Everything is an input device (fun with barcodes) [video]

Everything is an input device (fun with barcodes) [video](media.ccc.de)

58 points by wlecometo 3 years ago | 7 comments

victorp13 3 years ago |

Note how these folks are moving to the next slide using a barcode scanner. Like an absolute boss!

stragies 3 years ago |

That reminds me of "Ol' Bobby tables"

https://barcode.tec-it.com/barcode.ashx?data=Robert%27)%3B+D...

https://xkcd.com/327/

behnamoh 3 years ago |

Can't wait to see equivalent NFC tricks misused at stores. Imagine doing an NFC which sends malicious instructions to your phone.

Nextgrid 3 years ago | |

NFC is a bit different - it doesn't try to pretend to be an input device. There are specific protocols that NFC devices can speak and the device can parse and then display (such as for NDEF tags), but short of exploiting a vulnerability in the parser, this kind of attack isn't possible.

The vulnerabilities outlined here are:

1) the barcode reader itself is configured over the untrusted channel via specific barcodes, instead of out-of-band via the USB interface

2) the barcode reader is either already emulating a keyboard, or can be configured to do so via the (untrusted) configuration mechanism described above.

This vulnerability can be mitigated by making sure the barcode scanner can't be reconfigured in the field and by talking to the barcode scanner over a specific interface (serial) instead of keyboard emulation, so that data from the barcode scanner has no chance of being interpreted by the OS as keyboard input.

amelius 3 years ago |

Any good videos/blogs that explain how barcodes (1d and 2d) are read?

cyberbolt23 3 years ago | |

Maybe this answers your questions https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2859730/

or even deeper https://conservancy.umn.edu/bitstream/handle/11299/175329/Sc...

pr07ecH70r 3 years ago | |

I quickly found this one... till this post, I've never thought about how bar codes work. :D

https://www.abr.com/wp-content/uploads/2014/04/barcode-basic...