Johnny_Robot Posted January 2, 2016

Hi Guys,

So an interesting thing happened to me at a Red Box the other day. I already hate using them as it is. Long story short, when I slid my card the computer locked up and I saw the infamous "Application is not responding" window. So obviously this is a Windows Server...

I work in POS Retail and most card readers I've seen are basically just HID devices. This got me thinking... I was reading about a hack out there called the "BadBarCode hack" where basically the UPC code contains information so that when the employee scans the code with their scanner (also just an HID device) it basically opens a shell on the machine and virtually types control commands like a rubber ducky would... Needless to say you can do a lot of things with a rubber ducky! :)

So to get to the point... What would stop someone from creating a card with "Bad information" so that when they scan the card the card reader just runs the commands? It's kind of terrifying if something like this is possible! And how would you fix something like this?

Love the show! Keep 'em coming! :)

JohnnyR030T

BadBarCode hack article: https://threatpost.com/one-badbarcode-spoils-whole-bunch/115362/

Karit Posted January 2, 2016

Yes, it can be done. Though I don't think the barcode standard contains the Windows key to do a win+r, and I don't think alt is there either. I did some stuff about a year ago to log in to something with a user/pass and could pass enter keys in at least. If you knew the POS system you could press the delete previous items button or something and finish the purchase at a lower amount. I'm sure someone will think of an app escape; you do basically have keyboard input, as you say.

winter_soldier Posted January 3, 2016

The idea here is simple: if you can dream it, it is possible.

Mr-Protocol Posted January 4, 2016

I would make sure you have permission first to do such testing. Keep it real, keep it legal. :D

Johnny_Robot (Author) Posted January 4, 2016

> I would make sure you have permission first to do such testing. Keep it real, keep it legal. :D

Always :)
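
On the "how would you fix something like this?" question from the first post, here is an added example that is not part of the thread or any poster's code: the POS application treats everything a keyboard-wedge (HID) scanner or card reader types as untrusted and accepts only payloads that match an expected format. The function names are hypothetical, the sample inputs are constructed, and it assumes the application expects either a UPC-A barcode or ISO/IEC 7813 track 2 data.

```python
import re

# Assumption: the reader is a keyboard-wedge (HID) device, so the POS
# application sees raw characters and must treat them as untrusted input.
UPC_A = re.compile(r"[0-9]{12}")
# ISO/IEC 7813 track 2 layout: ;PAN=YYMM + service code + discretionary data?
TRACK2 = re.compile(r";[0-9]{1,19}=[0-9]{4}[0-9]{3}[0-9]*\?")
MAX_LEN = 40  # track 2 holds at most 40 characters including sentinels


def has_control_chars(raw: str) -> bool:
    """True if the payload carries anything outside printable ASCII."""
    return any(ord(c) < 0x20 or ord(c) > 0x7E for c in raw)


def upc_a_check_ok(digits: str) -> bool:
    """UPC-A check: 3 * (odd positions) + even positions must be 0 mod 10."""
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(digits))
    return total % 10 == 0


def classify_scan(raw: str) -> str:
    """Return 'upc', 'track2' or 'reject' for one scan, terminator stripped."""
    if len(raw) > MAX_LEN or has_control_chars(raw):
        return "reject"
    if UPC_A.fullmatch(raw):
        return "upc" if upc_a_check_ok(raw) else "reject"
    if TRACK2.fullmatch(raw):
        return "track2"
    return "reject"


# Constructed sample inputs (not taken from the thread).
SAMPLES = [
    "036000291452",                      # valid UPC-A
    "036000291453",                      # bad check digit
    ";4111111111111111=25121010000?",    # well-formed track 2 test data
    "036000291452\x12cmd\r",             # control characters embedded
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", classify_scan(s))
```

This check only covers what arrives in the application's own input field; keystrokes from an HID device go to whatever has focus, so it complements a locked-down kiosk shell rather than replacing one.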