Langsung ke konten utama

Barcode Hacking

"Barcode systems susceptible to serious hacker attacks" - so says Heise Security, in their article posted yesterday concerning FX's presentation at this weeks 24th Chaos Communication Congress.


The article describes a few of the threats to systems that rely upon barcodes (on and two dimensional) - in particular their ease of manipulation for scamming purposes and the possibilities for code injection attacks.


Barcodes vs. RFID Tags


Since I've been spending some in-between research time looking at RFID systems, I've had some opportunity to have a closer look at the various barcode encoding schemas currently in use. There is a lot of overlap between RFID and Barcode systems - with RFID back-end systems adopting many of the same operating principles (mainly because RFID is generally being deployed as a replacement for older/legacy print-barcode systems - particularly in supply-chain and itemized sales).


The limitations of data encoding within barcodes apply almost one-for-one with passive RFID implementations, so by studying the attacks for one, you learn both. While the vehicle for delivery is different (i.e. a printed piece of paper versus a wired antenna), the vectors for encoding attack data and how it will be interpreted by backend systems is identical.


The primary encoding vectors for barcode and RFID attacks are:

  • Value cloning - i.e. duplicating existing barcode/tag values
  • Value overflows - i.e. buffer overflows, off-by-one attacks etc.
  • Code injection - i.e. inserting character codes or strings that will be "incorrectly" interpreted by the backend systems (e.g. SQL Injection, Cross-site scripting, infinite-loop DoS, etc.)

Scale of the threat


The Heise Security article (and no doubt the original presentation) is a little sensationalistic, but that shouldn't undermine the fact that there are some real security issues to be had here. It basically comes down to input validation. Back-end systems generally take the data supplied by the barcode (or RFID tag) as a trusted source and use it as is without validating it. Consequently, the opportunity to do something mischievous is rather easy - especially in this day of home laser printers.


The fact that barcode attacks have received so little attention from security researchers in the past has less to do about difficultly, and more to do with opportunity. They are a very old device, but it's only been in the last decade that we've seen them more fully integrate in to newer (publicly accessible) computer systems that have 'value' from a target perspective.


Over the next year or two I expect more security researchers to turn their attention to barcode and RFID systems. I think that the initial findings are going to be highly implementation specific (and not widely distributed) primarily because the way these technologies have been historically deployed and the amount of 'legacy' or proprietary equipment already out there.


However, as that old equipment fails and/or gets replaced, major organizations will deploy the latest interoperable versions. RFID supply-chain standards for data sharing and complete international product life-cycle tracking will be very interesting - and provide a vehicle for much large and disruptive attacks. But that's only likely to occur more in the 3+ year timeframe.


For the time being, the attacks we'll likely hear about will be deployments of specific implementations - like cloning movie passes, or SQL injection against a particular companies car-part inventory system, etc.


Hopefully these smaller events will get developers thinking about their legacy code and look to improve it's security by either adding the appropriate validation code, or upgrading systems to those that have more rigorous (and proven) security features. With that in mind, I'd expect the latest work in RFID systems to help lead the way as there is already a lot of additional thought going in to the security built in to these newest standards.


Sumber : technicalinfo


Label:

Komentar

Posting Komentar

Postingan populer dari blog ini

Matrix Pro Link HD + Ethernet v4

Selamat Pagi semua rekan-rekan sekalian. Mungkin kali ini saya akan membahas mengenai Receiver dengan Merk Matrix tipe ProLink HD + Ethernet.   Ok berawal dari parabola yang ditinggal oleh penghuni kosan yang lama. Maka saya berniat untuk menggunakan parabola tersebut. Tapi saya tidak tahu, harus diapain tuh parabola agar bisa untuk nonton tipi . Setelah dibrowsing, ternyata saya hanya perlu Receiver. Saya putuskan untuk mencari Receiver tersebut . Browsing sana sini dan ternyata pilihan saya jatuh pada Satellite Receiver bernama Matrix Prolink HD + Ethernet New. Gambar Kardus Matrix ProLink HD Ethernet v4 Gambar Tampak depan MHDE New Gambar Tampak atas MHDE New Gambar Fungsi di MHDE New Gambar Port USB di MHDE New Adapun fasilitas yang ditawarkan oleh produk ini adalah : Bisa membuka siaran acak menggunakan Key seperti Biss (Umum digunakan serta banyak didukung oleh forum-forum satelite), Seca, Viaccess, Irdeto, Cryptoworks, Nagravisio
4 komentar
Baca selengkapnya

Menu Utama pada Matrix ProLink HD Ethernet V4

Sekarang saya akan membahas tentang Tampilan menu yang ada di Receiver Satellite ny milik Matrix yang bernama  Matrix Pro Link HD + Ethernet v4 Untuk masuk ke tampilan menu , kita bisa klik tombol Menu/Back pada remote control. Gambar Tombol Menu/Back Setelah itu muncul tampilan Menu yang ada di  Matrix Pro Link HD + Ethernet v4 . Terdapat 8 menu utama yang bisa digunakan antara lain : Ubah Siaran Gambar Menu Ubah Siaran Instalasi Gambar Menu Instalasi Alat Gambar Menu Alat Permainan Gambar Menu Permainan Pengaturan Sistem Gambar Menu Pengaturan Sistem Akses Tertentu Gambar Menu Akses Tertentu Media Player Gambar Menu Media Player Pengaturan Jaringan Gambar Menu Pengaturan Jaringan Semoga artikel ini dapat membantu untuk memberikan gambaran , bagaimana isi dari   Matrix Pro Link HD + Ethernet v4 ini. Kalau ada saran/kririk , silahkan di komentar.
Posting Komentar
Baca selengkapnya

Nomor Nomor Penting di Axis

Pada artikel sebelumnya sudah membahas mengenai Axis Data Setting  . Selanjutnya pada kesempatan ini, saya coba membahas tentang Nomor Nomor Penting di Axis . 1. Layanan Pelanggan ( Customer Service ) Gunakan  838 pada Handphone Anda, untuk menghubungi Customer Service yang siap membantu Anda jika dalam penggunaan nomor Axis memiliki kendala seperti lupa pin, minta PUK, saran/kritik dan lain-lain. 2. Cek Status dan Pengisian Pulsa ( Status Check and Reload ) Gunakan  888  pada Handphone Anda, untuk informasi status penggunaan kartu Axis dan bisa juga digunakan untuk melakukan pengisian pulsa dengan voucher. 3. Layanan Ring Back Tone (RBT) Gunakan  333  pada Handphone Anda, jika anda ingin nada tunggu nya itu adalah musik kesayangan Anda. Coba lah untuk menggunakan layanan ini. 4. Cek Voice Mail Gunakan  *800#  pada Handphone Anda, anda tidak ada waktu atau lupa untuk mengangkat panggilan masuk. Biasanya layanan voice mail aktif, jika anda tidak mengangkat t
Posting Komentar
Baca selengkapnya