24C3: Barcode systems susceptible to serious hacker attacks
According to experts, the barcodes that our highly automated business world could now hardly do without often have serious security holes. In particular, one- and two-dimensional barcode and matrix-code systems are open to common hacker attacks and to experiments that have had variable results. This was stated by "FX" of the Phenoelit group at the 24th Chaos Communication Congress (24C3) in Berlin on Friday evening. Frequently, he said, all you had to do was simply copy "used" barcodes in a copyshop, or scan them in and print them out.
The idea of doing deeper scientific research into the world of barcodes occurred to Phenoelit's security testers after having their own fingers burnt by that. At one of their "PH Neutral" conferences they used one-dimensional barcodes on the admission cards which were coupled with a payment function for buying drinks and could be loaded up with credit. One of the resourceful visitors to the meeting simply copied one of these "alcohol coupons". According to FX, his only error was to do it with the pass of the only drinker who had already exhausted his credit balance.
Undaunted by this early mistake, the hackers experimented eagerly from then on, initially working on one-dimensional barcodes. These were developed in 1948 and, in the form of the European Article Number (EAN), or in the USA the Universal Product Code (UPC), were the basis of the scanner checkouts that first appeared in the 1970s. The hackers found out that a season ticket to a multistorey car park in Dresden was based on a simple barcode and that the tickets issued were not checked by a background computer system, making it easy to get free parking.
FX said that in Germany there was also a similar lack of feedback between automatic returnable bottle machines and dealers' point-of-sale systems. Another presentation at the congress had already brought this to the attention of desperate budget hackers. This, he said, had been discovered long ago by the capital's punks. It had emerged at the same time, he went on, that five digits in the sequence of numbers below the barcode on the credit slips issued by these automatic machines gave the value of the empties. So, in theory, you could not only copy the slips, but also generate your own figures, and these could even be for quite high values. But, he added, the retailing chains were now, as a rule, printing the deposit values on watermarked paper in order to bar that kind of activity.
Anyone wanting to look more closely at how barcodes are constructed and read out - one-dimensional barcodes at least - can find a wide range of software for generating those character strings that look so cryptic at first sight, such as the freely available program GNU Barcode. FX emphasized that it was not difficult to write your own generator. The specifications for individual barcode symbologies that were required for doing it could be had, he said, for around 20 USD. On the other hand, he said, readers and scanners for deciphering two-dimensional barcodes were still comparatively expensive, whereas the decoding software was either free, easy to acquire, or easy to crack. Reconfiguring the scanners was also an easy task, he added. They could be linked to a computer as a keyboard or via a serial interface.
Thus equipped, FX tested the access system of an automatically operated DVD hire shop near his home. This actually demanded a biometric check as well, but he simply refused it. There remained a membership card with barcode, membership number and PIN. After studying the significance of the bar sequences and the linear digit combinations underneath, FX managed to obtain DVDs that other clients had already paid for, but had not yet taken away. Automated attacks on systems were also possible, he claimed. But you had to remember not to use your own membership number.
Scanners, too, proved to be open to common hacker attacks. FX described the fundamental principles behind a variety of attacks. "Let's suppose you get 14 digits out of the reading process. But at the same time you can insert your own digits arbitrarily". This, he said, would let you exploit holes connected with SQL databases in the back-end area (SQL Injection) or carry out Format String Attacks. The newer the reader, the more complicated would be the systems working in the background and the easier it would be to hack them. By printing out barcodes at increased resolution and simultaneously inserting surplus character strings, you could moreover flood the database memory and bring it to a standstill with buffer overflows.
According to FX, particularly gaping security holes can be found in most forms of "Mobile Tagging". Using a mobile phone incorporating a camera, a two-dimensional barcode such as QR or DataMatrix is photographed, decoded on the mobile phone with commercially available software, and the information derived is passed on. This is mainly intended to save the user having to type in lengthy Web addresses on a small mobile-phone keyboard. The Semapedia technique for linking public sights with Wikipedia entries uses this process, as do more and more newspapers wanting to send mobile surfers to their online content or to advertisements on the Internet.
In Germany, "Welt kompakt" is among the pioneers in mobile tagging, something the Phenoelit experts have not overlooked. They discovered that the mechanism is ideal for Cross Site Scripting (XSS). This is an attack that normally exploits vulnerabilities in Web sites: untrusted content, perhaps in the form of malicious script code, is embedded in a page that the user regards, in principle, as trustworthy. Passwords or account data, for example, can then be captured by phishing. With "cross newspaper scripting" on the mobile phone, you would only have to "rent" one barcode slot in a print product and insert a link behind it to a kit containing malicious software - and that would give you some form of control over large numbers of iPhones and other mobile devices.
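The common thread of the scanner attacks FX describes above and of the mobile-tagging problem is that the back end treats whatever the decoder hands it as trusted data. The following is an added example (not code from the article or from Phenoelit) of the defensive counterpart: a checkout back end that only accepts a scan if it is a well-formed EAN-13 with a correct check digit and then binds the value into a parameterized query instead of pasting it into SQL, plus a tag-reader check that only opens an https URL whose host is on an allowlist. The article table, the prices, the allowlisted hosts and the key choices are all constructed for the example.

```python
"""Treating decoded barcode content as untrusted input (added example)."""
import re
import sqlite3
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts a tag-reader app is willing to open.
ALLOWED_HOSTS = {"example.org", "www.example.org"}


def ean13_check_digit(digits12: str) -> int:
    """EAN-13 check digit: weight 1 on odd positions, 3 on even positions
    (counted from the left, 1-based) over the first 12 digits."""
    total = sum(int(d) * (3 if i % 2 else 1) for i, d in enumerate(digits12))
    return (10 - total % 10) % 10


def is_valid_ean13(code: str) -> bool:
    """Accept only exactly 13 ASCII digits whose check digit is consistent.
    Anything longer, shorter or non-numeric (the 'insert your own digits'
    case from the talk) is rejected before it reaches the database."""
    if not re.fullmatch(r"[0-9]{13}", code):
        return False
    return ean13_check_digit(code[:12]) == int(code[12])


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory article table standing in for a POS back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (ean TEXT PRIMARY KEY, price_cents INTEGER)")
    conn.execute("INSERT INTO articles VALUES (?, ?)", ("4006381333931", 199))
    return conn


def lookup_price(conn: sqlite3.Connection, scanned: str):
    """Look an article up only after validation, binding the value as a
    parameter so the scan text is never interpreted as SQL."""
    if not is_valid_ean13(scanned):
        raise ValueError("rejected scan: not a well-formed EAN-13")
    row = conn.execute(
        "SELECT price_cents FROM articles WHERE ean = ?", (scanned,)
    ).fetchone()
    return row[0] if row else None


def safe_tag_url(decoded: str):
    """Return the URL a tag reader may open, or None if the decoded 2-D code
    payload is not an https URL pointing at an allowlisted host."""
    parts = urlsplit(decoded.strip())
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return None
    return parts.geturl()


if __name__ == "__main__":
    conn = demo_db()
    print(lookup_price(conn, "4006381333931"))            # 199
    print(is_valid_ean13("4006381333932"))                # False: bad check digit
    print(safe_tag_url("https://www.example.org/a/1"))    # opened
    print(safe_tag_url("https://other.example.net/a/1"))  # None: host not allowlisted
```

The check digit is not a security feature (anyone can compute it), but together with the strict length and character-class test it turns the scan into a fixed-shape value that can only ever be a lookup key; the parameter binding is what actually keeps SQL injection out, and the same pattern applies to any other format the scanner emits.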
The boarding passes that are now commonly printed out from the Internet, containing two-dimensional codes to indicate the flight and booking numbers as well as the class of seat, are favourite playgrounds according to FX. By linking to the barcodes on baggage labels, you could use them to foist the wrong suitcases, perhaps filled with bomb materials, on passengers, thus branding them as potential terrorists. The two-dimensional codes used by many postal organizations as substitutes for postage stamps are also open for experiments according to FX. The Phenoelites say that, by contrast, they have so far been unsuccessful in their attempts to crack the package collection slips used at the German Post Office's parcel stations, and the online tickets used by German railways. The two-dimensional codes of the latter have clearly been secured additionally with encryption methods, said FX, and this was something he strongly urged as a general practice for the proponents of automation. A check on the correctness of the processing sequence was moreover indispensable with all barcode systems. (Stefan Krempl)
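The two countermeasures FX recommends at the end, cryptographic protection of the 2-D code content and a back-end check on the processing sequence, can be shown together. The article does not say which method the railway tickets use, so the added example below (not code from the article or from Phenoelit) uses a keyed HMAC-SHA256 tag over the ticket fields as one such method, and a small gate object that redeems a ticket only if its serial was issued by this back end and has not been redeemed before. The key, the serials and the ticket fields are constructed for the example.

```python
"""Signed 2-D code payloads plus a redemption-sequence check (added example)."""
import hashlib
import hmac
import json

# Constructed issuer secret; a real deployment would load this from a key store.
ISSUER_KEY = b"constructed-demo-key-not-for-production"


def issue_ticket(key: bytes, fields: dict) -> str:
    """Serialise the ticket fields canonically and append an HMAC-SHA256 tag.
    The returned string is what would be encoded into the 2-D code."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def verify_ticket(key: bytes, payload: str):
    """Return the ticket fields if the tag is genuine, else None.
    Any edit to the fields (seat, class, serial) invalidates the tag."""
    body, sep, tag = payload.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


class Gate:
    """Back-end state for the 'processing sequence' check: a ticket is
    accepted only if this issuer created it and it has not been used yet.
    A photocopy carries a valid tag, so the signature alone would not catch it;
    the redeemed-set does."""

    def __init__(self, key: bytes):
        self.key = key
        self.issued = set()
        self.redeemed = set()

    def issue(self, serial: str, **fields) -> str:
        fields["serial"] = serial
        self.issued.add(serial)
        return issue_ticket(self.key, fields)

    def redeem(self, payload: str) -> str:
        fields = verify_ticket(self.key, payload)
        if fields is None:
            return "bad signature"
        serial = fields.get("serial")
        if serial not in self.issued:
            return "unknown serial"
        if serial in self.redeemed:
            return "already redeemed"
        self.redeemed.add(serial)
        return "ok"


if __name__ == "__main__":
    gate = Gate(ISSUER_KEY)
    ticket = gate.issue("T-0001", train="constructed", seat="42")
    print(gate.redeem(ticket))   # ok
    print(gate.redeem(ticket))   # already redeemed (a copied ticket)
```

The MAC covers the integrity goal (no one without the key can alter or mint a payload), while the issued/redeemed state covers the sequence goal that the car-park and bottle-return systems in the article lacked: even a perfect copy of a genuine code is refused the second time it is presented.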