Saturday, 3 December 2011

The Bar Code Hack

A certain academic library, close to my house, has dumb terminals and IBM compatible micros set up throughout the building for the public to use. The IBMs also have light pens attached. On those computers, patrons can access and change information about themselves, using the bar codes on their library cards for security.

One fine day I decided I wanted to hack the system. I knew from random trying that BYE from the Main Menu brought me to a screen that asked for my bar code number. Naturally, I was not allowed staff access, so scanning my library card did nothing. I needed a staff card - preferably one with high access levels, like the library card of the library director, or some supervisor or someone like that. I was not about to become a pickpocket to get a card. There was a better, more flexible, more hacker-like way of solving the problem. I would use computer technology to defeat the computer.

When you look at a bar code, you will generally see little numerals printed below the stripes. This is the number that the bar code is encoding. On a library card (or the bar code put on library books), the number is about sixteen digits long. There is an initial grouping which identifies the bar code as belonging to that particular library, followed by some zeros, and then a concluding seven or eight digits. This kind of numerical arrangement applies to your checkbook account number, and many other numbers used to identify you.

Now, the only part of the number that really matters is the last group of eight digits, following the zeros, since the library identification portion doesn't change from one person to the next. This meant that if I wanted to try a brute force entry of every bar code number until I found one with high access levels, I wouldn't have to try trillions and trillions of numbers - only a hundred million or so.

Naturally I wouldn't be able to type in those bar code numbers from the keyboard (and who would want to, anyway?). You see, the computers do not allow people to walk over and type in bar code numbers. If they did, then anyone who knew anyone else's code number could easily access the private records of anyone else.

That meant, even if I found out the bar code number of the library director, I still wouldn't be allowed into the backstage areas of the library program. I would still need the director's library card.

A way you might be able to get around this is to scan your bar code, and look at what happens. Did the computer put a carriage return at the end of the number? If not, see if you can back up and alter digits.

If a carriage return was added, try scanning your bar code again, this time sending a break or pause signal as soon as you do. You might be able to make the computer think it's receiving the entire bar code, although you will be able to change and add numbers to suit your needs. If you pushed control-S to pause the bar code - and it worked - try pressing control-C and see if this stops it from reading in more digits from the scanner.

The bar code will be read in and placed on the screen rather quickly, so it may be difficult to stop it halfway through. If there's a printer attached to the computer, try sending output to it. This might slow down the bar code enough to let you break it at the right time. Also, if it is a computer you're working on (not just a terminal) there might be a "Turbo" button that you can press to take it out of turbo mode. If there is no button (but you know it's in turbo mode because there is a "Turbo" light lit up), there will be some way of disabling turbo mode through either the software (break into the DOS shell and see if there's a SPEED command or something similar), or through the keyboard (often something like Ctrl-Alt-Minus sign will take it out of Turbo).

Another difficult thing to do is to try giving the scanner only a partial or erroneous code. Occasionally bar code readers can be duped into thinking a bar code of a kind it's not supposed to be able to read is the correct type. Then it may read that code and stop halfway through, to wait for the rest of the input. Lastly, if there is a way of accessing terminal parameter menus, by all means do so: often there is some sort of switch which toggles automatic sending of input, or the key code used to send input. By disabling the automatic send, you can manually input the bar-coded information.

All of these above suggestions imply that you have managed to get ahold of the bar code number of someone important in the library hierarchy - someone whose ID number you can use to access the rear end of the system. If you do happen to know the number, then you can try to print up a bar code for it, either by using bar code generating software, or by carefully examining bar codes until you have determined what thickness and pattern of lines are used to represent the different digits.

But I didn't have anyone's number. The purpose of my hack was to find one. So I had to find a way of using the light pen to scan in a hundred million bar codes that I didn't have, until one was discovered that could access the library program's secret side.

I could've used a bar code program to print out all of those different combinations of digits but that would have been a huge waste of time and effort. The light pen (also known as a "wand," "bar code reader," or "scanner") works like this. Light is emitted from an LED inside the pen, focused through a sapphire sphere (which acts as a lens) onto the bar code. The light is then reflected off the page, and now focused through the sphere onto a photo-sensor, which converts the reflected light into bursts of voltage. The electrical output of the photo-sensor is amplified, thus generating a signal proportional to the series of black and white lines of the bar code label.

The pen is attached to the computer either via some external box, or an internal card. This box/card decodes the on-off firing pattern of the voltage into usable ASCII characters. At the time of decoding, voltage corresponding to white lines is approximately 0.11 volts, and 0 volts for the black lines. My plan was to send voltages into the scanner, making it think it was reading a bar code, when really all it was doing was being victimized by a clever hacker's brute force attack.

If you are programming a computer or signal generator to create fake codes for you, some fidgeting around might be necessary before you arrive at the correct numbers for that particular system. Also, the time it takes to generate a complete code will have to be adjusted accordingly: usually scanners will accept bar codes at up to 45 inches per second. Perhaps you can manage to locate appropriate technical manuals or some source code listings, or call up the company and ask to speak to a technician about what ideal values are for voltages and timing. If it is a computer you are working with, rather than a dumb terminal, it is possible the bar code decoding program is memory resident. You might be able to circumvent that program, or trick it into reading input from a disk file you supply. A good idea would be to copy the contents of the fixed drive, then at home see if there's a way of making the scanner decoder think the keyboard is the correct RS232 serial interface to look at for input data.

Finally, remember that there will be a check digit at one end of the bar code, or both ends, although it will almost never be printed on the label itself. If the check digit is printed on the bar code label, study some sample bar codes and try to work out the method used to generate the check digit. You don't need to look at only bar codes on library cards - which you would probably have difficulty finding enough of - you can examine bar codes on books and come up with the same result.

For example, the check digit formula used by the Universal Product Code found on supermarket food packages is the following: 210 minus three times the sum of the alternating digits (starting with the separated digit to the left of the bar code), minus the sum of the remaining digits. The check digit is the last digit in your answer.

Figure 6: The UPC check digit system. The initial digit may appear in either of the spots marked with a 0. The subsequent digits are placed under the bar code, with the check digit appearing in either of the two places marked with a check mark.

The UPC check digit formula is:
210 - 3 (a + c + e + g + i + k) - (b + d + f + h +j)

For this sample bar code, the formula is:
210 - 3 (0 + 2 + 4 + 6 + 8 + 0) - (1 + 3 + 5 + 7 + 9) = 125

The last digit of the answer is 5.
Thus 5 is the check digit.

Back to the target of my attack, that academic library near my home. The light pen at one of the computers was attached with a telephone-style modular clip. It could easily be removed. I bought a receiving jack of appropriate size and used a cable to connect it to the modem port of one of my smaller portable computers. Then I modified an auto-dialer program to spit out bar code numbers in the range I needed. I was all set.

A few days later it was Saturday, and it was a gorgeous day. I had expected to pull off this stunt on a Sunday because I'd seen the results of a user survey which indicated that fewer people came into that particular library on Sunday than any other day of the week - the last thing I needed was a bunch of onlookers. But it was such a beautiful day I figured everyone would be at the beach. I was right; practically no one was there.

I detached the light pen from the library's computer and connected the plug into my portable's jack. I typed BYE, which brought me to a prompt which asked for my bar code before it would allow me to go backstage. Then I started the program running. It worked fine - the program was sending bar code numbers through the modem port and into the light pen cable. The library's computer had no way of knowing that the data it was receiving was not coming from an actual bar code. I closed the cover of my little portable, and hid the whole thing under a newspaper. Then I sat there and read a magazine while it went through the numbers. After a while I did find a bar code number associated with a privileged account, and I was able to use it to change the status of my own library card to a virtual superuser.

That was great in and of itself, but having superuser status allowed me to go one step further. Since I now had access to patron records, I could find out the addresses, phone numbers, student IDs, social security numbers and birth dates of everyone with a card at that library. This meant I had background information on virtually every student at the school, and every professor and staff member. I could also find out what books were checked out to people, and therefore the subjects and hobbies that interested them. Using all this information it was a simple task getting into many network accounts I should not have been able to get into otherwise.