So you know it takes a lot to talk in front of all you guys, and we got two noobs today. So let's give it up for Michael and Colin. So cheers if you got them. Whiskey.

Alright, welcome everybody. We're going to be talking today about barcodes and barcode scanner hacking. First, a quick introduction, even though you probably don't care who we are. I'm Michael. I'm obsessed with barcode scanners. As you can see, I have way too many of them. Colin? Hey, I'm Colin. I do stuff on the web professionally. He's what we call a webmaster.

So something we've kind of noticed, and something we may take for granted, is that barcodes are everywhere. You may not notice them in real life, but they really kind of permeate everything we buy, everything we use. And you may think, oh, these are some obvious ones. Well, there's a lot of non-obvious ones. Like, there's three barcodes on that USPS label. There's one on Intel CPUs. There's some on most printers that print color. Even hospital wristbands. And as a result, because those barcodes are everywhere, it means the scanners are everywhere. And so these scanners are basically kind of hiding all over the place. If you go to almost any store you'll find them. If you go to an airport you'll find them. But they're really an attack vector.

So before we get into that, let's just talk a little bit about barcodes and kind of what they are. So normally they decode to text. These are just a couple of different types of barcodes, called symbologies. You don't have to care about what they are. You just have to know that they decode to text. Some of them have restrictions, like the UPC on the right, where it can only decode to certain numbers. Some, like PDF417, can hold a lot of data. And others, like QR, are really good at being viewed at weird angles. But the thing is, these scanners are mostly the same. These manufacturers, this one, most of these are simple scanners, and most of these are vulnerable to this attack.
They sell, let me look at this, these are about like 10 years apart. They look exactly the same. The scanner, the equipment inside, is pretty much the same; the controller inside is basically running the same software, the same features, year to year. Most of them will act as an HID device. So they just act as a keyboard. They type in the keys, and key by key they type the buffer out. So with all these barcode scanners everywhere, acting as keyboards, what can we do if we could change the text, or send arbitrary keystrokes, or do things like Windows+R? What could we do with proper permission in a legal, sanctioned pen test?

So it's not a bug, what this is. A lot of manufacturers will add special features in. Code 128, that's what that barcode right there is. That was the one in the first slide. It says "barcode" underneath that, but there's a hidden character. That one in the red right there, right up to the start code, is FNC3, which is our best friend in some of these examples. It tells the scanner, this isn't a normal barcode. This is a programming barcode. A lot of scanners support this. It is a little manufacturer specific. And if this is starting to sound familiar, it's because this is basically in-band signaling. If you guys haven't seen the blue box on the left, that's basically what this is, just modernized. We haven't learned our lessons from decades ago.

So why does this programming exist that we can do this from? It mainly exists for legacy systems. So in this example, we have a legacy system we call Cyberdyne Cat ERP, and we use it to track and herd our cats. A novel goal. It's a little... it was made a long time ago, and nobody wants to replace it. Nobody wants to modify it. It's way too expensive. It's probably Fortran or something. But we've been told to make it faster. So we want to make it faster with barcodes. This is actually a real fake example.
There's actually a C# program running in the background that we created just to show this off, because I don't know how to program in Fortran. So here we have my cat Java. He's a domestic short hair. He was born like 2005-ish. And our system wants those three inputs. And so normally we would have to look at the label on the cat, grab their name, type it in manually, press Tab, type in the breed, press Tab, type in the year, and finally we hit F12 to save. Well, it takes a lot of work. There's a lot of room for error, and it's generally just kind of slow. So what if we solve that by barcoding our cats? Because how could that go wrong? So we create a barcode like the one on the upper right that says DSH, domestic short hair, 2005, Java. Now we've got this barcode. We can't modify the ERP app to know barcodes. It's just like, I expect a keyboard, and that's it.

And so these rules that we generate, they're going to go a little bit like this. So first we've got a cursor, and we've got a buffer of the actual scanned barcode. And you see we're starting it right before D, or on D. So we just move the cursor forward a little bit. And now we move it forward seven characters. Seven characters is the defined length for how big those two fields can be. And then the rest of the barcode is the cat's name. So you could have a name that's eight characters long, twelve characters long, doesn't matter. Now we're at this cursor point. We send that info and we press Tab. And you see it types it for us and moves to the next field. Now we go back, because the next field is DSH, or breed, which is DSH. The cursor moved back to the front. We type in three characters and we hit Tab. Again, it doesn't matter what those characters are; we're just typing three characters from the buffer. And then same thing, the cursor's already moved forward for us. So all I do is type four characters and we hit F12. And it saves it for us.
So all you have to do is do one quick scan on this legacy system that nobody knows how to modify, and we can actually automate that. That's why these rules exist. That's why manufacturers added them 20 or so years ago. And so we're back at that. We've put our barcode on our cat, which is a very successful endeavor, I might add. And we're going to just do a scan. So this is what the scan looks like. Simple as that. It's extremely fast, a lot less error prone.

But of course, we can make our own malicious rules. We can make our own malicious programming. So we can do all sorts of things. We can specify criteria for these rules. So we can say just do it on everything, do it on certain barcodes, ones that have a certain text in it, or certain symbologies like UPC. And then once we're done with that, we can specify actions. So you can see here on the left, that is the, or the right, that is the actual programming barcode for that cat ERP system. So if you scan that with a scanner, it'll do that. A lot of these scanners can actually support multiple rules, as we'll see later. They do have a size limit, but it's fairly expansive. You can't write a novel in PowerShell, like you can't write hundreds of characters, but you can get a lot in.

These are some of the actions we can do, some of the ideas. So we can modify and replace text on the fly. We can just ignore text. So you scan something that doesn't actually give you any text. We can add extra characters on the end. We can do special keys like Windows, Control, Alt. And we can just do nothing. We can soft-brick scanners by scanning a rule that says do nothing. And the scanner is dead until you reset it to defaults. There's a classic attack, you guys have probably heard of it, of like, you know, the Walmarts where you put a sticker over the barcode, or a different barcode for something cheaper, but it's super obvious like that. This is a digital equivalent of that.
We can change those barcodes on the fly, make your $200 item ring up as 10 bucks.

So this culminates in our tool called Barcone. Barcone is an attack IDE developed by Colin in JavaScript. We build payloads in JSON, and it makes it really easy to rapidly design them. So these barcode scanners, they don't give you a lot of feedback. If you give it something invalid, they just go, they give you a bad beep instead of a good beep. And that's all. You don't have any feedback; there's no output, there's no logs. Trying to do these barcodes manually is possible, but we literally spent the past year working on that. So this makes it easy for you guys to just write some JSON. It's a little harder than Ducky Script. Ducky Script, you know, it's kind of basic. This allows you to do a lot more, but this takes away all the complexity of doing those barcodes. And you don't have to dig through any manuals. Right now it supports Motorola Symbol, which I think is like 40% of the market. Most other scanners support this, like Honeywell, NCR, and it's open source under the MIT license. Here on the right, you can see just a simple... this is how we run calculator.

So let's switch over to the demo. First demo, run calc. So this is the Barcone website, barcone.com; it's live right now. Quick homepage right there, and it takes us into a quick IDE. First thing we're going to do is run calc. I know this text is a little small, but don't worry about it. So you see on the bottom, we have exclamation point calc. What we basically defined is a rule where if a barcode starts with exclamation point, we go press Windows key R, we press Enter, and when we run, we type in that command and press Enter. So this basically allows us to easily build new payloads by just having a simple rule. So as an example, let's scan it. This scanner is fresh. It's reset to defaults. Here's what it looks like just by itself. It types in exclamation point calc. And here's what happens if we scan that programming barcode.
We hear it made a programming noise. Full screen calc, my favorite.

So let's go and try another demo. Next one is run command. And so this is what the quick iteration looks like. We can just go back, click things up here. We can change all this text really easily on the fly. And so what we're going to do is we're just going to run this one. This one has two rules. We scan that. It programs it. And then next, let's launch command. And now we just have a command prompt open. We have extra barcodes so we can just type in net user. So we can actually type in text, you know, line by line. So you can actually have a list of one-liners that you really love and just use them over and over again. And the quick iteration is stuff like this. You can go and say, you know, net user add. So you can just go click like that. Click run. Now we can type net user add.

Next up, the cereal box demo. So right here we've got an unaltered box of s'mores. It's a little smashed from travel here from Dallas, but it's got a barcode on the box. Simple UPC barcode. We're going to execute an attack with that barcode. So first let's demonstrate that when we scan this, it types in a barcode. Next let's scan the programming barcode. There we go. Let's prep ourselves. We've already got my exploit running right here. Just waiting for a reverse shell. And so let's scan this barcode and see what happens. Oh, come on. You can do it. We had to change our web host at like 2 AM, and it's super slow right now, but it's working. Just give it time. There we go. Now we can switch over to this other window.

So that's all great. That's all serious. But you know, what if we just really want to play some video games? What if we're really feeling down for something more fun? So let's play some Tetris. So right here we'll scan this barcode. It can be a little tricky with the glare on the stage, but there we go. Got that programmed. So we've got Tetris. Put that over here. And we've got photos.
So basically we've invented the world's shittiest way to play Tetris.

And finally, let's just show off what we can do with a little bit of mayhem. So we'll go back to our brick payload. So there's the programming barcode on the top. So right now if I scan, you know, that barcode, it's going to scan the cereal box demo, but if we scan this one simple programming barcode, we're basically telling the scanner, whenever you get a barcode, just sleep for 20 seconds and then don't print anything. Any barcode. So let's try and scan the cereal box again. If you can't tell, this thing's not lighting up. It's just sitting there for 20 seconds doing nothing. It looks like it's powered off. The light's off. The button doesn't do anything. It'll just sit for 20 seconds and wait. And the only way to reset it is to go to the factory defaults, which almost no one knows how to do. So once we give this a few seconds to go through, it looks like it's dead. You scan this one barcode. It's basically a zombie for that 20 seconds. We've tried up to like one and a half minutes before we got bored. So now if we scan our restore defaults, we can go back and scan all the barcodes we want. But almost no one knows how to do that.

And that whole thing about we find a lot of barcodes hiding everywhere? Well, first let's talk about this. So first, can you turn it off? And the answer is yes. You can scan that barcode to disable programming barcodes. Can anyone guess how you turn them back on?

So some considerations for a red team attack. This is really, this is an advanced attack. You can't just walk into a Walmart and just pull this up on your phone and hit Enter and hope it like kind of exploits it. This is something that takes a lot of testing, a lot of recon, but it allows some windows into systems that normally you wouldn't be able to access. They don't have keyboards. They are controlled. You only have access to the barcode, or maybe you're not even there. Maybe you send a package with the malicious barcode.
One thing to think about: find the beeper hole and cover it up, because the programming barcode, at least on simple scanners, they actually play at full volume. Some of you guys can even hear it in the audience. I have it taped over. But it's really loud. So just cover that up. Another good example is you can actually bring your own scanner. These things, almost all of these scanners have the same 10P10C connector, Ethernet with two extra pins. And you can just slide in a screwdriver, unclick it, and bring your own scanner. Or steal a scanner and replace it, and then test with that one. So you can actually program your malicious barcode scanner, bring it in the store, swap it out real quick, and all you have to do is scan a barcode. One great thing, there's a great example in the next slide: even when the terminals are turned off, a lot of the scanners are still powered. Most of these aren't actually doing anything, but they're almost all still powered. So you can still program them even if the terminal is off. Another thing, laser scanners like this one from probably before I was born. Nope, not that early. This one's a laser scanner. The ones that have them, like Walmart and in-counter checkouts. This one's actually in-counter. Right here. Spinning laser beam of death. Those ones won't work with phones. You've got to have a Kindle, paper, something like that.

And then we have some great ideas with, you can trick others to deliver these barcodes. For example, maybe you're at the airport and you just AirDrop someone and say, hi, I'm United Airlines, you know, scan this QR code for your free upgrade. That's actually the cat ERP code, but don't worry about it. Or, you know, PetSmart; just send a fake email to someone and hopefully they do it. Literally a minute after I walked off the plane at Vegas, in the airport, I came across that scene on the left. Unattended little coffee shop place. The machine's powered off. Everything's locked up. Probably the cash is gone.
But we've got a powered scanner right there. No one's watching this, and we can just go scan our barcodes all we want, because you can program them. And then the one on the right is presented without comment, from PISOs, if anyone's been there. They even posed with their barcode scanner for me. They probably would have let me scan some barcodes if I'd asked.

For the blue team, I don't have good news for you. As far as I know, there's no way to secure these scanners from programming. The only benefit you have is that some models may not support it. Some really old ones may not support it. All the new ones do. So you just have to assume that anything that has a barcode scanner attached is going to get hostile input. So these are the standard kind of stuff we've been talking about in security for a long time. Remove local admin, use endpoint protection, app control. I shouldn't be able to type Windows key R and get an admin command prompt, but a lot of times you can, especially on these unattended kiosks. And there are some good ideas about filtering malicious keys at the OS level. So you could just say, if this device has a scanner type, then don't allow any, like, Windows keys or Super keys. Or you can just enforce non-HID modes. These will transfer over a serial port. You can use a barcode to change it into a keyboard, though. So you've got to enforce that at the udev level.

Anyways, we'll wrap it up with some special thanks to Terry Burton of BWIPP, who made some last minute changes and helped us a lot. Mark Warren made the bwip-js version. Hermit, thanks for the shirts. Dallas Hackers, thanks for all your help and support. This talk was actually kind of born there. And thanks Cyberg for the travel and support. If anyone's looking for some interesting talks, related talks, these are some good examples. None of them really go into this depth of building a tool, but they give some great details about barcodes and how they work. And there is our site. There's the GitHub link.
And your codes, trust me, they're safe.
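Editor's note, added after the transcript and not part of the talk: the cursor-and-buffer walk-through for the cat ERP rule, and the calc, price-swap and brick payloads demonstrated later, are all the same mechanism, a rule with criteria plus an ordered list of actions executed against a cursor into the scanned text. The toy simulation below makes that mechanism concrete. It is not Barcone's code and not any vendor's rule language; the action names (`skip`, `send`, `send_rest`, `cursor_start`, `key`, `send_literal`, `drop`), the keystroke tokens such as `<TAB>` and `<WIN+R>`, and the UPC digit strings are all constructed for the illustration.

```python
"""Toy model of scanner data-formatting rules: criteria + actions over a cursor.

Editor-added illustration; not Barcone's code and not a real vendor rule format.
Output is a list of keystroke tokens rather than real HID reports.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """Criteria (None = match anything) plus ordered actions (op, arg)."""
    starts_with: Optional[str] = None
    symbology: Optional[str] = None
    actions: List[Tuple[str, object]] = field(default_factory=list)

    def matches(self, data: str, symbology: str) -> bool:
        if self.starts_with is not None and not data.startswith(self.starts_with):
            return False
        return self.symbology is None or self.symbology == symbology


def run_actions(actions: List[Tuple[str, object]], buf: str) -> List[str]:
    """Walk the actions with a cursor into the scanned buffer; return keystrokes."""
    out: List[str] = []
    cur = 0
    for op, arg in actions:
        if op == "skip":            # advance the cursor without typing anything
            cur = min(cur + arg, len(buf))
        elif op == "send":          # type N characters from the cursor, then advance
            out.extend(buf[cur:cur + arg])
            cur = min(cur + arg, len(buf))
        elif op == "send_rest":     # type everything from the cursor to the end
            out.extend(buf[cur:])
            cur = len(buf)
        elif op == "cursor_start":  # move the cursor back to the front of the buffer
            cur = 0
        elif op == "key":           # a special key: TAB, ENTER, F12, WIN+R, ...
            out.append(f"<{arg}>")
        elif op == "send_literal":  # type text that was never in the barcode
            out.extend(arg)
        elif op == "drop":          # brick rule: type nothing (the real one also sleeps)
            return []
        else:
            raise ValueError(f"unknown action {op!r}")
    return out


def format_scan(data: str, symbology: str, rules: List[Rule]) -> List[str]:
    """Apply the first matching rule; with no match the scanner types the barcode as-is."""
    for rule in rules:
        if rule.matches(data, symbology):
            return run_actions(rule.actions, data)
    return list(data)


# Legitimate cat ERP rule from the talk: "DSH2005Java" -> Java<TAB>DSH<TAB>2005<F12>
CAT_ERP_RULE = Rule(actions=[
    ("skip", 7), ("send_rest", None), ("key", "TAB"),
    ("cursor_start", None), ("send", 3), ("key", "TAB"),
    ("send", 4), ("key", "F12"),
])

# Calc demo: any barcode starting with '!' becomes Win+R, the rest of the text, Enter.
CALC_RULE = Rule(starts_with="!", actions=[
    ("skip", 1), ("key", "WIN+R"), ("send_rest", None), ("key", "ENTER"),
])

# Digital sticker swap: one UPC rings up as another. Digit strings are constructed.
EXPENSIVE_UPC = "012345678905"
CHEAP_UPC = "098765432109"
PRICE_RULE = Rule(starts_with=EXPENSIVE_UPC, symbology="UPC",
                  actions=[("send_literal", CHEAP_UPC)])

# Brick rule: matches every barcode and types nothing until defaults are restored.
BRICK_RULE = Rule(actions=[("drop", None)])


if __name__ == "__main__":
    for data, sym, rules in [
        ("DSH2005Java", "Code128", [CAT_ERP_RULE]),
        ("!calc", "Code128", [CALC_RULE]),
        (EXPENSIVE_UPC, "UPC", [PRICE_RULE]),
        ("anything", "UPC", [BRICK_RULE]),
    ]:
        print(f"{data!r:16} -> {''.join(format_scan(data, sym, rules))!r}")
```

Two points the simulation makes visible: a rule never needs to know the field contents, only offsets and lengths, which is why the cat's name can be any length; and a `starts_with` criterion with a `send_rest` action turns one programming barcode into a generic keystroke launcher for every later barcode, which is the property the talk's blue-team advice (drop Windows/Super keys from scanner-class devices, or force a non-HID mode) is meant to take away.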