume it got this name because, compared to the author, the system was actually... written there. Not getting there. So it uses Code 128 labels, and I actually found the specs on the internet. No, literally, like the .doc file specs on the internet on how this works. So here you see how big this thing has to be and stuff. So what's in the barcode? They have this... back in the barcode, so it says, here's the ZIP code. Yeah, kind of makes sense, here's where this should go. Oh, and mind you, this only works for crates and big stuff, not for small letters. So you have this ZIP code where it goes, you have a CIN, you have a label source, so it says where did it come from, or what type, you have a mailer ID, which is unique, and I'm coming to that in a minute, and a unique identifier for the shipment, and you have a label type, and that's about it. I don't see any authentication. Like, I don't see any way you can prove that this is your mail or this wasn't your mail. Now, this unique identifier could be a problem, because we're not able to predict it, but then in the same specs it says: "To maintain the uniqueness of the barcode, the data for these label types must be unique for 30 to 45 days. Mailers are asked to check with their postal service marketing representative to confirm the requirement for uniqueness." Hmm, so it's absolutely random; it doesn't really care.

Now, on the other hand, I'm trying to get... on the other hand, I compared that to another spec that at first sight has nothing to do with it. This is the Pentagon building security emergency procedures guide that also has a guide on how to handle mail and recognize letter bombs. So it has all those things, like: is it foreign mail, or excessive postage, or it actually has protruding wires and tin foil. Whoever wrote that probably never built a bomb. It does not contain: you get a large shipment of a crate that has a sender ID of the Pentagon, and then in that is actually the bomb,
like you can send pretty much everything anywhere for free and it will be trusted, because the sender ID says this is the Department of Defense.

Do you guys use barcodes for boarding tickets, airline boarding tickets, here in the States? Yeah, okay, you're gonna love this. So this is the latest trend. So the security on our biggest hub, Frankfurt Main Airport, of course our capital doesn't have a large airport, relies on the boarding tickets. They don't actually have anything anymore except for the scanner that goes red or green, and if it goes green you can go in, and if it's red, then no. The security checkpoint is central, therefore it's not airline-specific, right? Now, on the other hand, this implies that the security checkpoint may not know everyone who's already checked in, because that would mean everything else is rewired with each other, and I don't think that is the case. So the validity must be in the barcode. I fly a lot, so this is barcodes from trips all over the place. Here's some more. So I got all those and then I decoded them, and this is a tool I've written myself for this barcode research, so I can color hex dumps and stuff. So this is what I found in the barcode. It has a passenger number, it has a last name, first name, booking code, from where you're flying, to where you're flying, which flight number, the day of the year, in which class you are flying (interesting, important), what seat you have, what your ticket number is, and a security check number. However, the last row, the last column here, is the security check number. Do we notice a pattern?
Yes, we do. Everything else changes; the security check number stays the same. Bad. Turns out that thing is static. Now, what's really scary is the two red ones that I have in there are actually online check-in boarding passes, so you check in on the website instead of at the counter, and they don't have anything in the second column. The second column is what is called the passenger record number, and everything, like literally everything in airline security, routing and whatnot, depends on a PNR being there and correct and unique. Like, all the airline software, everything works with PNR. Now, they don't have a PNR, which means we don't have any piece of information we cannot predict. So we can say from where to where we want to fly, what our name is, what flight we want to be on, what class we want to be on, and we are going to be checked in, and they will bring us to the gate.

On the other hand, luggage tagging actually works by logically attaching a one-dimensional barcode to your trip and to you. So baggage is actually routed in the airport delivery system depending on this barcode, and with online boarding you can actually connect any piece of luggage that you have to your boarding pass, simply by dropping it off at the counter. Like, when you online check in, right, you check in online, then you've got a bag, like a big trolley, you go drop it at the counter, show them your online check-in boarding pass, and they're connected logically to your trip, which may not necessarily be yours.
So here's the scenario. We have this person that is considered a potential terrorist just because he wears blankets, and then we have his boarding pass. We have this other person, who strangely looks like a government official in our country, who actually has an agenda and wants to make this innocent blanket-wearing person look like a real terrorist. So he actually creates, recreates, a boarding pass in the name of the other fellow and drops some luggage in, with some extras. Gets X-rayed. Evil security finds a terrorist. This is how it works. You can totally do that. So, recommendation: I mean, they made water illegal in flights, they can actually make luggage illegal as well, for security and anti-terror reasons, because the same concept as with the water is going to apply here. You buy a bottle of water before you go to the airport, it's like $1.00; you buy it at the airport, it's like $5.00. They can do that with luggage too. I don't see why we should be allowed to have luggage, for security reasons.

There are some unsolved cases. One thing that I find really interesting is this US-VISIT immigration thing that they used to have; it kind of no longer is in use. So for a period of time you actually got this huge barcode over there that looks like an entail, when you checked out of the United States, like literally when you left the country, and I decoded those and they're entirely crypto. And I decoded a few train tickets in Germany, and they're actually done right. They actually have a crypto certificate in the 2D barcode.
This is how you do it. Consider your barcode like a browser cookie: whoever you give it to is gonna fuck with it. If you give it to me, I'm gonna fuck with it, let's put it this way. And so everything that people will do to their cookies, they would potentially also do to their barcodes. If you can only use one-dimensional barcodes, make really sure it is like a one-time pad: you draw a random number out of a non-Debian random number generator, and then you put it on whatever you want to tag, and then you have a central database where you put the stuff together, and you don't tell anyone. Do not try to put information into one-dimensional barcodes. If you have a two-dimensional one, use real crypto, like the German systems, the railway system and everything, they have done it right. They have actual crypto on the barcode, and it may actually provide for non-repudiation in both ways anyway. And make sure your process works, like... do not do what my video store did. Make really sure that the people cannot do something with the barcode just because you're implicitly trusted, and do not trust a printed number.

I hope that was somewhat entertaining. If you have barcodes that you want to play with, generate barcodes or scan barcodes and decode them, we have, on this funny URL, we have set up a wiki that contains all the decoding software that we know and all the free decoding software and everything else, and has some war stories of people, like what went wrong with barcodes, and actually people contributing content there. So it's actually pretty cool. Yeah, thank you. Right on time. Any questions? Any barcodes? No, actually the slides are not on a disc, because I was getting myself into this talk Tuesday or something, but I will post them up. They should be up on the Phenoelit website.
Oh, this is really funny, you're gonna love this. If you have seen the PortBunny talk that I gave together with fabs, this system is actually, like the back end is the other side, the victim system that he tested his firewall detection packet storm shit against, so the system is actually broken right now because fabs killed it. It's gonna be back up in a few days. Okay, thank you very much. See you at the next party.
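To make the EAN-13 refund-voucher discussion and the closing recommendation concrete, here is an added Python example; it is not the speaker's code and not from any real deposit system. It verifies the EAN-13 check digit, parses a voucher laid out the way the talk describes (refund in the last three data digits, check digit last), and contrasts that with the random-token-plus-central-database design recommended at the end of the talk. The nine-digit prefix, the exact field layout and the RefundRegistry API are assumptions made for this example.

```python
"""EAN-13 refund vouchers: a check digit is integrity, not authenticity."""
import secrets
from typing import Dict, Optional

# Assumed voucher layout (constructed for this walkthrough; the talk only
# shows that the refund sits in the last three data digits and that the
# final digit is the EAN-13 check digit):
#   digits 0-8   store/machine prefix; leading "2" = store-internal per the talk
#   digits 9-11  refund amount in cents, zero-padded
#   digit  12    EAN-13 check digit
PREFIX = "230000000"   # constructed, not a real deposit-machine prefix


def ean13_check_digit(data12: str) -> int:
    """Standard EAN-13 check digit: weights 1,3,1,3,... over the 12 data digits."""
    if len(data12) != 12 or not data12.isdigit():
        raise ValueError("EAN-13 needs exactly 12 data digits")
    total = sum(int(d) * (3 if i % 2 else 1) for i, d in enumerate(data12))
    return (10 - total % 10) % 10


def ean13_is_valid(code: str) -> bool:
    """True if the 13-digit code is well formed and its check digit matches."""
    return (len(code) == 13 and code.isdigit()
            and ean13_check_digit(code[:12]) == int(code[12]))


def value_in_barcode_refund(code: str) -> Optional[int]:
    """The weak design from the talk: the payout amount is read off the barcode.

    A matching check digit only proves the scanner read the digits correctly.
    Nothing here ties the voucher to a real bottle return, which is exactly
    why the checkout cannot distinguish a machine-printed voucher from a copy.
    """
    if not ean13_is_valid(code) or not code.startswith(PREFIX):
        return None
    return int(code[9:12])  # cents, taken straight from the barcode


class RefundRegistry:
    """The design the talk recommends for 1-D barcodes: the barcode carries only
    a random token, the amount lives in a central database, one-time use.
    Hypothetical API written for this example, not any real deposit system."""

    def __init__(self, rng=None):
        # Inject a deterministic rng only for tests; default is OS entropy.
        self._rng = rng or secrets.SystemRandom()
        self._open: Dict[str, int] = {}

    def issue(self, cents: int) -> str:
        """Machine side: mint an unpredictable token and record its value."""
        while True:
            data = "2" + "".join(str(self._rng.randrange(10)) for _ in range(11))
            code = data + str(ean13_check_digit(data))
            if code not in self._open:
                break
        self._open[code] = cents
        return code

    def redeem(self, code: str) -> Optional[int]:
        """Checkout side: pay out only for a token this registry issued, once."""
        if not ean13_is_valid(code):
            return None
        return self._open.pop(code, None)   # second scan of the same code: None


if __name__ == "__main__":
    voucher = PREFIX + "055"
    voucher += str(ean13_check_digit(voucher))
    print("value-in-barcode voucher", voucher, "->", value_in_barcode_refund(voucher))
    reg = RefundRegistry()
    token = reg.issue(55)
    print("registry token", token, "->", reg.redeem(token), "then", reg.redeem(token))
```

Both designs pass the EAN-13 check; only the registry rejects a never-issued or already-redeemed code, which is the property the talk's deposit machines lacked.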