Barcode Metadata & Privacy - What is the risk really?
1. 1
Barcode Metadata & Privacy
What is the risk really?
A presentation on scanners that can pull data from barcodes and QR code types
Dr. Shawn P. Murray, C|CISO, CISSP, CRISC, FITSP-A, C|EI
Presented 18 Jan 2017 - ISSA Colorado Springs Chapter
2. 2
Agenda
• Types of Barcodes
• Types of Images
• Boarding Passes
• Scanners (online)
• Analysis
• Other Card & Data Sources
• Mobile Application Scanners
• Findings and Determinations
• References & Questions
3. 3
Types of Bar Codes
• There are lots of different bar codes.
Some bar codes are numeric only
(e.g. UPC, EAN, GS1 DataBar, ITF Interleaved 2 of 5).
Some bar codes are fixed length
(e.g. UPC-A is 12 digits, UPC-E is 6 digits, EAN-13 is 13 digits, EAN-8 is 8 digits, and GS1 DataBar is 14 digits).
Some bar codes can encode both numbers and alphabetic characters
(e.g. Code 93, Code 128, and Code 39).
One bar code allows you to encode all 128 ASCII characters
(Code 128),
while 2D bar codes allow you to encode a lot of data into a small space
(PDF417, Data Matrix, QR, and MaxiCode).
NOTE: Many readers have to comply with their customer's or industry's bar coding specifications; no choice is
possible, just compliance. Look at the following samples of printed bar codes:
http://www.barcodehq.com/primer.html
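The numeric-only, fixed-length symbologies listed above (UPC-A, EAN-8, EAN-13 and the 14-digit GTIN carried by GS1 DataBar) all end in the same GS1 mod-10 check digit, so a scanner can tell a mis-read or a hand-typed number from a valid one before trusting it. The validator below is an added example written for this page, not code from the presentation; the sample numbers in the test are constructed for illustration.

```python
"""Validate numeric-only, fixed-length GS1 barcode numbers (UPC-A, EAN-8,
EAN-13, and the GTIN-14 carried by GS1 DataBar) using the GS1 mod-10 check digit.

Added example, not from the presentation.
"""
from typing import Optional, Tuple

# Symbology name -> total digit count including the trailing check digit.
# These are the fixed lengths the slide lists (GS1 DataBar carries a GTIN-14).
FIXED_LENGTHS = {
    "UPC-A": 12,
    "EAN-8": 8,
    "EAN-13": 13,
    "GS1 DataBar": 14,
}


def gs1_check_digit(data_digits: str) -> int:
    """Compute the GS1 mod-10 check digit for the data digits (check digit excluded).

    Walking from the rightmost data digit leftwards, digits are weighted
    3, 1, 3, 1, ...; the check digit brings the weighted sum to a multiple of 10.
    """
    if not data_digits.isdigit():
        raise ValueError("data digits must be numeric")
    total = 0
    for i, ch in enumerate(reversed(data_digits)):
        weight = 3 if i % 2 == 0 else 1
        total += int(ch) * weight
    return (10 - total % 10) % 10


def classify(code: str) -> Optional[str]:
    """Return the symbology whose fixed length matches the code, or None."""
    for name, length in FIXED_LENGTHS.items():
        if len(code) == length:
            return name
    return None


def validate(code: str) -> Tuple[bool, str]:
    """Check character set, length and check digit; return (ok, explanation)."""
    if not code.isdigit():
        return False, "contains non-digit characters; numeric-only symbologies cannot encode it"
    symbology = classify(code)
    if symbology is None:
        return False, f"length {len(code)} matches no fixed-length GS1 symbology"
    expected = gs1_check_digit(code[:-1])
    if expected != int(code[-1]):
        return False, f"{symbology}: check digit {code[-1]} is invalid, expected {expected}"
    return True, f"{symbology}: valid"


if __name__ == "__main__":
    # Constructed sample inputs: one valid number per symbology, then two rejects.
    for sample in ("036000291452", "73513537", "4006381333931",
                   "10614141000415", "4006381333932", "12AB"):
        print(sample, "->", validate(sample))
```

A scanner that enforces the length table and the check digit rejects most single-digit misreads and transpositions; it says nothing about whether the number itself is sensitive, which is the question the rest of the deck takes up.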
4. 4
Types of Images
PDF417
PDF417 is a stacked linear barcode symbol format used in a variety of applications, primarily transport, identification cards, and inventory management. PDF stands for Portable Data File. The 417 signifies that each pattern in the code consists of 4 bars and spaces, and that each pattern is 17 units long. The PDF417 symbology was invented by Dr. Ynjiun P. Wang at Symbol Technologies in 1991. (Wang 1993) It is represented by ISO standard 15438.
PDF417 is one of the formats (along with Data Matrix) that can be used to print postage accepted by the United States Postal Service. PDF417 is also selected by the airline industry's Bar Coded Boarding Pass standard (BCBP) as the 2D bar code symbology for paper boarding passes. PDF417 is the standard selected by the Department of Homeland Security as the machine readable zone technology for REAL ID compliant driver's licenses and state issued identification cards. It is also used by FedEx on package labels.
https://en.wikipedia.org/wiki/PDF417
PDF417 is a multi-row, variable-length symbology with high data capacity and error-correction capability. PDF417 offers some unique features which have made it a widely used 2D symbology. A PDF417 symbol can be read by linear scanners, laser scanners or two-dimensional scanners. PDF417 is capable of encoding more than 1100 bytes, 1800 text characters or 2710 digits. Large data files can be encoded into a series of linked PDF417 symbols using a standard methodology referred to as Macro PDF417.
6. 6
Scanners
“Inlite's Barcode scanner software is the best barcode recognition solution for your product, Web Site or IT department.”
They sell technology that can extract data which can produce much more detailed information off of driver's licenses and other forms of government issued IDs.
7. 7
Scanners
“Enable your Windows application or Web Service to read barcodes from any image file, database, mobile phone camera, scanner or fax.”
11. 11
Scanned a membership card which revealed my membership number. The scanner also provided the details regarding the barcode type and parameter data.
13. 13
Findings & Determinations
The data and information found on boarding passes is mostly the same as what is stored in the barcode or QR Code, which may include:
• Traveler Name – First & Last
• Record Locator & Confirmation information
• Flight Information (flight number, date of travel & seat number)
• Frequent flyer miles and rewards status (silver, gold, platinum)
What data is not stored in the barcodes or QR codes on boarding passes:
• Address
• Credit Card information
• Contact information (email, telephone etc.)
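The findings above can be checked against the barcode itself: the BCBP "M" format that PDF417 boarding passes carry is a fixed-width, positional string whose mandatory block holds exactly the name, record locator and flight items listed, while frequent-flyer data lives in an airline-specific optional block and there is no field at all for an address or card number. The parser below is an added example written for this page, not code from the presentation or from IATA; the boarding-pass string it parses is constructed and belongs to no real passenger or flight, and the year passed to `flight_date` is an assumption (the barcode stores only the day of the year).

```python
"""Parse the mandatory block of an IATA Bar Coded Boarding Pass (BCBP) "M"
string and list the personal items it exposes.

Added example, not from the presentation. Field widths follow the published
fixed-width BCBP layout; the sample string is constructed for illustration.
"""
import datetime

# (field name, width in characters) of the mandatory block, in order.
MANDATORY_FIELDS = [
    ("format_code", 1),           # always "M"
    ("legs", 1),                  # number of flight legs encoded
    ("passenger_name", 20),       # SURNAME/FIRSTNAME, space padded
    ("eticket_indicator", 1),
    ("record_locator", 7),        # operating carrier PNR / confirmation code
    ("from_airport", 3),
    ("to_airport", 3),
    ("carrier", 3),
    ("flight_number", 5),
    ("julian_date", 3),           # day of year 001-366; the year is not encoded
    ("compartment", 1),
    ("seat", 4),
    ("checkin_sequence", 5),
    ("passenger_status", 1),
    ("conditional_size_hex", 2),  # length (hex) of the airline block that follows
]
MANDATORY_LENGTH = sum(width for _, width in MANDATORY_FIELDS)  # 60

# Constructed sample, assembled from padded fields so the widths line up.
SAMPLE_BCBP = (
    "M" + "1"
    + "DOE/JANE".ljust(20)
    + "E"
    + "XYZ789".ljust(7)
    + "DEN" + "SFO"
    + "UA".ljust(3)
    + "1234".ljust(5)
    + "018"                      # 18th day of the year
    + "Y"
    + "012C"
    + "0042".ljust(5)
    + "1"
    + "00"                       # no airline-specific block in this sample
)


def looks_like_bcbp(payload: str) -> bool:
    """Cheap pre-check: format code "M" and at least one full mandatory block."""
    return payload.startswith("M") and len(payload) >= MANDATORY_LENGTH


def parse_bcbp_mandatory(payload: str) -> dict:
    """Slice the fixed-width mandatory fields into a dict of stripped values."""
    if not looks_like_bcbp(payload):
        raise ValueError("not a BCBP 'M' payload or too short")
    fields, pos = {}, 0
    for name, width in MANDATORY_FIELDS:
        fields[name] = payload[pos:pos + width].strip()
        pos += width
    # The optional block (frequent-flyer number, tier, etc.) follows the
    # mandatory one; keep it raw because its layout is carrier specific.
    size = int(fields["conditional_size_hex"] or "0", 16)
    fields["conditional_data"] = payload[pos:pos + size]
    return fields


def flight_date(julian_day: str, year: int) -> str:
    """Resolve the 3-digit day-of-year against a year the caller assumes."""
    day = datetime.date(year, 1, 1) + datetime.timedelta(days=int(julian_day) - 1)
    return day.isoformat()


def exposed_items(fields: dict, year: int) -> dict:
    """Map parsed fields onto the categories a privacy review cares about."""
    return {
        "traveler_name": fields["passenger_name"],
        "record_locator": fields["record_locator"],
        "flight": f'{fields["carrier"]}{fields["flight_number"]} '
                  f'{fields["from_airport"]}-{fields["to_airport"]} '
                  f'on {flight_date(fields["julian_date"], year)} seat {fields["seat"]}',
        "frequent_flyer_block_present": bool(fields["conditional_data"]),
    }


if __name__ == "__main__":
    parsed = parse_bcbp_mandatory(SAMPLE_BCBP)
    for key, value in exposed_items(parsed, 2017).items():
        print(f"{key}: {value}")
```

The record locator is the item to treat most carefully: combined with the surname it is usually all an airline website asks for to show or change a booking, which is why the deck's advice not to discard or post a boarding pass stands even though no address or card data is encoded.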
14. 14
Findings & Determinations
Data stored on other card or name tag types can be more concerning. Examples:
• I scanned the QR Code on several conference name tags that I had to register for and found that all of the
information I provided when I registered on the site was able to be retrieved using one of the scanners shown
previously. This included:
    Name (preferred name)
    Address
    Phone Number (if provided upon registration)
    Email contact
    Company information
• Data retrieved from membership cards did not include any data that was not presented in plain text on the
card (i.e. membership number).
15. 15
Findings & Determinations
Data can be used by an adversary to identify and collect additional information that could be used to target the victim in the future.
• Used social media & open source tools to track down one person in the U.S. & retrieved
    Address
    Phone Numbers
    Email contact
    Spouse, children and friends' names & social profiles
    Employer information
    Property records & home purchase information
    Gained knowledge of hobbies, favorite sports teams and political & religious affiliations
QR Codes may be distributed by malicious actors with links to sites that contain malware!
• As with normal phishing methods, don’t open links or attachments from people you don’t know.
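A QR code is just a container, so the phishing advice above reduces to one habit: decode first, then inspect the payload before anyone taps it. The triage routine below is an added example written for this page, not code from the presentation or from any scanner product; its rules are general, conservative heuristics, and the sample payloads are constructed and use only documentation or reserved addresses.

```python
"""Triage a decoded QR code payload before letting a user act on it.

Added example, not from the presentation. The rules are generic heuristics a
scanner app or an awareness demo might apply; sample payloads are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

WEB_SCHEMES = {"http", "https"}
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "geo"}    # hand-offs to other apps
SCRIPT_SCHEMES = {"javascript", "data", "file", "vbscript"}  # never auto-open from a QR code


def _is_ip_literal(host: str) -> bool:
    """True if the host part is a bare IPv4/IPv6 address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(payload: str) -> dict:
    """Classify the payload and return its kind, a list of findings and a verdict.

    Verdicts: "display" (plain text, nothing to act on), "confirm" (show the
    full destination and let the user decide), "warn" (same, with a specific
    concern spelled out), "block" (do not open automatically at all).
    """
    text = payload.strip()
    hard, soft = [], []

    # Wi-Fi join payloads follow a QR convention rather than a URL scheme.
    if text.upper().startswith("WIFI:"):
        soft.append("joins a Wi-Fi network; check the SSID before accepting")
        return {"kind": "wifi-config", "findings": soft, "verdict": "warn"}

    parts = urlsplit(text)
    scheme = parts.scheme.lower()

    if scheme in SCRIPT_SCHEMES:
        hard.append(f"'{scheme}:' payload executes or loads content directly")
        return {"kind": "script", "findings": hard, "verdict": "block"}

    if scheme in ACTION_SCHEMES:
        soft.append(f"'{scheme}:' payload triggers an action in another app")
        return {"kind": "action", "findings": soft, "verdict": "warn"}

    if scheme not in WEB_SCHEMES:
        # No recognised scheme: treat as opaque text (e.g. a membership number).
        return {"kind": "text", "findings": [], "verdict": "display"}

    host = (parts.hostname or "").lower()
    if not host:
        hard.append("URL has no host")
    if parts.username is not None or parts.password is not None:
        hard.append("user info before the host can disguise the real destination")
    if _is_ip_literal(host):
        hard.append("host is a raw IP address rather than a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        soft.append("internationalised (punycode) label in hostname; look-alike risk")
    if scheme == "http":
        soft.append("plain HTTP link; anything entered is sent unencrypted")

    verdict = "block" if hard else ("warn" if soft else "confirm")
    return {"kind": "url", "findings": hard + soft, "verdict": verdict}


if __name__ == "__main__":
    # Constructed payloads covering each branch.
    for sample in ("https://example.com/register?id=123",
                   "http://203.0.113.5/login",
                   "https://example.com@203.0.113.5/",
                   "tel:+15550100",
                   "WIFI:T:WPA;S:CafeGuest;P:secret;;",
                   "MEMBER-00012345"):
        print(sample, "->", triage(sample))
```

Even a clean HTTPS link gets "confirm" rather than "open": the point of the slide is that a printed code from an unknown source carries no more trust than an unknown sender's e-mail, so the destination is always shown in full before it is followed.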