So the live demos are already going great. That promises good stuff for today. I'm Jasper. I'm a technical cybersecurity specialist, but I also do media stuff like podcasts. And fun fact, I started a company this week, which I think is really cool. So I'm also known as Muse. I'm a pentester at KPMG Cyber. I love physical security, I love physical devices, and I really hate writing these small blurbs about myself. So let's go on.

So how do you roll into this? A couple of years ago, one of the major grocers in the Netherlands started handing out loyalty cards. Basically it's a card you get, and if you scan the card before every purchase, you get a small discount on certain products. And it's their entry into the deep big data thing they want to do on all their customers. And I was like, this is interesting. So six years ago I was doing this really naively, and I was like, how can I mess around with this? So I just got like ten bonus cards at the grocery, just got them from the teller. I had a whole stack and just started noting down the numbers. And I noticed that they were all sort of similar: they had just 13 digits, and they all had the same starting sequence. And you could actually use them on the website of the grocer at the time. You just filled in the number, and it would tell you what your last purchases were. There was no other sort of validation. It was interesting. And I noticed a small sort of race condition. Some of the numbers I just randomly made up were instantly declined, and the numbers that were sort of valid took like half a second longer. So I noticed there was a sort of pre-validation, and that actually indicated there was a check bit. So all that taken together, I realized these are actually product codes, the same thing that you have on a pack of cookies. Now the user is the product too. So the nice thing is, this also allowed me to figure out what the conditions were for a valid, we call them bonus cards.
And it was really simple. It needed to be within a certain range, because it's a reserved range in a large database, and it just needed to have a valid check bit. So I could create all the bonus cards. And even funnier, I could create what technically would be the first ever bonus card, because I knew the lower bound, and I could just generate that. So, I don't know, some engineer at that grocer's probably had it as his testing card or something like that. But also random cards. And the funny thing is, even though it was six years ago, they're still valid. I could register them yesterday on the website. This bonus card number is actually the number I got six years ago, because they still allow the ranges. They did change the validation model a bit: you now have to register a proper account, and you just connect the bonus card to your account. So the card doesn't do anything more in terms of access. But they still have all the old ranges, so I could register old cards. But even funnier, even the not-so-valid cards, like 009, 0000, 007, I could still register those as well. And those are not cards I actually had at any point.

So there are also some other attacks with barcodes. And we jump a little bit to QR codes, but we'll regard them a little bit as the same, and we'll come back to that in a moment. For example, what happened in China: a lot of people pay with QR codes. It works a little bit like Tikkie. And what you can do as an adversary, and what's really a problem there as well, is that you can print your own barcodes, paste them over a barcode of, for example, a shop, and then you can just, yeah, well, get the income, steal the income of the shop. And this seems a little bit far from home, maybe, but let me see if it works. Yeah. You can also do this, for example, while shoplifting. So you can paste a barcode over another one, for a cheaper product, and it would work.
And even more modern, you now have those ride-sharing services. And they also have these barcodes. So if you walk up to one of those for the first time, you have this barcode, you scan it, you go to the website, you can download the app, couple your credit card, small exclamation mark. So people also just paste over another QR code to their own portal, where you can enter your credit card details on a malicious site. And if you have a little bit of a lower kind of style for tech, you could even, it's a bit more complicated, but if you want to rent a scooter, you take a picture of the QR code of your scooter, you paste that over another scooter, somebody else pays, and you drive away with your scooter. So in short, a lot of fun things with barcodes, and that started us thinking a little bit. There you go.

So one of the interesting attacks that's also possible, and it sort of builds on the replacing attacks: in Dutch we have statiegeld, or as the Germans know it, Pfand. So we have a deposit on plastic bottles. And it basically means you pay a small fee, you get a plastic bottle with the drink in it, and afterwards you return the bottle for recycling, which is a really high system. There's a whole industry of what they call reverse vending. That's basically, you put the bottle in a machine, the machine scans it, and it gives you a small ticket for your statiegeld, or the amount the bottle was worth. However, in the older version of the systems, the little ticket you got had a barcode on it, and the barcode was nothing else than a product code. And at the end it just said something like zero, two, five, or one, two, five, which just happened to be the amount you were due to get back. So you could actually just replicate, copy, just cut them out again, or even create your own barcodes. And this was really popular among students. I think that 10, 15 years ago, many drink budgets for students were subsidized by this kind of thing.
But nowadays they changed it. So it's a unique ID. You get a barcode, and that's actually the transaction ID. And the system, the reverse vending machine, is connected to the teller. So you get a code that's valid for one-time use. It gets scanned, you get the amount that's connected to it, and it also has a limited validity. And this is actually interesting, because the tickets, legally, are sort of valid for five years, but the machine actually doesn't maintain more than about two weeks of codes. So if you ever forget one of your tickets, you'll bring it to the teller, they'll say, oh, I can scan it, the computer says no, and you'll have to go to the help desk, because they actually can still validate those tickets. But it's just because they had to do some kind of fix to make it more secure. At least that's how I think it works. I mean, you never know. You hope they learned at some point. Yeah.

So the picture is not great, but I also wanted to touch on this example. This was a couple of years ago. There was also a DEF CON talk, and it's about flight tickets, because they also use standardized barcodes on flight tickets. And what's funny is that there's all kinds of fun information printed on it as well. I hope you can see it. I think not. But stuff like your name, your flight number, your destination, where you're flying from, your seat, et cetera. So if you want to know more about this, you could edit it. I don't know if that's still possible, but you could just change your flight details. Or for example, if other people post a picture on Instagram with their flight details, you also get the name and some flight details. And on most websites, with just these details, you can also log in and see more information about your account with the flight operator. So a lot of fun. So those were all fun things that you could do with barcodes. So then we dove a little bit deeper into this barcode phenomenon. There we go.
Let's dive a bit deeper into how barcodes work, or what they actually are. So what are barcodes? It's actually machine-readable information. It's made to be read by a machine, and the data is encoded in the variations in the width and spacing. So originally this was patented in, I think, 1951, and the concept was based sort of on Morse code. So the guy that made it up was thinking, like Morse code, it has a nice sort of pattern, and they actually created barcodes with that idea. And it's really old, so there's a lot of fun legacy stuff in there. It's still in use nowadays because there's nothing else that's as readable, or as quickly readable, as barcodes. I think even at the time something like British Railways found a way to read barcodes on the side of containers while they were going like 100 miles an hour or something like that. They were actually scanning trains in transit. And the nice thing about this barcode is that technically it has like a 99.9% fault tolerance, but only vertically. So you always see it will get cut through the middle.

So we have two kinds of barcode shapes. We have what we call the one-dimensional barcodes, which are the regular striped ones that you know, and we have the 2D barcodes. And the 2D barcodes are the newer ones that we've all grown a bit more familiar with, like QR codes; we have Aztec, we have Data Matrix, we have DotCode. And they're all different ways of encoding data. And the sort of overarching feature is they're all standards. So there's no global way of how to put data in there. It's always somebody who made a definition of how to encode it, who says you put the data in like this. For instance, with the QR code you have masking. And it describes how data should be stored in the barcodes. And if you look at the 1D barcode, for instance, and we'll get to that later as well, you have, and these are a couple of examples, the code definitions.
The nice thing is, for the 2D barcodes, they actually have proper fault tolerance. So you can miss like 75% of the QR code and it will still be readable, because the data can be reconstructed. So it's all standard. We have something like Code 128, which is an encoding standard for barcodes. And it also includes check bits. So when you scan the barcode, the scanner actually knows: did I read this correctly? And it also knows whether it read it upside down or not. You have Code 39, which is really interesting because it's more like a font-style barcode. So the problem is the data density isn't that large, because basically it has a specific barcode character, a combination of stripes, for every single character it wants to encode. And it's built in such a way that if you scan it halfway in between the characters, so that you get the last bit of the first character and the first bit of the second character, those don't combine into a proper character. So there's no way to misread it. And this is used in a lot of legacy applications, because you don't actually need to calculate a barcode. You can just put a font on a system and let it print whatever number you originally wanted to print. So different encodings, different uses. We have the UPC codes, which are the product codes as well, which we've already seen.

Well, now we've talked about the barcodes themselves. But now we're going to talk a little bit about the scanners. It looks like this. I think you have seen one. And I have a question about that for you to think about for a moment. So if you were a vendor and you wanted to create a cheap barcode scanner, how would you make it? Just maybe think about that for a little moment. Probably you want to have a USB port, because that's very popular. Maybe a serial connection of some sort, right? Well, actually no, because most barcode scanners are keyboards. So what does that actually mean? The barcode scanner registers itself as a keyboard to the computer.
And this is not a crazy, weird setting that you need to set. This is the default mode for almost all modern barcode scanners that you can buy. What it does, if you scan a regular barcode, so for example a product number, is it types in that product number and presses Enter. What could go wrong? So yes, USB HID devices. What could go wrong? So technically it works as a keyboard. Yeah, so then the next question is, how do you think you would configure such a barcode scanner? Maybe you're thinking about proprietary tooling, maybe some hardware hacking. Well, yeah, all right. Of course you scan barcodes. So we have these huge manuals, actually, a lot of fun. Most of them are in Chinese. So at the top right you see Rob trying to decipher some of the text that's beneath them. But you configure the barcode scanners with barcodes. That's convenient. User-accessible, even if you don't want it. And most of the barcode scanners are, in the end, input devices facing a user. So you can, well, input everything you want, in theory. So for example, some of the more interesting codes we found in the booklets are, you can already see them, factory resets. You can switch the character sets of barcodes. Very fun. Maybe we'll see that in a moment as well. You can switch to the serial mode. But a lot of people and developers don't do that, because that's very complicated nowadays, and you have to download this shady driver from this Chinese website that enables that. Or the other way around, of course: you as a developer set it up in serial mode, think you're secure, and we just scan the USB-mode barcode and change character sets. Interesting. Let me see. Next one.

So I think now is our first demo time. Hit it. What could go wrong? So just give a second for the camera. So let's take a regular sort of barcode. So hold on for a sec. Demo effect, no. Shall I explain the setup a little bit while you counter the demo effect today? So we have a small e-ink reader. And we prepared some barcodes for the demo today.
And Rob is now quickly resetting the thing. And what you're going to see on the screen is a Notepad window. And on the camera, you can see that we're scanning something. So let's imagine this is like your generic self-checkout teller machine. So I just scan a regular barcode and it says, test 1, 2, 3, 4. It works. Perfect. That's what you want. Now I'll actually go to the manual of this device. And it has this really nice barcode that says, put me into serial mode. It gave a nice beep. So apparently it worked. And now none of the barcodes will print out anymore. So this is just a really simple denial-of-service attack. We just set it into a mode that's not configured on the receiving system, and all the barcodes will fail from this. We put it back to USB mode, and it will work again.

So now the next one. And this is actually credit to Pila at TechInc. So in the manuals, we found language modes. And we were like, why is there a language mode in here? Why do you need a language for a scanner? And then we figured out, wait a minute. It's a USB scanner that acts as a USB HID device. And it communicates scan codes to the host system. And then it uses key mapping. And then it's text. So that actually means that the key mapping on your machine matters? Well, so what can go wrong? So I have another demo barcode. And let's put the camera on there. Thanks. It's fun to see you close. So what could go wrong? I don't know. But let's change my key mapping to something that a lot of hackers use, Dvorak. Yes, OK, now we know what can go wrong. Let's put it back, because otherwise I'm helplessly lost.

All right, so now let's look at another interesting property. So a little bit before in the presentation, you saw that we had different kinds of standards for printing the barcodes, but also some different standards for how the data is being interpreted. One popular one is Code 128. And what it basically does is it maps 128 character positions to the ASCII table.
I printed the ASCII table for you. And well, what we think happened is some vendors of those devices were looking at this table and were like, especially this half of the table, that works. Yeah, we don't use those characters anymore, right? All serial legacy stuff. We're modern now. We use USB. Yeah, so the vendors, we think, thought we can swap those characters out for some more interesting combinations. Something more useful. Maybe Control and a key, Control-Shift and a key, et cetera. We really like it when vendors do this. And what's funny to mention is that there's no standard for this. So we have a couple of barcode scanners here. They all work differently. So probably the vendors thought, well, what are good keys to use? Let's just put them there, document it nowhere in the world, let's give the user all the options. Yeah, so then the next question would be, of course: what could go wrong? Let me see.

So let's put up the next demo. This is our most sophisticated demo. So I hope the demo gods will be with us. We created a small, well, web shop portal, put a lot of effort into it yesterday evening. Lots of coding. So imagine. But this is how it might actually work. Like you have just a single computer in kiosk mode, and it basically has this sort of thing where, please use the scanner that's next to the thing and scan your products before you leave. So then the question is, what fun things could we do with especially this barcode scanner and this very simple software? So we split it into different parts. So I'll walk you through some of the fun steps that we came up with. But this is just an example. So we prepared some of the barcodes. Let's scan the first one. I think this is Control-L. So then most POS systems based on a browser already fail a little bit. So OK, what can we do next? Let me see. Open scans. OK, proceed with caution. That's probably good. Right, we can go to the configuration of Firefox. I think we can enhance the security for this web shop.
Well, it was pretty secure, right? Until we connected the scanner, of course. All right, let's see if we can do a little bit more. We can actually... Yeah, we just skipped the warning. We skipped the warning. Maybe we can search some interesting preferences also with a barcode. That would be cool. An HTTP proxy. Let's see if we can set that. It's actually the time. Would be fun. This is the most difficult barcode. Identity barcodes. Aha. So with just a couple of barcodes and no further interaction with the machine, we could actually overwrite these proxy settings, which I think is pretty cool. Let's put them back, because I think I'm actually using an online PowerPoint slide. So this will probably mess up everything. Oh, no. All right, so let's...

So I hope you enjoyed this. If you liked this, there are a lot more people who, when we were still like babies, already dove into this. There's a really cool talk by Felix Lindner. He did a talk at DEF CON 16 and Chaos Computer Congress where he actually dove more into the barcodes themselves, but also the system behind the implementation. So don't forget, it talks directly to a backend system. So if it puts it directly into a database, code injection is possible. He has a lot of nice examples. Another talk was given by Michael Weston Colin Campbell. This was at DEF CON 26, which was a couple of years ago. And we found it while researching this topic a bit more for this presentation. They actually made a framework for generating malicious barcodes, sort of like a Rubber Ducky, they call it, so it's a Rubber Ducky for barcodes. Unfortunately, we couldn't get it to work, but it needs a bit of love and care. It's five years since the last commit. But you could probably get it to work with a bit of work. And we used a simple JavaScript barcode generator, because we needed quick barcodes. We actually used e-ink because some of the scanners are a bit finicky about what kind of surface you scan them from.
So if you have troubles, print them out or use something like e-ink. And we used a simple JavaScript barcode generator for that. So no. OK.

So some things to take home from this presentation. Always sanitize your inputs. Even USB devices, whatever they might be, are input devices. They can be manipulated. So never think that something is secure. A lot of the stuff that you find in those barcode scanners is undocumented. So always check that. And even funnier, this barcode scanner, I could not find a serial number on it. I even unscrewed it, looked at the PCB. There's nothing on there. He almost demolished the thing yesterday before the presentation in order to still find the serial number. But he couldn't find it. Default configurations are scary. Don't trust those. Because by default, all the scanners we tested are quite vulnerable to these attacks. It always depends on what kind of hardware you got, so the scanner, and also what tool you have. The demo we showed is interesting. We have also seen this kind of stuff in practice. So it's not just a demo, but also, yeah, well, we've seen it, unfortunately. And user-available configuration barcodes are even scarier, and be mindful of that. I think you should never want this kind of feature in a barcode scanner, but that's just me. And a lot of barcode formats support special characters. So always be wary of that one as well. And of course, everything is an input device. This was the talk. Thank you very much. We'll have barcodes.

So to add a little bit: after our presentation, there will be a break, and we will be at the stands, I think somewhere over there. We have some more barcode scanners with us. So if you would like to try some of the stuff we showed, or have ideas or anything you want to talk about, join us there. We have quite a lot of barcode scanners.
So if you're interested, and like we said, every implementation is different, so we don't even know all the secrets of all the barcode scanners we own ourselves. So even if you want to test your own barcode scanner, you can, well, bring it. You can have a look, at least, at what their special mapping for the first 20 characters of ASCII will be. Any questions? I think there's room. As there's time left, we can have a question and answer.

Are there any questions from the internet already? No. Would the audience please go to the microphone in the middle so that you are heard by all? Perfect. That's quite a hair.

Thank you for the great talk. I think the most obvious question would be, how possible is it to attack the local supermarket?

That one is still on our bucket list to try. We haven't actually yet. So it really depends on whoever implemented the systems, because they basically ask somebody, can you give us a machine that talks to this, that's like this? And there's somebody there in engineering that's responsible for hooking it all up together. And if they know their stuff and they're like, I want to spend extra time on this and use a serial connection or something like that, have a dedicated channel, it might be a lot more difficult. But even then, if it's hooked up through USB and somebody puts the USB-mode barcode on the scanner, it will switch to a keyboard. So in the end, I wouldn't say, hey, a certain grocer is vulnerable. It really depends on what kind of system they bought, what kind of measures are in there. And even in one of the examples that we had, where we were testing a system like that, we told the vendor, hey, we use this combination of hotkeys to actually move out of your environment. They're like, didn't we block all that? And then the engineer was, no, we blocked Ctrl-Alt-Delete. But we didn't block Alt, move down, minimize. So there are always options.
And I think to add to that, I think no one here ran out of the room like, oh, shit, I need to check my barcode scanner. So I hope, well, it won't be a problem though. But I think the only way to really check it is if you would just, well, print barcodes and scan them. But it's also a little bit, if you would crash something, it's a bit not nice. Difficult. Okay. Next question, please.

Hi. A bit out of scope, but have you verified mobile applications as well, that allow you to scan barcodes on your mobile phone?

No, we haven't. But I actually know of a really good attack. And this is my stupid brain: I know the attack still, I don't know who to give credit to. There's this guy that actually found out that in QR codes, Unicode characters are all supported. And he actually was able to put a reverse reading direction into a barcode. So his barcode read something like mock.lgoog, question mark, and then his website, all in reverse. So if you scanned it, it looked like google.com, question mark, reversed malicious website. So he was able to create a QR code that would, in the display of the app, show the reverse reading direction. But when you clicked follow link, it would actually follow the reverse one, which was his malicious website. So. And I secretly think, so this is just an introduction. So I think if you would dive into it even more, there's a whole world of madness behind it. It depends on the implementation, whatever the app maker did. I hope they fixed that Unicode thing now. I don't actually know. OK.

And we have time for one more question. So. Perfect.

How much did you research public QR code scanners? Because I feel like those are more vulnerable to these kinds of attacks.

So the funny thing about a lot of the QR code scanners is that they also support 1D barcodes. So we never actually needed to do something. So QR codes have been more difficult, because basically they're just raw text, well, Unicode, but raw text. So they don't have control characters.
So no Control, Alt, Super keys or whatever. However, all those scanners, if they support 2D, probably have backwards compatibility with 1D. They also support all the encoding sets. And if it's disabled, you can just re-enable it by scanning the proper barcodes. So. So we only kind of had to focus on the 1D barcodes yet and still. Well, I have a QR code for you to scan if you're daring enough. Perfect. Find us after the talk. In a few minutes we'll be here. Thank you.

So thank you very much for this very entertaining talk. Give them a warm round of applause again, please. Thank you.
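Editor's worked example, appended after the transcript and not code shown by the speakers: the two encodings the talk leans on, in one runnable Python file. `ean13_check_digit` is the GS1 mod-10 check digit that made the loyalty-card numbers predictable (the card prefix `262` and the 9-digit serial layout are constructed assumptions; the talk does not give the real range). `code128_encode`/`code128_decode` implement Code 128 code sets A and B with the symbol check character; set A is where the ASCII control characters 0x00-0x1F live, which is what the vendors' undocumented hotkey mappings act on. `accept_card_scan` is the host-side check the talk's "always sanitize your inputs" takeaway calls for. The `\x0c` (Ctrl-L) payload is constructed to mirror the first demo barcode.

```python
"""Added example (not from the talk): GS1/EAN-13 check digit, Code 128 sets A/B,
and a host-side validator for a scanner acting as a USB keyboard. The card
prefix, serial layout and the Ctrl-L payload below are constructed."""

from typing import List

CODE128_START_A, CODE128_START_B, CODE128_STOP = 103, 104, 106
CODE128_CODE_B, CODE128_CODE_A = 100, 101   # set-switch codewords (seen in set A / set B)
CARD_PREFIX = "262"                         # constructed; the real prefix is not in the talk


def ean13_check_digit(payload: str) -> str:
    """GS1 mod-10 check digit: weight 1 on odd positions, 3 on even (left to right)."""
    if len(payload) != 12 or not payload.isdigit():
        raise ValueError("EAN-13 payload must be exactly 12 digits")
    total = sum(int(d) * (3 if i % 2 else 1) for i, d in enumerate(payload))
    return str((10 - total % 10) % 10)


def ean13_is_valid(code: str) -> bool:
    return len(code) == 13 and code.isdigit() and ean13_check_digit(code[:12]) == code[12]


def loyalty_card(serial: int) -> str:
    """N-th card of a reserved block: prefix + zero-padded serial + check digit.
    Once the block bounds are known, every valid card can be generated this way."""
    payload = f"{CARD_PREFIX}{serial:09d}"
    return payload + ean13_check_digit(payload)


def code128_encode(text: str) -> List[int]:
    """Codeword values for TEXT in code sets A/B, switching sets when needed.
    Set A: 0-63 = ASCII 32-95, 64-95 = control chars 0-31. Set B: 0-95 = ASCII 32-127."""
    if any(ord(c) > 127 for c in text):
        raise ValueError("plain Code 128 carries ASCII only")
    current = "A" if text and ord(text[0]) < 32 else "B"
    words = [CODE128_START_A if current == "A" else CODE128_START_B]
    for ch in text:
        o = ord(ch)
        if o < 32:                          # control character: set A only
            if current != "A":
                words.append(CODE128_CODE_A)
                current = "A"
            words.append(o + 64)
        elif o > 95:                        # lowercase and above: set B only
            if current != "B":
                words.append(CODE128_CODE_B)
                current = "B"
            words.append(o - 32)
        else:                               # 32-95: same value in both sets
            words.append(o - 32)
    check = (words[0] + sum(i * w for i, w in enumerate(words[1:], 1))) % 103
    return words + [check, CODE128_STOP]


def code128_decode(words: List[int]) -> str:
    """Scanner side: verify the symbol check character, then map codewords back.
    A control character in the result is what the keyboard wedge delivers as a
    hotkey, so the returned string is untrusted input for the host."""
    if len(words) < 3 or words[-1] != CODE128_STOP:
        raise ValueError("missing stop character")
    body, check = words[:-2], words[-2]
    if check != (body[0] + sum(i * w for i, w in enumerate(body[1:], 1))) % 103:
        raise ValueError("symbol check character mismatch")
    if body[0] not in (CODE128_START_A, CODE128_START_B):
        raise ValueError("only code sets A and B are handled here")
    current = "A" if body[0] == CODE128_START_A else "B"
    out = []
    for w in body[1:]:
        if (w, current) == (CODE128_CODE_A, "B"):
            current = "A"
            continue
        if (w, current) == (CODE128_CODE_B, "A"):
            current = "B"
            continue
        if w >= 96:
            raise ValueError(f"FNC/shift codeword {w} not handled")
        out.append(chr(w - 64) if current == "A" and w >= 64 else chr(w + 32))
    return "".join(out)


CONTROL_CHARS = {chr(i) for i in range(32)} | {chr(127)}


def accept_card_scan(scanned: str) -> bool:
    """Host-side check for a loyalty-card field: exactly 13 digits with a valid
    check digit, so remapped control characters and free text never pass."""
    return not (set(scanned) & CONTROL_CHARS) and ean13_is_valid(scanned)


if __name__ == "__main__":
    card = loyalty_card(1)
    print(card, ean13_is_valid(card))
    hostile = "\x0cabout:config"    # constructed: Ctrl-L (form feed) followed by text
    words = code128_encode(hostile)
    print(words, repr(code128_decode(words)))
    print(accept_card_scan(card), accept_card_scan(code128_decode(words)))
```

The encoder switches sets greedily rather than optimally, which is valid Code 128 but not always the shortest symbol; the point is that a control character costs nothing more than a set switch, so the receiving application, not the scanner, has to decide what it accepts.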