Industrial control systems (ICS) can be exploited by barcode scanners, researchers at the IOActive cybersecurity services company said on Tuesday.
Hackers have previously shown that keystrokes can be remotely injected into the computer the scanner is connected to via an industrial barcode scanner, which could result in the computer becoming compromised.
IOActive researchers also looked at industrial barcode scanners and part of their research, described in Tuesday’s blog post, focuses on scanners used by airport baggage handling systems. The experts, however, warned that the same attack vector could be exploited in multiple ways, and also against other sectors.
This part of the research focused on products manufactured by SICK, a German-based manufacturer of sensors for industrial automation applications , specifically the company’s SICK CLV65X fixed mount barcode scanners, which are typically deployed for automated baggage handling systems at airports.
These devices can scan barcodes that include custom CODE128 barcodes for “profile programming.” Scanning such a barcode can result in changes to a device’s settings and this is done directly without a host computer being required.
The problem is that this process does not involve any authentication mechanism, allowing an attacker to create a malicious barcode which causes the connected device to become inoperable when scanned by a vulnerable scanner, or changes its settings in an effort to facilitate further attacks.
IOActive researchers used reverse engineering to determine the logic used to generate barcodes for profile programming, and confirmed that they are not linked to specific devices.
In late February 2020, IOActive reported its findings to SICK and the vendor issued an advisory on 31 May.
“An attacker with the ability to display special barcodes to the affected devices under his power, with ‘profile programming’ allowed, is able to modify the configuration without requiring any authentication,” SICK said in its advisory. “It may have an impact on transparency, honesty and confidentiality.”
SICK has advised clients to disable the default programming function for profiles. The company’s advisory provides detailed guidance on how to deactivate the feature.