Welcome to Consultant Corner
During this time of lockdown and remote working, many are brushing up on their extra reading and learning. We have asked our expert cybersecurity consultants to write up 5-minute reads on trends they’re seeing and tips for IT teams to stay protected. These topics aren’t COVID-19 specific and vary from VPN to brute-force attacks to barcodes.
You can stay alerted to new blogs from ‘Consultant Corner’ as soon as they are made available just register in our pop-up form below. After all, a cybersecurity blog a day keeps the malicious attackers at bay.
This blog is focused on barcodes and is written by, David Coleman, Cybersecurity Consultant at SureCloud.
Test don’t trust
Over the years, there has been an implicit trust in specific technologies, to work only in the way they were intended to operate. Specific devices and applications are built with this trust in mind, sometimes forgetting to test this trust whilst developing applications and tools to work with them. One example, which is the focus of this article, is the integration of barcode scanners at kiosk terminals. These terminals are believed to be locked down in such a way to prevent a user from using the device in a way that the application was not designed to handle.
The implicit trust around a barcode reader is that its only ability is to scan expected alphanumeric barcodes and write them to the expected areas of the application where intended. Although this is true for the most part, there is a misconception that alphanumeric codes are the only type of code they can read.
Although the functionality of barcode scanners is to be able to read a range of characters, including alphanumeric and symbol characters, many scanners can also read characters from the control character set. If the barcode reader is set up in such a way to mimic a keyboard, the interpreted characters will be sent to the host device as the appropriate keystroke. The problem occurs when a malicious attacker begins to take advantage of this ability and produces barcodes of characters not intended to be used with the application.
Attacks
One example of this could be to perform injection type attacks on an application where the application itself only presents an on-screen keyboard of alphanumeric keys but will accept any character typed into the input fields. If the developer believes that the application does not require input sanitization due to the understanding that only alphanumeric values are able to be used with the application, then the application itself may be vulnerable to injection type attacks. If it is possible to utilise the barcode scanner to input non-alphanumeric values into the app, then attacks such as SQL injection or XSS may be possible.
Another more dangerous attack involves the control character set. Characters in this set can include keys such as the Tab key, the Carriage Return key, and the Escape key. Not all barcode scanners have the ability to scan control characters, however; if a barcode scanner does have this ability (and many do), then this presents a potentially dangerous attack, since many applications upon receiving a signal such as the escape key, will obligingly perform the relevant action and quit, giving access to the underlying operating system. This is especially dangerous when the creator of the application believes their full-screen application to be secure enough that they have paid little to no attention to the security of the underlying device as they may feel this to be unnecessary.
This can then mean that a user then has full access to various systems running on the underlying operating system, such as databases, network access, and even the ability to run PowerShell scripts to compromise the system further.
About SureCloud
SureCloud is a provider of Gartner recognised GRC software and CREST accredited Cyber Security & Risk Advisory services. Whether buying products or services your organisation would benefit from automated workflows and insight from the award-winning SureCloud platform. All of SureCloud’s service offerings are fully compatible with the GRC suite of products enabling seamless integration of information, taking your risk programmes to the next level.