
BadBarCode and RedBox


Johnny_Robot


Hi Guys,

So an interesting thing happened to me at a Red Box the other day. I already hate using them as it is. Long story short, when I slid my card the computer locked up and I saw the infamous "Application is not responding" window. So obviously this is a Windows Server...

I work in POS Retail and most card readers I've seen are basically just HID devices. This got me thinking... I was reading about a hack out there called the "BadBarCode hack" where basically the UPC code contains information so that when the employee scans the code with their scanner (Also just an HID device) it basically opens a shell on the machine and virtually types control commands like a rubber ducky would... Needless to say you can do a lot of things with a rubber ducky! :) So to get to the point... What would stop someone from creating a card with "Bad information" so that when they scan the card the card reader just runs the commands? It's kind of terrifying if something like this is possible! And how would you fix something like this?

Love the show! Keep 'em coming! :)

JohnnyR030T

BadBarCode hack article:

https://threatpost.com/one-badbarcode-spoils-whole-bunch/115362/


Yes can be done. Though I don't think the barcode standard contains the window key to do a win+r and don't think alt is there either. I have done stuff about a year to log in to something with a user/pass and could pass enter keys in at least. If you knew the POS system you could press the delete previous items button or something and finish purchase at a lower amount.

I'm sure someone will think of an app escape; you do basically have keyboard input, as you say.
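On the "how would you fix something like this?" question, one application-side control is to treat everything a keyboard-wedge reader types as untrusted data and accept it only if it is a well-formed swipe. The sketch below is an added example, not code from this thread or from any kiosk vendor; it assumes the application buffers the reader's keystrokes into a string itself, uses the ISO/IEC 7813 track layout, and the function names and sample swipes are constructed for illustration.

```python
import re

# Track layouts per ISO/IEC 7813, as a keyboard-wedge reader types them.
# Name and discretionary-data character sets are deliberately narrow (assumption).
TRACK1 = re.compile(r"%B(\d{12,19})\^([A-Z /.'-]{2,26})\^(\d{4})(\d{3})([A-Z0-9 ]*)\?")
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")
MAX_SWIPE_LEN = 120  # track 1 is at most 79 characters, track 2 at most 40

class RejectedSwipe(ValueError):
    """Raised when reader input is not a well-formed card swipe."""

def luhn_ok(pan: str) -> bool:
    digits = [int(c) for c in reversed(pan)]
    doubled = [sum(divmod(2 * d, 10)) for d in digits[1::2]]
    return (sum(digits[0::2]) + sum(doubled)) % 10 == 0

def parse_swipe(raw: str) -> tuple:
    """Return (pan, expiry_yymm) or raise RejectedSwipe; raw keys are never acted on."""
    if raw[-1:] in ("\r", "\n"):
        raw = raw[:-1]  # a single trailing terminator is expected
    if len(raw) > MAX_SWIPE_LEN:
        raise RejectedSwipe("too long for a magnetic stripe")
    if any(not 0x20 <= ord(c) <= 0x7E for c in raw):
        raise RejectedSwipe("control or non-ASCII character in swipe")
    t1 = TRACK1.match(raw)
    rest = raw[t1.end():] if t1 else raw
    t2 = TRACK2.fullmatch(rest) if rest else None
    if rest and not t2:
        raise RejectedSwipe("data outside the track format")
    if not t1 and not t2:
        raise RejectedSwipe("no track data")
    if t1 and t2 and t1.group(1) != t2.group(1):
        raise RejectedSwipe("track 1 and track 2 disagree")
    pan, expiry = (t1.group(1), t1.group(3)) if t1 else (t2.group(1), t2.group(2))
    if not luhn_ok(pan):
        raise RejectedSwipe("PAN fails Luhn check")
    return pan, expiry

def is_accepted(raw: str) -> bool:
    try:
        parse_swipe(raw)
        return True
    except RejectedSwipe:
        return False

# Constructed sample swipes (well-known test PAN, not real card data).
GOOD = "%B4111111111111111^DOE/JOHN^30121010000000000?;4111111111111111=30121010000000000?\r"
EMBEDDED_ENTER = ";4111111111111111=3012101?\rEXTRA KEYS\r"
TRAILING_TEXT = ";4111111111111111=3012101?EXTRA KEYS"
```

Validation like this only covers input the application itself receives; the kiosk shell still has to keep reader keystrokes from reaching any other window or the desktop.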
