DEF CON 29 - Richard Henderson - Old MacDonald Had a Barcode, E I E I CAR

Aug 5, 2021 17:35 · 7173 words · 34 minute read

- Okay, looks like we’re up and running. Hi everybody, welcome.

00:10 - Hi DEFCON, hi DEFCON 29. Thanks for everybody tuning in from wherever you are.

00:15 - Hopefully next year we get to all do this in person.

00:18 - Here we are. So hi guys, my name’s Richard.

00:21 - We’ll get to that in a second. This is my talk on barcodes and Old McDonald had a barcode, E-I-E-I CAR.

00:29 - I have to apologize for me looking back and forth.

00:32 - I have two monitors and my slides are on another one.

00:37 - So who am I? My name is Richard Henderson. I’m a ham radio nerd. I’m an electronics dork.

00:44 - I write for a living a lot, I’m a InfoSec professional.

00:48 - I currently work as a CSO. I’ve trained at DEFCON multiple years in the past.

00:53 - I’ve gone 25, 26, 27, DEFCON China Beta One.

01:00 - I’ve run the Ham Radio Fox Hunt Contest at DEFCON for a few years.

01:05 - Did not run it this year, didn’t know what was going to happen.

01:08 - So, it’ll be back next year, I hope.

01:11 - And richsentme is how you can find me on Twitter and LinkedIn.

01:14 - So feel free to connect. So, let’s talk here for a second.

01:24 - What would happen if you built a system that was designed to take inputs from barcodes that didn’t do any sort of input validation.

01:34 - What sort of hi-jinks could you get up to? Could you crash a system with nothing more than just a simple string of text? You sure can.

01:45 - We’ll come back to this screenshot multiple times during the talk and we’ll explain what it is we’re seeing.

01:52 - The bottom line is yes, there are a lot of systems out there that through nothing more than presenting in a string of text, we’ll make it fall over crash, reboot, denial of service.

02:05 - So let’s talk about the EICAR string. The EICAR string is kind of the key here.

02:09 - Although we’ll get to other strings that might cause mischief later.

02:14 - But in this case, we’re talking specifically about EICAR.

02:18 - So what is the EICAR string? That’s the EICAR string.

02:24 - It’s a substantially long enough, random piece of text that with enough randomness in it that you wouldn’t find it just by chance.

02:36 - So you know that if you see this string of text, you are looking at the EICAR string.

02:42 - So who created it? What’s it used for? How does it work? In a nutshell, the EICAR test file was created by the European Institute for Computer Antivirus Research, EICAR.

02:55 - And it’s a method to test the functionality and the ability of antivirus engines to actually function.

03:04 - So it’s used by pretty much every antivirus company or tech company that incorporates some sort of antivirus technology into their product.

03:13 - So think like firewalls, email security appliances, things like that.

03:20 - And they use it to make sure their AV engines are working.

03:23 - Well, why would they do that? Well, when you’re working with malware, you want to avoid using real malicious malware samples whenever possible.

03:37 - Unless you have to work with something really malicious.

03:40 - And the reason for that is imagine if you were just trying to test your firewall to see if it could detect a piece of malware as it moved past the firewall, but it failed.

03:52 - And you decided you’d use the latest and greatest piece of ransomware that you found online.

04:00 - When that ransomware escaped through the network and started infecting other machines, that’d be pretty bad, right? So EICAR came about as a way to safely test antivirus.

04:12 - Create a text string, which you can embed in another small file.

04:16 - You can compress it, hide it, and see if you’re antivirus engine can detect it.

04:21 - Think of it as a virus that the general antivirus community has decided is a virus, but doesn’t have any malicious capabilities whatsoever.

04:33 - Okay. QR codes. Everybody’s seen QR codes now, right, I would think.

04:40 - Who created those? What are they used for and how do they work? So the “QR” in QR code means “quick response”.

04:48 - And it was created by the Japanese auto parts manufacturer, DENSO, in the mid 1990s.

04:54 - If you own a Japanese car, your car is likely full of DENSO parts, oxygen sensors, computers, things like that.

05:00 - So why did they create it? Well, there’s a bunch of reasons, but the main reason is you can simply just store a lot more information in a QR code that you can in…

05:13 - Do I have one around here somewhere? Here we go.

05:22 - Than in a simple UPC card. I’m not going to show you the whole UPC code because that’s got some sets of data on it.

05:34 - And it’s so like, you know, a standard UPC code, you’d see on a box of cookies at the grocery store.

05:40 - So, what’s inside a QR code? So QR codes are really, really brilliant when you look at them and you start to dissect how they work.

05:50 - So if you see 4. 1. Position. What that means… I’m pointing at the screen, which I guess in a virtual talk, doesn’t really do anything.

06:00 - The position squares basically tell the scanning computer how to orient the barcode.

06:06 - You could see there’s always those three position squares and there’s never a position square in the bottom right of a barcode.

06:14 - And that allows the computer to know that when they’re taking a picture of a QR code, like this one right here, it doesn’t matter what way it’s scanned.

06:25 - The computer always knows that this spot right here should be, so this is mirrored, but it should be right there.

06:35 - Alignment is really neat. So alignment squares are used by the QR code to.

06:44 - See, even though, if you present the barcode to it like this on an angle, it knows the alignment square right here is a square.

06:53 - So it can create like those magic converging lines we did an art school and high school, in art class in high school.

07:00 - To know that it can correct the image to make everything square or square facing the computer.

07:18 - So what would happen if you put the two and two together? You put the EICAR string on a QR code.

07:25 - Well, you get something like this. So again, I’m going to come back to this screenshot in a couple of minutes and explain exactly what it is we’re looking at and where this screenshot was taken.

07:40 - But let’s stop for a minute. And we’re going to talk about where did this whole thing start? Where did the idea of turning EICAR into a QR code come from? So, special shout out to my friend on Twitter, Rob Rosenberger, who planted the seed in my head that there’s probably a lot of systems out there that could scan a QR code.

08:04 - And a lot of them won’t know what to do when they see the EICAR string.

08:09 - So in this case, if you look at the tweet here, he put the EICAR string as a QR code on the side of his car, I think on the front of his car as well, with the idea of maybe triggering antivirus response on license plate scanners, toll booths, things like that.

08:30 - But what was interesting is that the antivirus they had running on his Android phone also triggered detection.

08:37 - So we’re gonna talk a little bit more about attack surfaces in a couple minutes, but the idea here was to get the code picked up by cameras you might encounter whenever you’re driving around.

08:50 - So like toll booth cameras, like automated toll booths, automatic license plate reading cameras, like the ones you see on top of police cars or by law enforcement cars, municipal enforcement cars, parking enforcement cars, private parking lots is a good one.

09:10 - So initially it was just a guess as to what might work and without access to the actual system that scan the QR code.

09:19 - If its scanned it, you probably won’t know for sure if it actually triggered something.

09:25 - But it definitely does work. I’m gonna share a couple video clips with you in a couple of minutes to show you that it actually works.

09:35 - So beyond a sticker on your car, what else could you do with this? So enter the embroidered EICAR QR patch.

09:47 - So what do you think might happen if you take the EICAR text string with you, wherever you go? Stick it on your backpack, put it on a hat, stick it on your shirt, whatever.

10:01 - In many cases you’d have to be really, really close to the camera to have it pick up the QR code, but cameras are getting better all the time.

10:10 - I mean, 4K cameras are not particularly expensive anymore.

10:14 - I have one at the front of my house now, cost a couple hundred bucks.

10:19 - Go to Costco, Costco sells full 4K systems with dozens of, well not dozens, but a half dozen cameras for a few hundred bucks.

10:27 - So cameras are getting better all the time, and they’re going to be able to pick these up, even if you’re not particularly close to the camera.

10:35 - So. Let’s go to the next slide. So devices that you think would need to read or interpret a QR code absolutely can.

10:49 - So this is a checkout terminal for a very large, multinational retail/grocery chain that I will not name.

11:00 - Why would a checkout scanner that should only need to scan a standard UPC code that you find on like a box of cereal need to read a QR code at all? Well, this is clearly added functionality provided to the retailer by the checkout, machine checkout area manufacturer.

11:24 - And it’s probably built into the product during the development phase.

11:29 - You know, things like they might want to add loyalty coupons, purchase tracking, things like that.

11:36 - And also, for example, they’ll send you a QR code coupon on your smartphone and you can scan it and it can read it.

11:43 - They build this into the product because they want to offer all of this to all the customers and not all the customers are gonna use it, but they want it there just in case, right? That’s how things work with a lot of software today.

11:55 - But what happened in this specific case? So the code was scanned.

12:00 - It correctly scanned the string. Can you see my mouse? No, I guess you can’t.

12:05 - But if you look at the top left of the screenshot, you can see that it clearly read the EICAR string from the QR code.

12:14 - And it just instantly returned this error. So what happened after this was scanned? So the checkout became unresponsive to all inputs.

12:24 - Didn’t matter what button you press, what you tried to scan, what you tried to do.

12:28 - It was totally unresponsive. Even a manual intervention by the staff that are on site to help you check out, really they’re just there to stop you from stealing stuff.

12:42 - But they came over. They couldn’t make anything work.

12:46 - They even said, ‘We never seen anything like that before. ’ And then the register eventually rebooted itself after quite a long wait.

12:57 - So I’ll talk about more about, what’s probably happening behind the scenes in a minute, but the reality is you could walk by a group of checkouts and scan this and crash every single one.

13:08 - And no one would have any idea how to fix it until it fixed itself.

13:15 - Okay. So. I’m gonna play a video. This video is sent to me by a random friend, cause I would never do anything stupid like this.

13:22 - That would be really dumb. This is a passport scanner at a port of entry, some country, somewhere.

13:31 - But many countries now offer you the ability to pull up your smartphone, fill out your customs form ahead of time.

13:41 - And that app creates… I don’t think I have one available, let’s see.

13:49 - UI. Yeah. It’s not working. I’m sorry.

13:57 - So, they’ll give you a QR code. Basically, instead of getting those old school paper customs forms where you fill out where you went, what flight you were on, what date you were gone, how much money you spent, you know, do you have any drugs, all that usual stuff, you just check off a bunch of boxes on a smartphone form.

14:12 - And it gives you a QR code, which the QR code contains the answers to all your questions.

14:17 - So what would happen if you scanned one of those machines with the EICAR string? Let’s see. And it’s going to be hard to see.

14:27 - So I’ll walk through it here in a second, but let’s.

14:32 - - [Person From Video] Yeah. - Stupid slides.

14:55 - I’m gonna have to back up here for a second. Sorry guys.

15:03 - Okay. So I can’t pause it and show you, but basically what happened was that machine gave a big fat red error message on the screen and then froze completely with just a total black screen.

15:18 - So like I said, I highly suggest you do not, do not try this at a border cause believe it or not, customs officers don’t really like people screwing around with machines at a port of entry.

15:34 - So what happened here? Don’t know for sure.

15:37 - But it did not like the input. Was not expecting the input that it was hoping to get and it froze the machine.

15:44 - Did not cause, as far as I could tell, thankfully, a general system outage across multiple terminals, which would have been real bad.

15:52 - You literally could walk over to the next machine and scan your QR code there and it worked.

15:57 - So what can we infer from that? These terminals aren’t super smart.

16:03 - They limit the amount of information they send back to a central database or central source, which makes sense because its terminals are literally just reading the questions you filled out on that form and filling out the form for you via QR code.

16:17 - But other systems are sending the interpreted QR code to a centralized location for processing.

16:23 - So let’s watch a few minutes of video and then we’ll explain what happened here.

16:34 - - [Person Recording] Thanks Richard. Now we’re stuck here because fucking Mike had to scan that goddamn barcode.

16:39 - He crashed the fucking machine. It’s fucked.

16:42 - He scanned that fucking EICAR thing. Now we’re fucked.

16:51 - Thanks Richard. Now we’re stuck here because…

16:55 - Minutes later. - [Attendant Over Speaker] Sir, one moment.

17:06 - - [Mike] Thank you. - [Person Recording] Good job.

17:36 - - [Mike] Are you recording a video? - [Person Recording] Yes, I am. Good job.

17:42 - - If they gave me the ticket back, I could go to the other one.

17:44 - - [Woman Recording] Yeah. Mr. Scan-it-on-fucking-everything.

17:48 - - [Attendant Over Speaker] Is someone assisting you, sir? - [Mike] No, there’s nobody here.

18:01 - I can use another machine, but my ticket’s in the machine, so.

18:06 - - [Attendant Over Speaker] Okay, one moment, sir.

18:07 - - [Mike] Okay, thank you. - [Person Recording] Fuck me.

18:10 - - So, so, he got one of those tickets from the parking garage when you go in and then he stuck the EICAR QR code sticker on the ticket and then inserted the ticket into the machine and the ticket wouldn’t remove, nothing worked, but there’s still two more videos.

18:29 - So let’s keep watching. - [Person Recording] 10 minutes later.

18:39 - Still fucked. - Hello hi there. - [Attendant Over Speaker] Yes sir, I am not able to reach anyone at this moment.

18:47 - Can I get your first and last name? - I’ll just go to, there’s a parking guy in the booth, literally 20 feet behind me.

18:53 - I’m just going to back up and go talk to him.

18:57 - Like he’s sitting there- - [Attendant Over Speaker] Sir, if you want to do that.

18:59 - - He’s sitting there staring at me. I don’t know why he doesn’t want to just come over.

19:01 - - [Attendant Over Speaker] Well he should have came out and help you, sir.

19:04 - Long as he’s sitting there. - Yeah that would be nice, but he’s kind of an idiot apparently, so.

19:08 - Anyway, I’ll just back up and go see him. - [Attendant Over Speaker] Okay sir, you can do that or I can just open the gate and let you out.

19:14 - I’ll go talk to the guy. Cause I mean- - [Person Recording] Let’s just open the gate then.

19:19 - - If you can open the gate you can do that too, but I mean, I haven’t paid yet, so.

19:24 - - [Attendant Over Speaker] If I can get your name and number, first and last name and a phone number.

19:30 - - I’ll just go to the guy back here. It’s fine.

19:31 - Don’t worry about it. - [Attendant Over Speaker] Okay.

19:42 - - [Person Recording] Okay so, basically Mike crashed the entire fucking payment system in this entire fucking parking garage.

19:48 - So no one can get out. Apparently they can get in, but that’s about it.

19:55 - Fucked. So the attendant’s going up there to unlock the gate.

20:09 - Go in front of this fucker. Fucking hosed, bud.

20:17 - Hosed. Fucked up big time, buddy. - [Mike] Yeah.

20:31 - - Okay. So what happened here? What can we infer based on what we saw in those clips? People are still able to get into the garage.

20:40 - So clearly the ticket machines that print a parking ticket on the way in don’t require instant interactivity with the database that’s hosted somewhere else, probably in a data center in some remote area.

20:53 - And it makes sense if you think about it because you don’t want to slow the line down on the way in if there’s any sort of network congestion or delay, the inbound machines likely just record a timestamp of entry, generate a unique bar code tied to that timestamp, and then send it back to a database, and set intervals every couple seconds, couple minutes, who knows.

21:17 - This would be great for areas that don’t have the greatest internet connectivity.

21:20 - So like, you know, parking terminal, think three levels down in a garage, isn’t going to have the greatest network connectivity, right? Or in some cases they’re relying on cellular based links and don’t really want to waste bandwidth.

21:37 - They want to save that for the exit phase, which is what messed everything up.

21:42 - So some people were able to exit as you saw in the last clip, but those were monthly parkers who had a different type of pass card to exit.

21:51 - So there’s probably an entirely different system that deals with that.

21:55 - And if you look at the lot of parking machines that have a separate reader for monthly parkers to scan their badge.

22:01 - So there’s probably just a local file that cross references unique IDs, tied to those ProxCards or whatever ID card they use to get out.

22:09 - And it looks for a match and that opens the gate.

22:13 - But for people who had to pay to exit, there was no way to get out.

22:18 - The machines ate their tickets and gates wouldn’t open.

22:21 - So after that last video clip my friends here talked to the the attendant.

22:28 - And basically he said his PC wasn’t working anymore.

22:31 - He couldn’t do anything. He had to come out to manually open the gate.

22:36 - He’d never seen anything like it. So clearly what’s happened is the QR string was transmitted to some database somewhere else and it caused…

22:46 - Do I have notes on that? I don’t. Oh yeah.

22:51 - So string got transmitted to another computer somewhere else.

22:55 - And whatever AV was running on that machine triggered an antivirus alert and dropped it into a quarantine cycle to clean the virus.

23:03 - And the whole system went down. They were in there 15, 20 minutes trying to get out the garage.

23:10 - And so were lots of other people. So.

23:17 - Oh, did it again. I’m sorry. So why does this attack work? Well, pretty simply, much like we’ve seen in the past decade or so with industrial control systems and SCADA systems where companies have just bolted on internet connectivity to these devices with very little or zero thought of the security implications of doing so, you know, they sell these to companies as money saving measures.

23:48 - You know, you don’t have to send a repair person out to some remote pumping station because you can do it all remotely now cause they’re all connected to the internet.

23:57 - They don’t really spend very much time thinking out people might be able to fuck with this stuff.

24:03 - But the bigger part is that most of these smart machines are all running Windows or Windows Embedded underneath.

24:11 - So what does that mean? So like, let’s go back to a couple of famous Windows Embedded malware attacks.

24:20 - So Target and Home Depot are two of the most famous ones.

24:24 - Attackers were able to design malware specifically built to skim credit card numbers on those Windows Embedded cash registers and then exfiltrate all that data somewhere else.

24:36 - I mean, everybody knows, What’s the one of the first security measures you put on a Windows machine? You install antivirus, right? So if your antivirus is just some typical out of the box, antivirus commodity product.

24:48 - And if you haven’t done any customization or any tuning of it, which is often the case.

24:55 - It should see the EICAR string think that it’s being tested and do exactly what it’s supposed to do in order to show that it’s working properly.

25:05 - And that’s quarantine the system and clean it up.

25:09 - So in most cases, an antivirus hits a quarantine cycle, what does it do? A lot of AV makes the system completely unresponsive, makes it unavailable, throws it into a reboot cycle to do like a low-level clean.

25:25 - And this is what’s happening here with a lot of these scans.

25:31 - So. Why are devices and systems scanning QR codes anyways, when they should only be scanning like a UPC code? Well, there’s lots of different barcode formats out there.

25:44 - And I’ll talk about that in a couple of minutes, but you don’t always set the standard UPC code.

25:51 - There’s dozens of different types of barcode performance.

25:53 - So they usually build in that type of functionality to be able to cover all their bases, right.

25:58 - So my gut tells me that most owners have no idea that’s even a thing on the systems they have, and it’s probably not easy to turn it off, not without going back to the manufacturer and saying, you know, we need to disable these types of inputs scans.

26:15 - Why would you even ask that? You wouldn’t even think to ask that question.

26:20 - So, like I said earlier, you know, added functionality by developer.

26:23 - These companies want to be all things to all people.

26:26 - So they just build it in and hide it from those people that don’t need it, but it’s there if you need it.

26:32 - So let’s talk about attack surfaces. What other things might you be able to scan with the EICAR string? So coupons, here’s a carwash coupon, A lot of newer or very modernized car washes, the really cool ones with the neon lights and the 16 colors of foam they spray on your car.

26:55 - They have the ability to accept coupons that you present to the payment machine.

27:01 - And those coupons are often QR codes. And why are they QR codes? Because each QR code can be unique to the person presenting it.

27:09 - It’s not like just a coupon code, right? It allows them to track.

27:15 - It allows the marketing people to track the effectiveness of advertising campaigns, right? So they know if this person used this coupon then they’ll probably do it again.

27:23 - So you might want to offer them another, but if someone else didn’t use it, then it may not be worth spending the resources on them.

27:29 - So what happens if you scan the EICAR string there instead? What else? Price checking scanners.

27:40 - Maybe, maybe not. Really all depends what the scanner does with the data and what the underlying system is.

27:47 - So Target, for example. Newer Targets, the newest price code scanners at Target are all Android based tablets.

27:55 - Not like this one on the screen. This is an older one, but while the Target Android ones can read the EICAR string and you could see it if you go up and present it, it’ll actually interpret the string and show it on the screen.

28:09 - Nothing happens. But other price code scanners? Maybe.

28:16 - So this is a discontinued older one that you’ll see in a lot of stores.

28:21 - And you can see here that it’s running Windows CE 5. 0, and it says right on the top, ‘fast and intuitive barcode reading of all linear and 2D barcodes. ’ So linear barcode is just another way of saying like a one dimensional barcode, like a UPC code.

28:43 - And 2D means just that two dimensional barcodes like a QR code.

28:49 - And like I said, it’s running Windows. So many of the new ones.

28:53 - You go back, you go to like a point of sale vendor, people that provide these types of products to small stores and stuff.

29:02 - Most of them all transitioned over to Android, but like we saw in Rob’s tweet way back.

29:08 - There’s plenty of Android based antivirus products out there that detect the EICAR string and will think there’s a virus.

29:14 - So what else? Luggage tags. Probably not.

29:21 - All the luggage tags that I’ve seen in my travels and the ones I can find online, all use the 1D barcode format with a short identifier strings.

29:31 - Typically it’s just two letters to signify the airline and then a six digit string of numbers to uniquely identify that piece of baggage.

29:44 - That doesn’t mean there aren’t systems behind the scenes that can interpret a 2D barcode.

29:48 - So, if you stuck the EICAR strain to your suitcase, who knows what would happen and you probably never know what would happen unless you can find a friend who works inside airport IT.

30:00 - So if you’re watching this talk and you work inside an airport infrastructure, and you would like to try it out, I would love to find out if it worked.

30:08 - Feel free to let me know. So the next one is my favorite.

30:14 - Hard to see with the screenshot here, I know.

30:17 - But, automated license plate readers on police cars and parking enforcement, private parking lots, ALPR.

30:26 - Most of the police cars, municipal enforcement, private parking enforcement, They all have Toughbooks in there cars.

30:34 - You walk by these cars and see Toughbooks, right? Most Toughbooks are always running Windows.

30:40 - And if you look at the software, I know it’s really hard to see, but you can see that this is running Windows.

30:44 - The software that’s provided by a very large company.

30:49 - Obviously not going to name names, but you can figure it out for yourself.

30:54 - The company claims on its website, that it works with all license plates.

30:59 - No matter where they’re from, which means there’s gotta be a lot of flexibility, and leeway for how it’s scanning things, right? Because there’s thousands of different kinds of license plates, different fonts, different spaces, and different states and provinces, things like that.

31:12 - So what if you stuck on EICAR sticker next to the license plate and it picked it up? It might.

31:23 - I have another slide, but I’m pretty sure I remember a story way back when someone printed a SQL string on their hood in the UK and it crashed the speeding ticket cameras.

31:33 - Does that ring a bell, anybody? It’s ringing a bell for me.

31:36 - But amazingly, I have yet to be able to find a parking enforcement officer, a police officer, who will actually let me actually try to see if I can crash their system.

31:43 - No matter how I phrase it or how nice I try to be, no matter how I frame it around security research, none of them are interested.

31:52 - But what else? QR codes are being much more prevalent or much more used in things like big events, sporting games, concerts, things like that.

32:07 - So could you present the EICAR string to them as your ticket and crash a central system? It’s very possible.

32:17 - Hospitals. Hospitals are likely very susceptible to this attack.

32:24 - Lots of backend systems provided to hospitals are Windows based.

32:28 - I know this for a fact. And I have someone close to me who works in healthcare IT and deals with this kind of stuff all the time.

32:36 - And their backend systems are all Windows based.

32:41 - So here’s like a patient bracelet with a type of QR code.

32:45 - Here’s for those of you with children, when your a kid is born, they put a bracelet around the kid and a bracelet around you just to track the baby through the hospital.

32:56 - Make sure you leave with the right child. Lots of QR codes on those ones.

33:04 - So these are QR codes on blood transfusions just to make sure the right person gets the right blood and follows the chain of custody of that blood as it moves through the hospital.

33:19 - So yeah, they should probably start looking for this.

33:23 - Extending this attack. So how do you want to make sure, if you’re going to test your own systems, because this is the only time you should be doing this, right guys? There are, like I said earlier, there are a lot of 2D barcode types out there.

33:39 - So you should try and figure out which one your target is using.

33:44 - So here’s EICAR as a Data Matrix QR code. Here’s the Aztec format.

33:53 - You see this a lot on like Amazon packages, UPS boxes, things like that.

34:00 - That’s the EICAR strain right there. It doesn’t look any different than any other one.

34:04 - MaxiCode, you used to see on a lot of, it was either UPS or FedEx a long time ago, I think it was UPS.

34:11 - I don’t see that on their boxes anymore. I really haven’t been paying attention to UPS and try not to use them.

34:18 - MicroPDF417. That’s another barcode format that you’ll see in a lot of places.

34:22 - There’s the EICAR string there. The Han Xin barcode format obviously is one you probably don’t see much here, but you might see it overseas a lot.

34:33 - You might see it on electronics components, things like that that are manufactured overseas.

34:40 - These are some of the ones that I was able to actually encode the complete EICAR string into.

34:45 - There are lots of other barcode formats out there, but most of them will not take the EICAR string because the character space is very limited.

34:55 - In some cases it’s just numeric, in some cases it’s just alphanumeric, some cases it doesn’t use the extended Unicode character set.

35:01 - So there was no asterixis, slashes or whatever.

35:04 - So what I suggest you do is just go online and look for a barcode generator.

35:09 - There’s some really good ones that will show all the dozens of dozens of different barcode formats out there.

35:13 - And you can put in whatever information you want.

35:17 - There are some that are used specifically for bank transfers, where you put in account details and a receiving bank, sending bank.

35:25 - You could hide the EICAR string in one of those pretty easily.

35:30 - But beyond the EICAR string, could you take some malicious JavaScript and have a system parse it? Or could you do something as simple as sending someone to a malicious URL? Yeah, QR code.

35:44 - You sure can. So this is from (indistinct) many years ago.

35:48 - Where this is, if you interpret this QR code is just the, the standard cross-site scripting alert script that you would write to test for the existence of a cross-site scripting attack.

36:03 - So you could use this to try and maybe see if something is vulnerable to a cross-site scripting overload.

36:11 - There are cases of malicious QR codes being used in the past in places like Russia, to fool people into signing up for premium SMS scams.

36:24 - So like $6 a message type scams, that’s happened in the past.

36:29 - But what other systems might you be able to attack beyond just like barcode scanners? What would happen if you decided to encode the EICAR string into an RFID tag? Automatic teller machines often use Windows underneath.

36:51 - Could you use the payWave/smart card? You know, the little chip, proximity chip thing that you’re seeing in a lot of places around the world just to quick, you know, tap and go, could you code the string onto a chip and scan it into the ATM or the data machine? So I’m not going to try and find out, but maybe someone else will, who owns an ATM for experimentation will.

37:20 - Railroads. A lot of railroads have been using RFID tags on cargo containers to track cargo movement and have been doing it for decades.

37:30 - I first learned about this more than 20 years ago as I was living in Toronto at the time.

37:37 - And there was a main rail line going right by the house I was living at.

37:41 - And we would often go like, just watch the trains and stuff.

37:44 - And there was a little hut. And there was a big Yagi antenna pointed at the tracks.

37:52 - And you could see when train rolled by, it was pointed in such a way, or it was just pointing at the front edge of the containers and doing some reading at the time they stick RFID tags on the containers to be able to tell customers where their cargo is.

38:08 - So if someone wants to know, you know, I’ve got something that’s gotta be in Los Angeles in a week and it’s just leaving New Jersey, I want to see where that thing’s moving through the rail network.

38:18 - And the way I was able to confirm it was, I was a much younger guy.

38:22 - I was much more willing to go ask questions.

38:26 - There was a rail crew working in that little mini hut.

38:29 - I went up and asked them what they were doing.

38:30 - And they literally were happy to explain, ‘Oh yeah, this was an RFID system.

38:34 - Look, here’s the manual you use. ‘ So don’t be afraid to ask people because they typically just think that you’re a hacker spirit.

38:42 - You just want to learn how things work, right? So, but beyond that, so now a whole bunch of retailers are using RFID tags to both combat theft and to make checking out a way faster.

38:54 - So I don’t know if you’ve been in a Uniqlo anytime in the recent couple of years, But you literally just walk up to the cash register with your bundle of clothes and you just set it down.

39:05 - And they, they know within like a second, what it is you got, what sizes they are, and they tally it all up.

39:13 - They don’t have to scan each one anymore. It makes things really fast, but you can get, so here’s some of the Uniqlo tags, they use three different types of RFID tags in their stores.

39:27 - So come back to that in a second, but you can buy on even on Amazon right now.

39:33 - Let me see if I have a picture of it. I do. Okay.

39:37 - Come back to that a second, but you can clone RFID, like, I mean, look at the RFID Thief that Bishop Fox made many, many years ago.

39:48 - I’m pretty sure Proxmark3 can do it, but you can buy just about anything on AliExpress or Amazon these days.

39:59 - That’s a roll of RFID tags you can write to, I think you buy on Amazon for two bucks.

40:06 - So it would be very simple to encode the EICAR string into some RFID tags and go see if you could make things stop working.

40:19 - Is this shit legal? Well, I am not a lawyer.

40:22 - So, but the question really is what is the legality around walking around with a giant barcode on your backpack and causing random camera systems to crash.

40:32 - I mean, you didn’t give them the permission to scan your barcode and why should they be scanning barcodes anyways, right? But if you decided to start actively scanning things like you walk up to the cash register, you scan it with the EICAR string and it causes things to crash and they catch on to what you’re doing.

40:54 - That’s probably not going to work out well for you.

40:57 - You know, maybe a mischief charge, computer mischief charge, who knows.

41:02 - But do you want to try it out for yourself? I mean, how can you do this? Sticker Mule, love Sticker Mule.

41:09 - Great place to get small runs of stickers, done cheaply, but there are lots of other sites out there that will do stickers for you cheap.

41:18 - Laser labels work great. Remember QR codes are pretty flexible, are very fault tolerant as to, you know, how rough the scan will be, because you have to remember, like if you put something on a UPS package and it crosses miles of conveyor belts, you know, sometimes those stickers, those QR codes are going to get slightly roughed up.

41:38 - So there’s quite a bit of error correction inside QR codes to help.

41:43 - So you can print them all at home yourself.

41:48 - So embroidered patches, like I showed in an earlier picture, I sell them.

41:55 - I do not sell them for a lot of money. I’m not doing this to make money.

42:00 - Figure out how to find them yourself. So I’m not going to shill them here, make them yourself.

42:05 - I can share the design with you. If you want to make a whole bunch yourself, reach out to me.

42:08 - I’ll tell you who my manufacturers overseas and introduce you to them.

42:12 - You can make a whole bunch of patches yourself, but if you’re at DEFCON, DEFCON proper and not watching this online, come see me at the end of the talk.

42:22 - And I’ll give you a patch for free because I got hundreds of them, hundreds, and I have a new special never really seen before and never released giant EICAR QR string.

42:41 - So come on up, see me. And you can get a patch for free.

42:47 - If you’re watching this online, reach out to me on Twitter or something and think I’ll go create a special coupon code for you or something.

42:55 - So with that being said, as part of the in-person talk, time for questions.

43:01 - For the rest of you, did you find something interesting trying this out at home yourself? Let me know either on Twitter or you can email at richard@goatse. cx.

43:10 - Yes, that’s my real email address, goatse. cx.

43:13 - Some of the old timers will probably get a kick out of that email address.

43:17 - And if you’re not a gray beard like me, then don’t go looking up what goatse. cx is.

43:26 - So thanks for listening. I really appreciate it.

43:28 - It was fantastic to be able to talk to you all today.

43:30 - And I look forward to hearing from some of you in the future.

43:36 - Cheers. .