Barcodes Are Input, Too…

barcodeLately I’ve been collecting barcodes. Not the ones off of cereal boxes, soda bottles, or that sort of thing… I’m not a weirdo! ;) But I have been collecting the store-generated barcodes from grocery stores, gas stations, etc. It’s interesting to see how what does or doesn’t get encoded and trying to think of ways to abuse it.

At one location — a grocery store — I noticed their barcodes encode a somewhat generic department/category identifier, followed by a price, and then a Luhn check-digit. Very simple. So, of course, I began wondering how easy it would be to take advantage of this. Barcode swapping is obviously nothing new. I just think it’s kind of neat that with just a tiny change to a few lines of the barcode, something can go from $8.79 to $3.79…

Since I obviously don’t want to go to jail for defrauding a store, though, I probably wouldn’t ever try such a thing. Or, if I did, it would be more along the lines of changing the price from $3.79 to $3.80, just to serve as a proof of concept. Does it still count as fraud if I pay them more…? ( #NotALawyer )

Think of how much trust is put into, say, membership IDs, identity bracelets at hospitals, etc. If it scans, it must be legitimate, right? And are they just checking for a valid-looking barcode and logging it somewhere or is it actually doing look-ups in a database?

There real fun, though is with sending unexpected input. After all, barcodes are typically just a quick and fast replacement for hand-keying values on a keyboard… So what happens if my coupon, membership card, etc. gets scanned and instead of a numeric-only barcode, I’ve encoded the message “KevinWasHere”? Or maybe encode some SQL-Injection commands in there? What if the encoded price is changed from 3.79 to -3.79…?

I would assume that most POS systems have safeguards in place to limit access to the system via traditional means. Maybe it’s all just a touch-screen and no physical keyboard. That might help stop a cashier from using the register to check Facebook, for example, but who needs a keyboard when you’ve got a barcode scanner…? What happens if the barcode scanner is tricked into sending the Escape key? Even if the barcode scanner is programmed in a way that would generally make abusing it difficult, it’s very common for the barcode scanners themselves to be programmed and reprogrammed purely by scanning certain barcoded commands in a certain order. If someone gets access to your company’s “price checker” kiosk, what damage could be done?

None of this stuff is worth jail time, of course. People should only consider messing around with this sort of thing if you have legitimate access to a system and want to ensure proper input validation is being enforced for barcode scans.

That being said, there’s nothing stopping you from using apps on your phone or whatever to scan barcodes given to you on receipts, confirmations, etc. and getting a better idea for what makes them tick. Does it have your account number, DOB, or other potentially sensitive information encoded? How else would you know unless you check?

Share Your Thought