
Barcode scanners are disguised windows to your Windows

BSides TLV · 2023 · 26:37 · 127 views · Published 2023-07
Style: Talk
About this talk
Paz Hameiri speaking at BSidesTLV 2023: Barcode scanners are disguised windows to your Windows
Transcript [en]

Now we're going to have a really fun talk. Did you notice when you walked in we scanned your QR codes? Any of you Quick Draw, you had your QR codes ready for scanning. This next talk is all about scanning barcodes and QR codes, and how these QR codes that we are scanning all around are actually a window to your soul. Well, maybe not to your soul, but to the secrets on your computers and to your Windows. So I'd like you to help me welcome to the stage a first-time speaker for BSides Tel Aviv, but a very experienced speaker, Paz. Now I want to tell everybody a little bit about you. How are you doing today? I'm great. We're so happy to have you on our stage today. Let's smile to the camera right down there, big smile, teeth, Tuesday smile, yeah, that's good. So Paz has more than 30 years of experience. 30 years of experience, 3-0, 30 years of experience, and he started hacking with video games, computer games, and with developing tools when he was just a teenager. That's awesome, so we actually have that in common, because I was hacking video games and doing fun stuff in the 90s too. 80s, 90s. 80s, okay, so you got a little bit more experience than I do, all right. And Paz also worked as a systems engineer, not on land, not on sea; he's an aerospace engineer, right? Are you going to take us into space today? Hopefully cyberspace. All right, let's give it up for Paz, all you cowboys and cowgirls. The stage is yours. The clicker is here, the timer is there, the audience is there.

All right, hi everyone, my name is Paz, and I'll talk about barcode scanners and malicious barcodes, if this would work. Yeah, that is a naughty clicker. Naughty clicker, please behave. No battery. Okay, this happens, but we're professionals, don't panic, don't panic, and while you work on that, we're working on it. So meanwhile, I got stickers, y'all. So while we were... don't look over there. Anybody wants some BSides limited edition stickers? Well, you better come down here and get them, because the stickers ain't coming over there, you gotta come down here and sit down next to me right there. Yeah, you're a speaker, you know, sit down there. Oh, you are a speaker, weren't you? Yes, okay, we're good. You got stickers? I want you all to sit down here, okay, okay. But now, now that's it, last one, yeah, that's it, okay. All good now with the clicker? Yeah, you see, the distraction, it's all professionalism here. All right, sayonara, the stage is yours.

Okay, so again, I'm Paz, and this is my talk about barcode scanners and malicious barcodes. A few words about myself: I've been a systems engineer for a very long time, almost 15 years. I have a master's degree in electro-optical engineering. I'm a former DEF CON 29 speaker, and as Karen mentioned, I started my career very early. As a kid I was programming, hacking games, creating tools for hacking, and I'm still doing it at home today.

So, barcodes. Barcodes are everywhere, you know it, you've seen it, you've just been scanned at the entry here. It was patented in 1952, a very interesting patent; read it, you won't expect what you'll read there, it's a bit different than the barcode you know today. And the first scan was in 1974. It took the industry 20 years to understand what to do with barcodes. They got a very good clue and the patent was issued, but it was established slowly, and today we are surrounded by barcodes. Each one of these products has a barcode on it, you've got the barcodes on you right now on your phones, and it's everywhere, and so are the barcode scanners. For the one-dimensional barcodes there is a very established industry with a lot of standards: the UPC for retail, the Code 128 for the supply chain, and a lot of standards, a very established industry. Two-dimensional barcodes entered in the last years of the millennium. Data Matrix came first, the QR code came last, and there are a lot more standards, but these are the main standards that we are using today. And they brought two improvements. One was the inherent error correction: if the barcode scanner is currently scanning a barcode and the barcode isn't really clear, the inherent error correction will help it to encode the barcode. And the other advantage was that you get greater volumes at lower size, and you can see here the numbers for Data Matrix and QR code, and it's a lot of information in a very small symbol.

The common two-dimensional barcode scanners come with a USB cable, which is not surprising, and most of these devices are configured to emulate the keyboard when plugged into the computer. So when the two-dimensional barcode scanner is scanning a barcode, it decodes the ASCII code and sends it into the computer, and if it's in a keyboard emulation mode it will enter as if it was typed. All of these can of course scan alphanumeric characters, and these are all printable characters. As for non-printable characters, it can also scan them, but each barcode scanner will interpret them differently, and in the non-printable ASCII characters you can find the modifier keys like Tab and Enter and Control, and the navigation keys like Insert, Home and End. All of these devices, almost all of these devices, are programmable. If you want to program a barcode scanner, then you go to the manufacturer, you get a special programming barcode, and you can scan it and program your barcode scanner on your own.

And for me as a hacker, when I look at this device I'm asking myself: can you emulate Windows keyboard shortcuts? And the answer is yes. Great. Here you can see the simplest keyboard shortcuts that you can get. For example, you've got the Ctrl+Esc: if you emulate Ctrl+Esc, write cmd, press Enter, you'll get the command line. PowerShell is very similar, and on the right you can see the Task Manager, two different ways to get into the Task Manager. The Task Manager is very important, because if you want to probe the computer that you are about to attack, you want to gather as much information as you can, and in the Task Manager you get all the running services and all the running applications and much more data. It is a very useful application to gather information.

I spoke earlier about control keys. You need control keys if you want to use the Windows keyboard shortcuts. So different barcode scanners, as I said earlier, have the ability to emulate control keys by reading specific ASCII codes, but you need to know which model you are using in order to create the right barcode and then have the right script injected into the computer. And since different models have different ASCII codes, you need to identify the model that you are going to attack. In most cases it is written on the barcode scanner, and if it's not, you can go to the internet and look at similar barcode scanners to the one you saw, create a few malicious barcodes, test them on the barcode scanner, and if one of them works then, hey, you got the set correct.

When you are attacking a system, you are entering a command, and then you have to wait for the command to be executed, and then you need to create a pause. And the pause could be created in two ways: either you can program it into the barcode scanner, and there's a lot of work on that already published, or the other way is just to click on a non-important key. For example, if you are writing a command and pressing Enter and waiting for the command line window to pop up, then in the meantime you can press Insert, and press Insert again, and Insert and Insert and Insert. Windows will collaborate; it will enter into insert mode and then it will get out, and insert again and get out, and in the meantime it's working on the last command that you sent. And it's a very useful tool to create pauses. When you're creating pauses in this way, you have to remember two things. One, you're depending on the model, the barcode scanner model: some are faster by default, some are slower by default. You can program the entry rate, but you have to take it into account. And the computers themselves: it may be a slow computer or a faster computer, and it will take more time to open, for example, the command line window, or it will take a shorter time, and when you are planning your pause inside the barcode you need to take this into account. One strategy is to look for the models of the computer and the barcode scanner, go to your home and try to emulate this system, practice, practice, and go and attack the system. And the other option is aiming low: create very long pauses. It will make the attack spread over a long period of time, but it will work.

Here you can see an example of a script, a script that you can put into a barcode. This, for example, will run PowerShell as an administrator. What you do is emulate Ctrl+Esc, you wait for the Start menu to open, then you type powershell and press Enter, and then you wait for the PowerShell window to open, and then you press Alt+Tab. This is because when you are doing it manually, then you will see that the PowerShell window is popping up and Windows' attention is shifting to the PowerShell window, but when you're doing it with an automated script it will not, so you need to shift Windows' attention to the newly opened window. And then you write the command to request to run as an administrator, press Enter, and then you are waiting for the User Account Control, which is supposed to protect you against these kinds of attacks, and when it pops up, you can see it here on the right, you press Tab, Tab and Enter, and it shifts from No to Yes, and you just approve your own attack.

I've done a lot of tests. The tests that I did were on two types of computers: one is the Asus model, which is a very fast computer; the other one is an old Dell computer, to represent old computers and slow computers. And I did my tests on Windows 10 and Windows 11. These are the three barcode scanners that I used for my tests. The first two, the Honeywell and the Datalogic, are long-known global suppliers of barcode scanners, and you can see these models around every second or third shop. And the last one, the last barcode scanner, is just the cheapest one I found online, and I bought it, and I wanted to see if it would behave the same as the more expensive models. It does. All of the three were factory configured, that means I took it out of the box, I used it, I never programmed it. And I tested the two most common symbologies, which are Data Matrix and the QR code.

Okay, I hope this works. Here you're going to see how I'm opening a command prompt window as an administrator. UAC, and I'm in. And here it is again with PowerShell, a different scanner. UAC approval, and I'm in. And in the last example I'm downloading and executing Notepad++ from the internet. Now it is loading it from the internet, downloading it, UAC again, and it's running. Very simple. Okay, this is the state of the art right now with barcode scanners and barcodes. Thank you.

And I was thinking, okay, this is the state of the art, where can I take it to the next level? And I thought a lot about the Rubber Ducky that was mentioned earlier, and this is why I chose it, because technically I'm looking at the barcode scanner as a Rubber Ducky: if I use the barcode scanner to scan a barcode and it creates a script, a malicious script, and injects it into the computer, then it's a Rubber Ducky. So let's do what Rubber Duckies do and load a file into the computer. The goals I've set for myself were to upload the file into the computer without connecting it to the internet, without plugging anything into the host, and without any cooperative software, just Windows. So how is it being done? You take a binary file or a test script and you zip it to reduce the byte count, and then you encode the zip with base64. Some of you are familiar with base64, some of you are not, so I will go over it in the next slide. And then you take the encoded data and you divide it into several barcodes. The first barcode will prepare the host for reception and load the first part of the file. In the rest of the scans, the rest of the file will be uploaded into the computer part by part, and in the last scan it uploads the last part of the file, decodes it, unzips it and executes it. And I get my goal.

Regarding base64, if you are not familiar with it, it's a very simple but powerful method to transfer 8-bit data between systems that may not agree on the same data items, what the data item is, how it is constructed, and might react differently to different ASCII codes. So what you do in base64: you take all your 8-bit data, you transfer it into printable characters, and transfer these printable characters to the next machine, and there, you know it is encoded in base64, you decode it and use the data. You can see here a very simple example. Each time you take three bytes, it's 24 bits, and convert it from three symbols of eight bytes into four symbols of six bytes, of six bits, sorry, and it's 24 bits, 24 bits, and you've got the conversion. If at the end of the data you've got less than three bytes, the encoder will add the equal sign to signal the decoder that the data was not fully three bytes. Here you can see the conversion table: 0 to 25 represents uppercase A to uppercase Z, 25 to 51 represents lowercase a to lowercase z, and then the numbers, and then the plus sign and the forward slash, and that's it, all printable characters.

Here you can see the entire process, which uses certutil. I will mention in a minute why I'm mentioning certutil. The process is: in the first scan you take the first file part and you create a file named temp.txt. In the following scans you take the rest of the file and add it to temp.txt. When it finishes, it decodes base64 and you get the binary back, which is the zip file, and then you delete the text because you don't need it anymore, unzip the zip file and delete the zip file because you don't need it anymore, and you execute the payload, and if you are feeling good enough about yourself, you exit in a proper manner. certutil is notoriously known for being used, or misused, by hackers, so it might be blocked on the system that you are trying, and it might trigger alarms, so you want to be a little bit more careful about certutil. So here's the same with PowerShell without using certutil: you just use a variable, you load all the text file into the variable, decode it from text to the binary data, save it as a zip file, unzip the zip file and execute the payload.

Let's see. This is the slower model, the slower computer, and it will execute the snake game, and it will use certutil. I intentionally chose to show this clip because it uses the slowest barcode scanner I have, so you can see the data running. And because it's slow, I talked earlier about pauses, because it's slow, for a certain amount of time it needs fewer control keys, repetitive control key injections, so it only takes four barcodes to upload the file. In a minute we'll see a different example. And the last one, I don't know if you saw the command, and we have it running. Thank you. I'm a lousy player. So okay, and this is the second example, not using certutil. It will be much faster, I promise. That's it, it's a fast barcode reader and execution, and it works. Thank you.

Okay, so we got the attack and we got the means, but life can be easier. You probably know these stations that are scattered around, and most of you local people even might recognize this certain machine. It's a self-checkout point of sale, and in these systems they take the point-of-sale software and show it in a full display mode, and it opens a very convenient option for the attack you just saw, because you can scan the first barcode, it will open for example the PowerShell window and then execute a few commands, and then you can hide it behind the POS software by pressing Alt+Tab and getting the POS software to be in front and hide the window. And then you can leave the store and come back after a few hours, a few days, a few months, and nobody knows that you have a window hiding, waiting for the next attack. In the next attack you don't need to open the window anymore, you just need to press Alt+Tab, it will go up to the front, and then you can execute the second batch of commands.

Okay, so blue team, what can the blue team do? The first thing is look at the bigger picture, because it's not a barcode scanner problem, it's not a Windows problem, it's a system problem, and you need to consider each barcode scanner as if it was a malicious entry point. And because, like in the case of the Rubber Ducky, the person who is going to use the barcode scanner may be guided by a well-trained attacker or may be fooled by a well-trained attacker: you can go to that person, give him a note with the barcode, tell him, you know, if we scan this your computer will work twice as fast and your boss will be very happy, and he might do it. Very similar to the Rubber Ducky. And so you need to take into account that this simple device might hide a very skillful person behind it. And you also need to remember that it's not a local problem. The person that is going after the system might not be satisfied with the host; he might be satisfied going after the network, beyond the network. So you need to take this into account deeply. It might be an interactive process: someone is coming to work, scanning the barcode, looking at the screen, seeing a few data items being written, photographing it, sending it to his brother, nephew, I don't know, and tomorrow he will return with a new barcode, and he has all the time in the world to attack the system.

So what can be done immediately? Limit everything, everything you can think of. There's no need for someone at the storage room, for example, to open PowerShell or to try and use certutil, for example, if you hadn't blocked it anyway, and just anything that you can think of. The most simple solution I can think of: the barcode scanner is very cheap, relatively cheap; computers today are relatively cheap, especially the low models, and you don't need much to support a barcode scanner. So you can have your own device dedicated for the scanning. Anything that you can stop it from doing except scanning barcodes, then you should apply on this side computer, and the person who is working in the storage room has his own laptop he is working on, but he's not mixing this barcode scanner with his regular computer. And one last thing, which is very, very important: if your organization doesn't use 2D barcodes, don't buy 2D scanners, because you're only expanding the ability to attack your organization but you're not adding any value to the organization. So just don't do it. Here there's a link; I've uploaded all the Python scripts I use. They're generating barcodes, malicious barcodes. Please be careful what you're doing and where, but you can learn and explore these barcodes and see and understand how these things are being built and made. There are a lot more scripts than I've shown here. And that's it, thank you very much. [Applause]
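The base64 conversion the talk walks through (three 8-bit bytes into four 6-bit symbols, the A-Z/a-z/0-9/+/ table, and the '=' padding that signals a short final group), written out as an added example; this is not code from the talk or from the speaker's published scripts, and it checks itself against Python's standard library.

```python
# Added example (not from the talk): base64 exactly as the talk describes it,
# three 8-bit bytes -> four 6-bit symbols, with '=' padding when fewer than
# three bytes remain at the end. Verified against the stdlib implementation.
import base64

# Conversion table: indices 0-25 are 'A'-'Z', 26-51 are 'a'-'z',
# 52-61 are '0'-'9', 62 is '+' and 63 is '/'.
ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789+/"
)
REVERSE = {ch: i for i, ch in enumerate(ALPHABET)}


def b64encode(data: bytes) -> str:
    """Turn arbitrary 8-bit data into printable base64 characters."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # Pack up to 24 bits; a missing byte contributes zero bits.
        bits = int.from_bytes(chunk.ljust(3, b"\x00"), "big")
        symbols = [ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        # 1 real byte yields 2 real symbols, 2 bytes yield 3, 3 bytes yield 4;
        # the remaining positions become '=' so the decoder knows the group is short.
        keep = len(chunk) + 1
        out.append("".join(symbols[:keep]) + "=" * (4 - keep))
    return "".join(out)


def b64decode(text: str) -> bytes:
    """Reverse the process: each group of four symbols back into up to three bytes."""
    if len(text) % 4:
        raise ValueError("base64 text length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4]
        pad = group.count("=")
        if pad > 2 or "=" in group[:4 - pad]:
            raise ValueError(f"bad padding in group {group!r}")
        bits = 0
        for ch in group[:4 - pad]:
            if ch not in REVERSE:
                raise ValueError(f"character {ch!r} is not base64")
            bits = (bits << 6) | REVERSE[ch]
        bits <<= 6 * pad  # restore the zero bits the encoder padded with
        out += bits.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def roundtrip_matches_stdlib(data: bytes) -> bool:
    """True if our encoder agrees with the stdlib and our decoder restores the input."""
    encoded = b64encode(data)
    return (encoded == base64.b64encode(data).decode("ascii")
            and b64decode(encoded) == data)
```

Running `roundtrip_matches_stdlib` over inputs of every length modulo 3 exercises all three padding cases the talk mentions.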