Vector
Vector

Choose your topics

Blogs
What is Risk Management in Cybersecurity?

Let’s explore the essentials of risk management in the context of cybersecurity to help you understand how to identify, assess and mitigate cyber threats effectively.

Cyber Risk Management Enterprise Risk Management
Blogs
3 Best Practices for Data Privacy

With more technology comes more data, and with that a greater need for data privacy enforcement. What best practices should you be following?

Data Privacy
Blogs
How to Prioritize Your Third-Party Risks

How can you prioritize effectively and enhance your organization’s security posture? Here are our top tips for setting up realistic, sustainable processes.

Third-Party Risk Management GRC
Blogs
Top Tips to Save Time When Assessing Third-Party Risks

Is assessing third-party risks taking up too much of your time? How can you make the process more effective and efficient? Find out in the latest post from SureCloud.

Third-Party Risk Management GRC
Blogs
The GRC Trends to Look Out for in 2024

Our GRC experts at SureCloud share their 2024 predictions for the world of governance, risk and compliance.

GRC
Blogs
The Top 5 Challenges of Third-Party Risk Management

With the supply chain now seen as a legitimate attack path, what can your organization do? Let’s explore 5 challenges of TPRM and how to overcome them.

Third-Party Risk Management GRC
Blogs
What is Third-Party Risk Management?

What is third-party risk management and how should you approach it? Find out in this post.

Third-Party Risk Management GRC
Blogs
Questions You Should Ask when Preparing For Your First Pen Test

Understand the processes that you and your chosen pentest provider will travel through for your first pen test, from the initial point to the day the test starts.

Penetration Testing
Blogs
TPRM Blog 6-Writing Clear Questions

Our GRC Practice Director explores the importance of clear communication and how to achieve it in your third party questionnaires. Read more here.

Third-Party Risk Management GRC
Vector (7)
Vector-1
Cyber Security

Beware of Barcodes I Consultant Corner

Beware of Barcodes I Consultant Corner
Written by

Soni

Published on

5 Mar 2020

Beware of Barcodes | Consultant Corner

 

Welcome to Consultant Corner

During this time of lockdown and remote working, many are brushing up on their extra reading and learning. We have asked our expert cybersecurity consultants to write up 5-minute reads on trends they’re seeing and tips for IT teams to stay protected. These topics aren’t COVID-19 specific and vary from VPN to brute-force attacks to barcodes.

You can stay alerted to new blogs from ‘Consultant Corner’ as soon as they are made available just register in our pop-up form below. After all, a cybersecurity blog a day keeps the malicious attackers at bay.

This blog is focused on barcodes and is written by, David Coleman, Cybersecurity Consultant at SureCloud.

Test don’t trust

Over the years, there has been an implicit trust in specific technologies, to work only in the way they were intended to operate. Specific devices and applications are built with this trust in mind, sometimes forgetting to test this trust whilst developing applications and tools to work with them. One example, which is the focus of this article, is the integration of barcode scanners at kiosk terminals. These terminals are believed to be locked down in such a way to prevent a user from using the device in a way that the application was not designed to handle.

 

The implicit trust around a barcode reader is that its only ability is to scan expected alphanumeric barcodes and write them to the expected areas of the application where intended. Although this is true for the most part, there is a misconception that alphanumeric codes are the only type of code they can read.

Although the functionality of barcode scanners is to be able to read a range of characters, including alphanumeric and symbol characters, many scanners can also read characters from the control character set. If the barcode reader is set up in such a way to mimic a keyboard, the interpreted characters will be sent to the host device as the appropriate keystroke. The problem occurs when a malicious attacker begins to take advantage of this ability and produces barcodes of characters not intended to be used with the application.

Attacks

One example of this could be to perform injection type attacks on an application where the application itself only presents an on-screen keyboard of alphanumeric keys but will accept any character typed into the input fields. If the developer believes that the application does not require input sanitization due to the understanding that only alphanumeric values are able to be used with the application, then the application itself may be vulnerable to injection type attacks. If it is possible to utilise the barcode scanner to input non-alphanumeric values into the app, then attacks such as SQL injection or XSS may be possible.

Another more dangerous attack involves the control character set. Characters in this set can include keys such as the Tab key, the Carriage Return key, and the Escape key. Not all barcode scanners have the ability to scan control characters, however; if a barcode scanner does have this ability (and many do), then this presents a potentially dangerous attack, since many applications upon receiving a signal such as the escape key, will obligingly perform the relevant action and quit, giving access to the underlying operating system. This is especially dangerous when the creator of the application believes their full-screen application to be secure enough that they have paid little to no attention to the security of the underlying device as they may feel this to be unnecessary.

This can then mean that a user then has full access to various systems running on the underlying operating system, such as databases, network access, and even the ability to run PowerShell scripts to compromise the system further.

About SureCloud

SureCloud is a provider of Gartner recognised GRC software and CREST accredited Cyber Security & Risk Advisory services. Whether buying products or services your organisation would benefit from automated workflows and insight from the award-winning SureCloud platform. All of SureCloud’s service offerings are fully compatible with the GRC suite of products enabling seamless integration of information, taking your risk programmes to the next level.

Discover SureCloud’s new Cyber Resilience Assessment Solution here.