Okay, it looks like we're up and running. Hi, everybody. Welcome. Hi, DEF CON. Hi, DEF CON 29. Thanks to everybody tuning in from wherever you are. Hopefully next year we get to all do this in person. Here we are. So hi guys, my name is Richard; we'll get to that in a second. This is my talk on barcodes: Old MacDonald Had a Barcode, E-I-E-I CAR. I have to apologize for me looking back and forth; I have two monitors, my slides are on another one.

So who am I? My name is Richard Henderson. I'm a ham radio nerd. I'm an electronics dork. I write for a living a lot. An infosec professional. I currently work as a CISO. I've trained at DEF CON multiple years in the past, up on 25, 26, 27, DEF CON China beta one. I've run the ham radio fox hunt contest at DEF CON for a few years; did not run it this year, I didn't know what was going to happen. Hopefully back next year, I hope. And "the rich sent me" is how you can find me on Twitter and LinkedIn, so feel free to connect.

So let's talk here for a second. What would happen if you built a system that was designed to take inputs from barcodes that didn't do any sort of input validation? What sort of hijinks could you get up to? Could you crash a system with nothing more than just a simple string of text? You sure can. We'll come back to this screenshot multiple times during the talk and we'll explain what it is we're seeing, but the bottom line is yes, there are a lot of systems out there that, through nothing more than presenting it a string of text, will make it fall over, crash, reboot, service it.

So let's talk about the EICAR string. The EICAR string is kind of the key here, although we'll get to other strings that might cause mischief later, but in this case we're talking specifically about EICAR. So what is the EICAR string?
That's the EICAR string. It's a significant or substantially long enough random piece of text, with enough randomness in it that you wouldn't find it just by chance, so you know that when you see that string of text you are looking at the EICAR string. So who created it, what's it used for, how does it work? In a nutshell, the EICAR test file was created by the European Institute for Computer Antivirus Research, EICAR, and it's a method to test the functionality and the ability of antivirus engines to actually function. So it's used by pretty much every antivirus company or tech company that incorporates some sort of antivirus technology into their product, so think like firewalls, email security appliances, things like that, and they use it to make sure their AV engines are working.

Why would they do that? Well, when you're working with malware, you want to avoid using real malicious malware samples whenever possible, unless you have to work with something really malicious, and the reason for that is: imagine if you were just trying to test your firewall to see if it could detect a piece of malware as it moved past the firewall, but it failed, and you had decided to use the latest, greatest piece of ransomware that you found online. Then that ransomware escaped through the network and started infecting other machines. That'd be pretty bad, right? So EICAR came about as a way to safely test antivirus: create a text string which you can embed in another small file, you can compress it, hide it, see if your antivirus engine can detect it. Think of it as a virus that the general antivirus community has decided is a virus, but doesn't have any malicious capabilities whatsoever.

Okay, QR codes. Everybody's seeing QR codes now, right? I would think. Who created those, what are they used for, and how do they work?
So the QR in QR code means quick response, and it was created by the Japanese auto parts manufacturer Denso in the mid 1990s. If you own a Japanese car, your car is likely full of Denso oxygen sensors, computers, things like that. So why did they create it? Well, there's a bunch of reasons, but the main reason is you can simply just store a lot more information in a QR code than you can in (do I have one around here somewhere?) a simple UPC code. I'm not gonna show you the whole UPC code because that's got some sensitive data. Hey, so like, you know, standard UPC codes you see on a box of cookies at the grocery store. So what's inside a QR code? So QR codes are really, really brilliant when you look at them and you start to dissect how they work. So if you see 4.1, position: what that means (and I'm pointing at the screen, which, yes, in a virtual talk doesn't help) is the position squares basically tell the scanning computer how to orient the barcode. You can see this always: those three position squares, and there's never a position square in the bottom right of a barcode. And that allows the computer to know that when it's taking a picture of a QR code like this one right here, it doesn't matter what way it's scanned, the computer always knows that this spot right here should be... so this is mirrored, but it should be right there. Alignment is really neat.
So alignment squares are used by the QR code to see, even if you present the barcode to it like this, on an angle, it knows the alignment square right here is a square, so it can create like those magic converging lines we did in art class in high school, to know that it can correct the image to make everything square, or you know, square facing the computer.

So what would happen if you put two and two together? You put the EICAR string on a QR code. Well, you get something like this. So again, I'm gonna come back to this screenshot in a couple minutes and explain exactly what it is we're looking at and where this screenshot was taken, but let's stop for a minute and we're gonna talk about where this whole thing started, like where did the idea of turning EICAR into a QR code come from? So special shout out to my friend on Twitter, Rob Rosenberger, who planted the seed in my head that there's probably a lot of systems out there that can scan a QR code and a lot of them won't know what to do when they see the EICAR string. So in this case, if you look at the tweet here, he put the EICAR string as a QR code on the side of his car, I think on the front of his car as well, with the idea of maybe triggering an antivirus response on license plate scanners, toll booths, things like that. But what was interesting is that the antivirus he had running on his Android phone also triggered a detection. So we're gonna talk a little bit more about attack surfaces in a couple minutes, but the idea here was to get the code picked up by cameras you might encounter whenever you're driving around, so like toll booth cameras, like automated toll booths, automatic license plate reading cameras like the ones you see on top of police cars or bylaw enforcement cars, municipal enforcement cars, parking enforcement cars; private parking lots is a good one. So initially it was just a guess as to what might work, and without
access to the actual system that scanned the QR code, if it scanned it, you probably won't know for sure if it actually triggered something. But it definitely does work. I'm gonna share a couple of video clips with you in a couple minutes to show you that it actually works.

So beyond a sticker on your car, what else could you do with this? So, enter the embroidered EICAR QR patch. So what do you think might happen if you take the EICAR text string with you wherever you go? Stick it on your backpack, put it on a hat, just stick it on your shirt. I mean, in many cases you'd have to be really, really close to the camera to have it pick up the QR code, but cameras are getting better all the time. I mean, 4K cameras are not particularly inexpensive anymore. I have one at the front of my house now; cost a couple hundred bucks. Go to Costco: Costco sells full 4K systems with dozens of... it doesn't, a half dozen cameras for a few hundred bucks. So cameras are getting better all the time and they're going to be able to pick these up even if you're not particularly close to the camera.

So let's go to the next slide. So devices that you think wouldn't need to read or interpret a QR code absolutely can. So this is a checkout terminal for a very large multinational retail slash grocery chain that I will not name. Why would a checkout scanner, that should only need to scan a standard UPC code that you find on like a box of cereal, need to read a QR code at all? Well, this is clearly added functionality provided to the retailer by the checkout machine, checkout area manufacturer, and it's probably built into the product during the development phase. You know, things like they might want to add loyalty coupons, purchase tracking, things like that.
Hey, also, for example, they'll send you a QR code coupon on your smartphone and you can scan it and it can read it. They build this into the product because they want to offer all of this to all the customers, and not all the customers are going to use it, but they want it there just in case, right? That's how things work with a lot of software today. But what happened in this specific case? So the code was scanned. It correctly scanned the string. You see my mouse? No, I guess you can't, but if you look at the top left of the screenshot you can see that it clearly read the EICAR string from the QR code, and it just instantly returned this error. So what happened after this was scanned? So the checkout became unresponsive to all inputs. Didn't matter what button you pressed, what you tried to scan, what you tried to do, it was totally unresponsive. Even a manual intervention by the staff that are on site to help you check out (really, they just stop people from stealing stuff), but they came over, they couldn't make anything work. They even said, weird, I've never seen anything like that before. And then the register eventually rebooted itself after quite a long wait. So I'll talk more about what's probably happening behind the scenes in a minute, but the reality is you could walk by a group of checkouts and scan this and crash every single one, and no one would have any idea how to fix it until it fixed itself.

Okay, so I'm gonna play a video. This video was sent to me by a random friend, because I would never do anything stupid like this; that would be really dumb. This is a passport scanner at a port of entry, some country somewhere. But many countries now offer you the ability to pull up your smartphone, fill out the customs form ahead of time in an app, and that app creates... I don't think I have one available. Let's see. It's not working. I'm sorry.
So they'll give you a QR code, basically, instead of getting those old school paper customs forms. You fill in where you went, what flight you were on, what dates you were gone, how much money you spent, you know, do you have any drugs, all that usual stuff. You just check off a bunch of boxes on a smartphone form, and it gives you a QR code, which contains the answers to all your questions. So what would happen if you scan one of those machines with the EICAR string? Let's see. And it's gonna be hard to see, so I'll walk through it here in a second, but I... slides, now I have to back up here for a second, sorry guys. Okay, so I can't pause it and show you, but basically what happened was that machine gave a big fat red error message on the screen and then froze completely, with just a total black screen. So like I said, I highly suggest you do not, do not try this, because believe it or not, customs officers don't really like people screwing around with machines at a port of entry. Um, so what happened here? Don't know for sure, but it did not like the input, was not expecting the input that it was hoping to get, and it froze the machine. Did not cause, as far as I could tell, thankfully, a general system outage across multiple terminals, which would have been real bad. You literally could walk over to the next machine and scan your QR code there and it worked. So what can we infer from that? These terminals aren't super smart. They limit the amount of information they send back to a central database or central source, which makes sense, because these terminals are literally just reading the questions you fill out on that form and filling out the form for you via QR code. But other systems are sending the interpreted QR code to a centralized location for processing. So let's watch a few minutes of video and then we'll explain what happened here.

Yeah, thanks, Richard. Now we're stuck here because fucking Mike had to scan that goddamn barcode. He crashed the fucking machine. It's fucked.
He scanned that fucking EICAR thing. Now we're fucked. Thanks, Richard. Now we're stuck here because... minutes later... Thank you. Good job. Are you recording a video? Yes, I am. Good job. If it gave me my ticket back, I could go to the other one. Yeah, I missed your scan. They don't... fucking everything. No, there's nobody here. I'd use another machine, but it doesn't... my car or my tickets in the machine. So I thank you, so, so...

You got one of those tickets from the parking garage when you go in, and then he stuck the EICAR QR code sticker on the ticket and then inserted the ticket into the machine, and the ticket wouldn't come out, nothing worked. But there's still two more videos, so let's keep watching.

Still fun. There's a parking guy in the booth literally 20 feet behind me. I'm just gonna back up and go talk to him. Like, he's sitting there staring at me. I don't know why he doesn't want to just... yeah, that would be nice. But he's kind of an idiot apparently, so anyway, I'll just back up and go see him, talk to the guy. Yeah, I mean, if you can open the gate, you hear that too, but I mean I haven't paid yet, so I'll just go to the guy back here. It's fine, don't worry about it. Okay, so basically Mike crashed the entire fucking payment system in this entire fucking parking garage. So no one can get out. Apparently they can get in, but that's about it. Yeah, so the tenants went up there to unlock the gate. Yeah. I should look in front of this fucker... fucking hose, but hose fucked up big time.

But so what happened here? What can we infer based on what we saw in those clips?
People are still able to get into the garage, so clearly the ticket machines that print a parking ticket on the way in don't require instant interactivity with the database that's hosted somewhere else, probably in a data center in some remote area. And it makes sense if you think about it, because you don't want to slow the line down on the way in if there's any sort of network congestion or delay. The inbound machines likely just record a timestamp of entry, generate a barcode tied to that timestamp, and then send it back to a database at set intervals, every couple seconds, a couple minutes, who knows. This would be great for areas that don't have the greatest internet connectivity. So like, you know, a parking terminal three levels down in the garage isn't gonna have the greatest network connectivity, right? Or in some cases they're relying on cellular-based links and don't really want to waste bandwidth; they want to save that for the exit phase, which is what messed everything up. So some people were able to exit, as you saw in the last clip, but those were monthly parkers who had a different type of passcard to exit, so there's probably an entirely different system that deals with that. And if you look at a lot of parking machines, they have a separate reader for monthly parkers to scan their badge. So there's probably just a local file that cross-references unique IDs tied to those prox cards or whatever ID card they used to get out, and it looks for a match. But for people who had to pay to exit, there was no way to get out: the machines ate their tickets and the gates wouldn't open. So after that last video clip, my friends here talked to the attendant, and basically he said his PC wasn't working anymore, he couldn't do anything, he had to come out to manually open the gate. He'd never seen anything like it.
So clearly what's happened is the QR string was transmitted to some database somewhere else and it caused... so the string got transmitted to another computer somewhere else, whatever AV was running on that machine triggered an antivirus alert and dropped it into a quarantine cycle to clean the virus, and the whole system went down. They were in there 15, 20 minutes trying to get out of the garage, and so were lots of other people. So again, I'm sorry.

So why does this attack work? Well, pretty simply, much like we've seen in the past decade or so with industrial control systems and SCADA systems, where companies have just bolted on internet connectivity to these devices with very little or zero thought of the security implications of doing so. You know, they sell these to companies as, you know, money-saving measures: you know, you don't have to send a repair person out to some remote pumping station because you can do it all remotely, because they're all connected to the internet. They don't really spend very much time thinking about how people might be able to fuck with this. But the bigger part is that most of these smart machines are all running Windows or Windows Embedded. So what does that mean? So let's go back to a couple of famous Windows Embedded malware attacks. So Target and Home Depot are two of the most famous ones. Attackers were able to design malware specifically built to skim credit card numbers on those Windows Embedded cash registers and then exfiltrate all that data somewhere else. I mean, everybody knows what's one of the first security measures to put on a Windows machine: you install antivirus, right?
So if your antivirus is just some typical out-of-the-box antivirus commodity product, and if you haven't done any customization or any tuning of it, which is often the case, it should see the EICAR string, think that it's being tested, and do exactly what it's supposed to do in order to show that it's working properly: that's quarantine the system and clean it up. So in most cases antivirus has a quarantine cycle. What does it do? A lot of AV makes the system completely unresponsive, makes it unavailable, throws it into a reboot cycle to do like a low-level clean, and this is what's happening here with a lot of these scans.

So why are devices and systems scanning QR codes anyways, when they should only be scanning like a UPC code? Well, you know, there's lots of different barcode formats out there and I'll talk about that in a couple minutes, but you don't always stop at a standard UPC code; there's dozens of different types, so they usually build in that type of functionality to be able to cover all their bases, right? So my gut tells me that most owners have no idea that it's even a thing on the systems they have, and it's probably not easy to turn it off, not without going back to the manufacturer and saying, you know, we'd like to disable these types of input scans. Why would you even think to ask that question? So like I said earlier, you know, added functionality by developers: these companies want to be all things to all people, so they just build it in and hide it from those people who don't need it, but it's there if you need it.

So let's talk about attack surfaces. What other things might you be able to scan
with the EICAR string? So coupons. Here's a car wash coupon. A lot of newer or very modernized car washes, the really cool ones with the neon lights and the 16 colors of foam they spray on your car, they have the ability to accept coupons that you present to the payment machine, and those coupons are often QR codes. And why are they QR codes? Because each QR code can be unique to the person presenting it. It's not like just a coupon code, right? It allows them to track... it allows the marketing people to track the effectiveness of advertising campaigns, right? So they know if this person used this coupon, then they'll probably do it again, so you might want to offer them another, but if someone else didn't use it, it may not be worth spending the resources on. So what happens if you scan the EICAR string there instead?

What else? Price-checking scanners. Maybe, maybe not. Really all depends what the scanner does with the data and what the underlying system is. So Target, for example: newer Targets, the newest price code scanners at Target, are all Android-based tablets, not like this one on the screen, this is an older one. But while the Target Android ones can read the EICAR string, and you can see it if you go and present it, it'll actually interpret the string and show it on the screen, nothing happens. The price code scanners, maybe. So this is a discontinued older one you'll see in a lot of stores, and you can see here that it's running Windows CE 5.0, and it says right on the top: fast and intuitive barcode reading of all linear and 2D barcodes. So a linear barcode is just another way of saying like a one-dimensional barcode, like a UPC code, and 2D means just that, two-dimensional barcodes like a QR code. And like I said, it's running Windows.
So many of the new ones... you go to like a point of sale vendor, people who provide these types of products to small stores and stuff, most of them have all transitioned over to Android, but like we saw on Rob's tweet way back, there's plenty of Android-based antivirus products out there that detect the EICAR string and will think there's a virus.

So what else? Luggage tags? Probably not. All the luggage tags that I've seen in my travels, and the ones I can find online, all use the 1D barcode format with a short identifier string. So typically it's just two letters to signify the airline and then a six-digit string of numbers to uniquely identify that piece of baggage. That doesn't mean there aren't systems behind the scenes that can interpret the barcode. So if you stuck the EICAR string to your suitcase, who knows what would happen? You'd probably never know what would happen unless you can find a friend who works inside airport IT. So if you're watching this talk and you work inside an airport infrastructure and you would like to try it out, I would love to find out if it works. Feel free to let me know.

So the next one is my favorite. Hard to see with the screenshot here, I know, but automated license plate readers on police cars and parking enforcement, private parking lots: ALPR. Most of the police cars, municipal enforcement, private parking enforcement, they all have Toughbooks in their cars. You walk by these cars and see Toughbooks, right? Those Toughbooks are always running Windows, and if you look at the software, I know it's really hard to see, but you can see this is running Windows. The software that's provided by a very large company... the company claims on its website that it works with all license plates no matter where they're from, which means there's got to be a lot of flexibility and leeway for how it's scanning things, right? Because there's thousands of different kinds of license plates, different fonts, different spacing, states and provinces, things like that.
So what if you stuck an EICAR sticker next to the license plate and it picked it up? Mike and others like... but I'm pretty sure I remember a story way back when someone created a SQL string on their hood in the UK and it crashed the speeding ticket cameras. So ring a bell, anybody? Seems to ring a bell to me. But amazingly I have yet to be able to find a parking enforcement officer or police officer who'd let me actually try to see if I can crash the system, no matter how I phrase it or how nice I try to be, no matter how I frame it around security research. None of them are interested.

But what else? QR codes are being much more prevalent, or much more used, in things like big events, sporting games, concerts, things like that. So could you present the EICAR string to them as your ticket and crash the central system? It's very possible. Hospitals. Hospitals are likely very susceptible to this attack. Lots of back-end systems provided to hospitals are Windows-based; I know this for a fact. Someone close to me works in healthcare IT and deals with this kind of stuff all the time, and their back-end systems are all Windows. So here's like a patient bracelet with a type of QR code. Here's, for those of you with children, when your kid is born they put a bracelet around the kid and a bracelet around you, just to track the baby through the hospital, make sure you leave with the right child. Lots of QR codes on those ones. So these are QR codes on blood transfusions, just to make sure the right person gets the right blood and, you know, follows the chain of custody of that blood as it moves through the hospital. So yeah, it should probably start looking for this.

I'm extending this attack. So how do you want to make sure, if you're gonna test your own systems, because this is the only time you should be doing this, right guys? There are, like I said earlier, there are a lot of 2D barcode types out there, so you should try and figure out which one your target is using. So here's EICAR as a Data Matrix QR code.
Here's the Aztec format. You see these a lot on like Amazon packages, UPS boxes, things like that. That's the EICAR string right there. Doesn't look any different than any other one. MaxiCode, you used to see on a lot of UPS or FedEx a long time ago. I think it was UPS. I don't see that on their boxes anymore; I really haven't been paying attention to whether UPS is still using them. MicroPDF417, that's another barcode format that you'll see in a lot of places. There's the EICAR string there. The Han Xin barcode format obviously is one you probably don't see much here, but you might see it overseas a lot. You might see it on electronics components, things like that, that are manufactured overseas. These are some of the ones that I was able to actually encode the complete EICAR string into. There are lots of other barcode formats out there, but most of them will not take the EICAR string because the character space is very limited: in some cases it's just numeric, in some cases it's just alphanumeric, in some cases it doesn't use the extended code character set, so there's no asterisks or slashes or whatever. So what I suggest you do is just go online and look for a barcode generator. There's some really good ones that will show you all the dozens and dozens of different barcode formats out there, and you can put in whatever information you want. There are some that are used specifically for bank transfers, where you put in account details, name, receiving bank, sending bank; you can hide the EICAR string in one of those pretty easily. But beyond the EICAR string, could you take some malicious JavaScript and have a system parse it? Or could you do something as simple as sending someone to a malicious URL?
Yeah, QR code. You sure can. So this is from a paper from many years ago, where if you interpret this QR code it's just, you know, the standard cross-site scripting alert script that you would write to test for the existence of a cross-site scripting vulnerability. So you could use this to try and maybe see if something is vulnerable to cross-site scripting. There are cases of malicious QR codes being used in the past in places like Russia to fool people into signing up for premium SMS scams, like six-dollars-a-message type scams. That's happened in the past. But what other systems might you be able to attack beyond just like barcode scanners? What would happen if you decided to encode the EICAR string into an RFID tag? Automatic teller machines often use Windows underneath. Could you use the payWave slash smart card, you know, the little chip, you know, proximity chip thing that you're seeing in a lot of places around the world, just to quick, you know, tap and go? Could you code this string onto a chip and scan it into the ATM or the payment machine? So I'm not going to try and find out, but maybe someone else will who owns an ATM for experimentation. Railroads: a lot of railroads have been using RFID tags on cargo containers to track cargo movement, and they've been doing it for decades. I first learned about this more than 20 years ago, as I was living in Toronto at the time and there was a main rail line going right by the house I was living at, and we would often go just watch the trains and stuff, and there was a little hut and there was a big Yagi antenna pointed at the tracks, and you could see when a train rolled by it was pointing in such a way, it was just pointing at the front edge of the containers. And doing some reading at the time, they stick RFID tags on the containers to be able to tell customers where their cargo is. So someone wants to know, you know, I've got something that's gotta be in Los Angeles in a week and it's just leaving New Jersey.
I want to see where that thing is moving through the rail network. And the way I was able to confirm it was, I was a much younger guy and much more willing to go ask questions. There was a rail crew working in that little mini hut; I went up and asked them what they were doing, and they literally were happy to explain: oh yeah, this is an RFID system, look, here's the manual, see this? So don't be afraid to ask people, because they typically just think that you're a hacker-spirited person, you just want to learn how things work, right?

So but beyond that, so now a whole bunch of retailers are using RFID tags to both combat theft and to make checking out way faster. So I don't know if you've been in a Uniqlo any time in the recent couple of years, but you literally just walk up to the cash register with your bundle of clothes, you just set it down, and they know within like a second what it is you've got, what sizes they are, and they tally it all up. They don't have to scan each one of these things; really fast. But you can get... so here's some of the Uniqlo tags. They use three different types of RFID tags in their stores. So come back to that in a second, but you can buy, even on Amazon... but you can clone RFID, like, I mean look at the RFID Thief that Bishop Fox made many, many years ago. I'm pretty sure Proxmark 3 can do it. But you can buy, just get anything on AliExpress or Amazon these days. That's a roll of RFID tags you can write to; you buy it on Amazon for two bucks. So it would be very simple to encode the EICAR string into some RFID tags and go see if you could make things stop working.

Um, is this shit legal? Well, I'm not a lawyer, so... but the question really is, what is the legality around walking around with a giant barcode on your backpack and causing random camera systems to crash? I mean, you didn't give them permission to scan your barcode, and why should they be scanning barcodes anyways, right?
Um, but if you decide to start actively scanning things, like you walk up to a cash register, you scan it with the EICAR string and it causes things to crash and they catch on to what you're doing, that's probably not gonna work out well for you. You know, maybe a mischief charge, computer mischief charge, who knows. But if you want to try it out for yourself, I mean, how can you do this? Sticker Mule. Love Sticker Mule. Great place to get small runs of stickers done cheaply, but there are lots of other sites out there that will do stickers for you cheap. Laser labels are great. Remember, QR codes are pretty flexible, or very fault tolerant, as to how rough the scan will be, because you have to remember, like if you put something on a UPS package and it crosses miles of conveyor belts, you know, sometimes those stickers, those QR codes, are gonna get slightly roughed up. So there is quite a bit of error correction inside QR codes too, so you can print them all at home yourself.

So embroidered patches, like I showed in an earlier picture: I sell them, and not for a lot of money. I'm not doing this to make money. Figure out how to find them yourselves; I'm not gonna show them here. Make them yourself; I can share the design with you. If you want to make a whole bunch yourself, reach out to me, I'll tell you who my manufacturer is overseas, and I'll introduce you so you can make a whole bunch of patches yourself. But if you're at DEF CON, DEF CON proper, and not watching this online, come see me at the end of the talk and I'll give you a patch for free, because I've got hundreds of them. And I have a new, special, never really seen before, never released giant EICAR QR string, so come on up, see me, and you can get a patch for free. If you're watching this online, reach out to me on Twitter or something and I'll create a special coupon code for you. So with that being said, as part of the in-person talk, time for questions. For the rest of you, did you find something interesting trying this at home yourself?
Let me know, either on Twitter or you can email richard at goatse.cx. Yes, that's my real email address, goatse.cx. Some of the old-timers will probably get a kick out of the email address, and unless you're a gray beard like me, don't go looking at what goatse.cx is. So thanks for listening. I really appreciate it; it was fantastic to be able to talk to you all today and I look forward to hearing from some of you in the future. Cheers.
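The talk's central point is that a checkout scanner only needs to read a UPC code, yet the terminal accepts any symbology the hardware can decode and hands the payload straight to software that was never expecting it. The following Python is an added example, not code from the talk or from any scanner vendor, showing the kind of input gate an integration layer could put between the scanner driver and everything downstream (POS software, a central database, an AV-protected host). It goes beyond the talk's single checkout case by defining two station profiles: a checkout that accepts only UPC-A with a valid check digit, and a bag-tag reader that accepts only the two-letter-plus-six-digit format the talk describes. Every name here (ScanEvent, ScanProfile, accept_scan, triage and the profile constants) is an assumption, the symbology labels stand in for whatever a real driver reports, the sample scans are constructed, and the antivirus test string is replaced by a labelled placeholder rather than reproduced.

```python
"""Defensive input gate for barcode scanner events.

Added example, not code from the talk. All names are assumed, and the
symbology labels ("UPC-A", "QR", "CODE128") stand in for whatever the
scanner driver actually reports.
"""
import re
from dataclasses import dataclass
from typing import Callable, Tuple


@dataclass(frozen=True)
class ScanEvent:
    symbology: str  # symbology reported by the scanner hardware
    payload: str    # decoded text; untrusted until accept_scan() says otherwise


@dataclass(frozen=True)
class ScanProfile:
    name: str
    symbologies: frozenset  # only the symbologies this station actually needs
    pattern: re.Pattern     # full-match shape of a legitimate payload
    max_len: int            # hard length cap, checked before the regex runs
    extra_checks: Tuple[Callable[[str], bool], ...] = ()


def upca_check_digit_ok(digits: str) -> bool:
    """Validate the 12-digit UPC-A check digit (3 x odd positions + even positions)."""
    if len(digits) != 12 or not digits.isdigit():
        return False
    body, check = digits[:11], int(digits[11])
    odd = sum(int(d) for d in body[0::2])   # positions 1, 3, ..., 11
    even = sum(int(d) for d in body[1::2])  # positions 2, 4, ..., 10
    return (10 - (3 * odd + even) % 10) % 10 == check


# A grocery checkout needs one symbology; nothing else should reach the POS software.
CHECKOUT_PROFILE = ScanProfile(
    name="checkout",
    symbologies=frozenset({"UPC-A"}),
    pattern=re.compile(r"[0-9]{12}"),
    max_len=12,
    extra_checks=(upca_check_digit_ok,),
)

# Bag tags as described in the talk: two airline letters then six digits, 1D symbology.
BAG_TAG_PROFILE = ScanProfile(
    name="bag-tag",
    symbologies=frozenset({"CODE128"}),  # assumed label for the 1D symbology
    pattern=re.compile(r"[A-Z]{2}[0-9]{6}"),
    max_len=8,
)


def accept_scan(event: ScanEvent, profile: ScanProfile) -> Tuple[bool, str]:
    """Return (accepted, reason). Anything rejected here never reaches the back end."""
    if event.symbology not in profile.symbologies:
        return False, f"symbology {event.symbology!r} not enabled for {profile.name}"
    if len(event.payload) > profile.max_len:
        return False, "payload exceeds length cap"
    if not profile.pattern.fullmatch(event.payload):
        return False, "payload does not match expected format"
    for check in profile.extra_checks:
        if not check(event.payload):
            return False, f"failed {check.__name__}"
    return True, "ok"


# Constructed sample scans. The QR payload is a placeholder standing in for the
# antivirus test string; it is deliberately NOT the real EICAR string.
SAMPLE_SCANS = [
    ScanEvent("UPC-A", "036000291452"),              # valid UPC-A
    ScanEvent("UPC-A", "036000291453"),              # wrong check digit (misread)
    ScanEvent("QR", "AV-TEST-STRING-PLACEHOLDER"),   # QR presented at a checkout
    ScanEvent("UPC-A", "036000291452" * 3),          # oversized payload
]


def triage(scans, profile):
    """Apply the gate to a batch; returns [(payload, accepted, reason), ...]."""
    return [(s.payload, *accept_scan(s, profile)) for s in scans]


if __name__ == "__main__":
    for payload, ok, why in triage(SAMPLE_SCANS, CHECKOUT_PROFILE):
        print(f"{'ACCEPT' if ok else 'REJECT'} {payload[:32]!r}: {why}")
```

The order of the checks is deliberate: the symbology allowlist runs first, so a QR payload at a checkout is dropped before its content is even looked at, and the length cap runs before the regex so an oversized payload cannot make the pattern matcher do any work. The same structure covers the talk's parking garage and customs kiosk cases: a station that only ever expects a timestamped ticket or a form-answer blob gets a profile for exactly that shape and nothing else.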