barcOwned—Popping shells with your cereal box

Conference:  Defcon 26



The presentation discusses the use of barcodes as a potential attack vector for red team attacks and the need for filtering malicious keys at the OS level.
  • Barcodes can be used as an attack vector for red team attacks
  • Filtering malicious keys at the OS level can prevent such attacks
  • Enforcing non-HID modes can also prevent such attacks
  • The presentation demonstrates various barcode-based attacks, including launching commands and disabling barcode scanning for a period of time
  • Considerations for a red team attack include finding the beeper hole and covering it up
The presentation demonstrates how a simple UPC barcode from an unaltered box of s'mores can be used to execute an attack. By scanning the barcode and then the programming barcode, the presenter is able to launch Metasploit and gain access to the system. The presentation also shows how a barcode can be used to disable barcode scanning for a period of time, rendering the scanner useless. The only way to reset it is to go to factory defaults, which almost no one knows how to do.


Barcodes and barcode scanners are ubiquitous in many industries and work with untrusted data on labels, boxes, and even phone screens. Most scanners also allow programming via barcodes to manipulate and inject keystrokes. See the problem? By scanning a few programming barcodes, you can infect a scanner and access the keyboard of the host device, letting you type commands just like a Rubber Ducky. This culminates in barcOwned—a small web app that allows you to program scanners and execute complex, device-agnostic payloads in seconds. Possible applications include keystroke injection (including special keys), infiltration and exfiltration of data on air-gapped systems, and good ol' denial of service attacks.



Post a comment

Related work