barcOwned—Popping shells with your cereal box

DEF CON 26

Presented by: magicspacekiwi (Colin Campbell), Michael West
Date: Sunday August 12, 2018
Time: 13:00 - 13:20
Location: Track 3

Barcodes and barcode scanners are ubiquitous in many industries and work with untrusted data on labels, boxes, and even phone screens. Most scanners also allow programming via barcodes to manipulate and inject keystrokes. See the problem? By scanning a few programming barcodes, you can infect a scanner and access the keyboard of the host device, letting you type commands just like a Rubber Ducky. This culminates in barcOwned—a small web app that allows you to program scanners and execute complex, device-agnostic payloads in seconds. Possible applications include keystroke injection (including special keys), infiltration and exfiltration of data on air-gapped systems, and good ol' denial of service attacks.

Michael West

Michael West, aka T3h Ub3r K1tten, is a National Technical Advisor at CyberArk who likes cats. His homelab has over 640 kilobytes of RAM. Michael presents regularly at Dallas Hackers Association and enjoys combining his software dev background with infosec to build tools for others. His interests include OSINT, amateur radio, and scanning long barcodes on the beach. @t3hub3rk1tten, https://mwe.st, https://barcowned.com

magicspacekiwi

magicspacekiwi, aka Colin Campbell, is a Web Developer with a focus on user experience and considers security an important (but often neglected) part of that experience. They've managed to log over 1500 hours in Overwatch while being stuck in plat. Ask them about their nginx configs.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats