barcode metadata & privacy - what is the risk really?


Upload: issa-international

Post on 20-Feb-2017


TRANSCRIPT

Page 1: Barcode Metadata & Privacy - What is the risk really?

Barcode Metadata & Privacy: What is the risk really?

A presentation on scanners that can pull data from barcodes and QR code types

Dr. Shawn P. Murray, C|CISO, CISSP, CRISC, FITSP-A, C|EI
Presented 18 Jan 2017 - ISSA Colorado Springs Chapter

Page 2: Agenda

Agenda

• Types of Barcodes
• Types of Images
• Boarding Passes
• Scanners (online)
• Analysis
• Other Card & Data Sources
• Mobile Application Scanners
• Findings and Determinations
• References & Questions

Page 3: Types of Bar Codes

Types of Bar Codes

• There are lots of different bar codes.
• Some bar codes are numeric only (e.g. UPC, EAN, GS1 DataBar, ITF Interleaved 2 of 5).
• Some bar codes are fixed length (e.g. UPC-A is 12 digits, UPC-E is 6 digits, EAN-13 is 13 digits, EAN-8 is 8 digits, and GS1 DataBar is 14 digits).
• Some bar codes can hold both numbers and alphabetic characters (e.g. Code 93, Code 128, and Code 39).
• One bar code allows you to encode all 128 ASCII characters (Code 128).
• 2D bar codes allow you to encode a lot of data into a small space (PDF417, Data Matrix, QR, and MaxiCode).

NOTE: Many readers have to comply with their customer's or industry's bar coding specifications; no choice is possible, just compliance. Look at the following samples of printed bar codes:

http://www.barcodehq.com/primer.html

Page 4: Types of Images - PDF417

Types of Images: PDF417

PDF417 is a stacked linear barcode symbol format used in a variety of applications, primarily transport, identification cards, and inventory management. PDF stands for Portable Data File. The 417 signifies that each pattern in the code consists of 4 bars and spaces, and that each pattern is 17 units long. The PDF417 symbology was invented by Dr. Ynjiun P. Wang at Symbol Technologies in 1991 (Wang 1993). It is standardized as ISO/IEC 15438.

PDF417 is one of the formats (along with Data Matrix) that can be used to print postage accepted by the United States Postal Service. PDF417 is also the symbology selected by the airline industry's Bar Coded Boarding Pass standard (BCBP) as the 2D bar code for paper boarding passes. PDF417 is the standard selected by the Department of Homeland Security as the machine-readable zone technology for REAL ID-compliant driver licenses and state-issued identification cards. It is also used by FedEx on package labels.

https://en.wikipedia.org/wiki/PDF417

PDF417 is a multi-row, variable-length symbology with high data capacity and error-correction capability. PDF417 offers features that make it a widely used 2D symbology. A PDF417 symbol can be read by linear scanners, laser scanners or two-dimensional scanners. PDF417 is capable of encoding more than 1100 bytes, 1800 text characters or 2710 digits. Large data files can be encoded into a series of linked PDF417 symbols using a standard methodology referred to as Macro PDF417.

Page 5: Boarding Passes

Hundreds of images of boarding passes for airline flights (Google image search)

Page 6: Scanners

Scanners

“Inlite's Barcode scanner software is the best barcode recognition solution for your product, Web Site or IT department.”

They sell technology that can extract data from driver's licenses and other forms of government-issued ID, yielding much more detailed information than the printed text alone.

Page 7: Scanners

Scanners

“Enable your Windows application or Web Service to read barcodes from any image file, database, mobile phone camera, scanner or fax.”

Page 8: Scanners

Scanners

ZXing online decoder: http://zxing.org/w/decode.jspx

Page 9: Analysis

Decoding a boarding pass barcode can retrieve the date of travel, record locator, seat number, name of the traveler, and flight number.


Page 11: Analysis

Scanned a membership card, which revealed my membership number. The scanner also provided the details regarding the barcode type and parameter data.

Page 12: Mobile Application Scanners

Mobile device scanners on iTunes & Android

Page 13: Findings & Determinations

Findings & Determinations

The data and information printed on boarding passes is mostly the same as what is stored in the barcode or QR code, which may include:

• Traveler name – first & last
• Record locator & confirmation information
• Flight information (flight number, date of travel & seat number)
• Frequent flyer miles and rewards status (silver, gold, platinum)

What data is not stored in the barcodes or QR codes on boarding passes:

• Address
• Credit card information
• Contact information (email, telephone, etc.)
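The boarding pass fields listed on pages 9 and 13 come from the fixed-width mandatory block of the IATA Bar Coded Boarding Pass (BCBP) "M" format mentioned on page 4. The parser below is an added example, not code from the presentation or from any scanner vendor; the payload it decodes is constructed with a fictitious passenger and booking, and the frequent flyer data mentioned above lives in the optional conditional block, which this example does not parse.

```python
import datetime

# Fixed-width layout of the mandatory 60-character block of an IATA BCBP
# "M"-format boarding pass barcode, as (field name, width). The optional
# conditional block that follows (frequent flyer number, etc.) is not parsed.
BCBP_MANDATORY_FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("pnr", 7), ("from_airport", 3),
    ("to_airport", 3), ("carrier", 3), ("flight_number", 5),
    ("julian_date", 3), ("compartment", 1), ("seat", 4),
    ("checkin_sequence", 5), ("passenger_status", 1),
    ("conditional_size_hex", 2),
]

# Fields the presentation identifies as useful to an adversary:
# traveler name, record locator, flight number, date of travel, seat.
PII_FIELDS = {"passenger_name", "pnr", "flight_number", "julian_date", "seat"}

def parse_bcbp(payload: str) -> dict:
    """Split the mandatory block into named, whitespace-stripped fields."""
    if len(payload) < 60 or payload[0] != "M":
        raise ValueError("not an IATA BCBP 'M' format payload")
    fields, pos = {}, 0
    for name, width in BCBP_MANDATORY_FIELDS:
        fields[name] = payload[pos:pos + width].strip()
        pos += width
    return fields

def flight_date(julian_day: str, year: int) -> datetime.date:
    """BCBP stores only the day of year (001-366); the year must be assumed."""
    return datetime.date(year, 1, 1) + datetime.timedelta(days=int(julian_day) - 1)

def pii_exposed(fields: dict) -> dict:
    """Return only the non-empty fields a scanner would hand an adversary."""
    return {k: v for k, v in fields.items() if k in PII_FIELDS and v}

# Constructed sample payload (fictitious passenger and booking): name padded
# to 20 chars, then e-ticket flag, PNR, DEN->LAX, UA 1234, day 018, seat 12C.
SAMPLE = "M1" + "DOE/JANE".ljust(20) + "EXYZ789 DENLAXUA 1234 018Y012C0042 100"

if __name__ == "__main__":
    parsed = parse_bcbp(SAMPLE)
    print(pii_exposed(parsed))
    print(flight_date(parsed["julian_date"], 2017))  # 2017-01-18
```

The same slicing works on the text an online or mobile decoder returns for a PDF417, Aztec or QR boarding pass, since the BCBP payload is independent of the symbology that carries it.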

Page 14: Findings & Determinations

Findings & Determinations

Data stored on other card or name tag types can be more concerning. Examples:

• I scanned the QR code on name tags from several conferences I had registered for and found that all of the information I provided when I registered on the site could be retrieved using one of the scanners shown previously. This included:
  Name (preferred name)
  Address
  Phone number (if provided upon registration)
  Email contact
  Company information

• Data retrieved from membership cards did not include any data that was not presented in plain text on the card (e.g. membership number).

Page 15: Findings & Determinations

Findings & Determinations

Data can be used by an adversary to identify and collect additional information that could be used to target the victim in the future.

• Used social media & open source tools to track down one person in the U.S. & retrieved:
  Address
  Phone numbers
  Email contact
  Spouse, children and friends' names & social profiles
  Employer information
  Property records & home purchase information
  Knowledge of hobbies, favorite sports teams and political & religious affiliations

QR codes may be distributed by malicious actors to link to sites that contain malware!

• As with normal phishing methods, don’t open links or attachments from people you don’t know.

Page 16: References

References

What’s in a Boarding Pass Barcode? A Lot

https://krebsonsecurity.com/2015/10/whats-in-a-boarding-pass-barcode-a-lot/

PDF417 Fontware & Writer SDK 4.1 User Manual

http://www.morovia.com/manuals/PDF417-Font-ware-Writer-SDK-4/chapter.overview.php

The hidden data on a boarding pass

http://www.economist.com/blogs/gulliver/2015/10/security-check

Why You Should Eat Your Airplane Boarding Pass Once You Take Your Seat

http://www.slate.com/blogs/future_tense/2015/10/08/barcodes_and_qr_codes_on_airplane_boarding_passes_are_easy_to_hack.html

What’s contained in a boarding pass barcode?

https://shaun.net/whats-contained-in-a-boarding-pass-barcode/

Airlines Complete Move to Bar-Coded Boarding Passes

http://www.iata.org/pressroom/pr/Pages/2010-12-15-01.aspx

You don’t need to tear up your boarding pass and eat it after you fly

http://fusion.net/story/214993/boarding-pass-barcode-privacy-scare/

Privacy Impact Assessment for the Boarding Pass Scanning System

https://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_tsa_bpss.pdf

Staying Three Beeps ahead of TSA PreCheck

https://www.travelcodex.com/2013/01/staying-three-beeps-ahead-of-tsa-precheck/

A Bar Code Primer, ©1997-2015 Worth Data

http://www.barcodehq.com/primer.html

Page 17: Questions?

Questions?