UK technology news site The Register (no relation to this website) says the two researchers projected Countdown’s barcode scheme onto a screen during their presentation and helped the audience spot its weaknesses. They then generated usable discount codes, which were distributed via an unpublished Android app, printed on a barcode printer and applied to t-shirts.
Several delegates from Kiwicon reportedly told The Register (UK) that they had known about and exploited the discount scheme prior to the demonstration.
A Countdown spokeswoman told the NZ Herald that the company was aware of the issue and had developed a technical solution which was being rolled out. The Register (UK) doubted that this would be the end of the problem, reporting that the researchers felt fixing the flaw would require the algorithm to be rewritten.
Countdown has declined to comment further. We spoke to the researchers about the implications of their discovery:
Q: You made hacking Countdown’s discount codes look very easy. Was that algorithm extraordinarily flimsy or is this representative of broader weakness in New Zealand retailers’ barcodes?
A: A barcode only makes a piece of information easy for a computer to read; barcodes are not intended to be used to obfuscate or hide the contents of the information.
Q: Is it possible to explain, in layman’s terms, what made that algorithm so vulnerable? If so, can you have a go?
A: The discount amount and expiry date of the voucher are contained within the barcode of the receipt. We suspect this was an old system that is now being used in an automated environment that it was never intended for. The cashier at the service station would have normally validated that the receipts are genuine.
Q: Should many New Zealand retailers be concerned about this specific issue?
A: This issue only directly affects Z pay at pump systems. It is not a new discovery of something previously believed to be secure.
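The researchers’ answers describe the weakness only in general terms: the discount and expiry live in the barcode itself, and a barcode encodes data rather than protecting it. The Python sketch below is an added illustration for this article, not Countdown’s actual format (which was never published) and not the researchers’ code; the field layout, the key, the voucher IDs and the dates are all made up. It contrasts a barcode that merely encodes the voucher, which anyone with a printer can produce, with the checks a redemption back end would need: a keyed MAC over every field the till trusts, an expiry check, and a one-time-use record so that a copied barcode cannot be redeemed twice.

```python
"""
Hypothetical voucher-barcode scheme, constructed for this article.
NOT Countdown's real format (unpublished) and not the researchers' code.

Weak scheme:   barcode = discount + expiry, in the clear. Forgeable.
Hardened scheme: barcode = voucher id + discount + expiry + truncated HMAC,
                 verified with expiry and single-use checks at redemption.
"""
import hashlib
import hmac
from datetime import date

# Constructed demo key. In a real deployment it lives only in the redemption
# back end; the printer/receipt side never needs it once vouchers are issued.
SECRET_KEY = b"constructed-demo-key-not-real"
MAC_LEN = 8  # hex chars kept from the HMAC (32 bits) to fit a short barcode


def encode_plain(discount_cents: int, expiry: date) -> str:
    """Weak scheme: the barcode *is* the data (5-digit cents + YYYYMMDD)."""
    return f"{discount_cents:05d}{expiry:%Y%m%d}"


def decode_plain(code: str) -> tuple[int, date]:
    """A till using the weak scheme has nothing to check but the syntax."""
    return int(code[:5]), date(int(code[5:9]), int(code[9:11]), int(code[11:13]))


def encode_signed(voucher_id: int, discount_cents: int, expiry: date) -> str:
    """Hardened scheme: MAC covers every field the till will act on."""
    body = f"{voucher_id:08d}{discount_cents:05d}{expiry:%Y%m%d}"
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()[:MAC_LEN]
    return body + tag


def verify_signed(code: str, today: date, redeemed: set[int]) -> tuple[bool, str]:
    """Redemption-side check. Returns (accepted, reason) and records use."""
    body, tag = code[:-MAC_LEN], code[-MAC_LEN:]
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()[:MAC_LEN]
    # Constant-time compare: a length/contents leak would help a forger.
    if not hmac.compare_digest(tag, expected):
        return False, "bad MAC (forged or corrupted)"
    voucher_id = int(body[:8])
    expiry = date(int(body[13:17]), int(body[17:19]), int(body[19:21]))
    if today > expiry:
        return False, "expired"
    # A MAC does not stop someone photocopying a genuine voucher; only a
    # server-side record of redeemed IDs does.
    if voucher_id in redeemed:
        return False, "already redeemed (replay)"
    redeemed.add(voucher_id)
    return True, "ok"


def demo() -> dict[str, object]:
    """Walk through forgery against the weak scheme and the hardened checks."""
    today = date(2016, 1, 1)  # constructed 'current date'

    # Weak scheme: a home-printed code claiming $99.00 off, valid until 2099,
    # decodes exactly like a genuine one. The till cannot tell the difference.
    forged_plain = encode_plain(9900, date(2099, 12, 31))
    plain_accepted = decode_plain(forged_plain) == (9900, date(2099, 12, 31))

    # Hardened scheme: issue one genuine $5.00 voucher, then attack it.
    redeemed: set[int] = set()
    legit = encode_signed(42, 500, date(2099, 12, 31))
    first_use = verify_signed(legit, today, redeemed)
    replay = verify_signed(legit, today, redeemed)          # same barcode again
    tampered = legit[:8] + "09900" + legit[13:]             # bump discount, keep MAC
    forged = verify_signed(tampered, today, set())
    expired = verify_signed(encode_signed(7, 500, date(2015, 1, 1)), today, set())

    return {
        "plain_forgery_accepted": plain_accepted,
        "legit": first_use,
        "replay": replay,
        "forged": forged,
        "expired": expired,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>24}: {result}")
```

Two design points worth noting. Truncating the MAC to 32 bits is a barcode-length trade-off that is only defensible if the verifier is online and rate-limits failed scans; an unattended terminal that checks codes offline cannot be rate-limited by a back end and cannot maintain the redeemed-ID set either, so a copied genuine barcode would still be accepted there. Neither property can be bolted onto a format that never carried a MAC or a voucher identifier, which is why a change of this kind means reissuing the encoding rather than patching the reader.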
Kiwicon is a conference for hackers and people interested in computer security which was held in Wellington on December 10 and 11 last year. In its FAQs, the organisers explain that the role of hackers can include testing security systems:
“They are people who enjoy exploring, understanding, and using technology creatively. Many hackers are interested in the security of computer systems, but as technology develops, hackers of different kinds are pushing the limits of cars, gadgets, and various media. However, the general perception of a ‘hacker’ is synonymous with ‘computer criminal’, and indeed some computer criminals are hackers. However, the prevention of electronic crimes and the defenses of modern networked systems are ensured by computer security professionals; the best of whom will often self-identify as hackers!”
Kiwicon’s organisers have pointed out that specific guidelines exist for those wishing to disclose gaps in New Zealand ICT security systems and the organisations which receive such disclosures. A non-profit organisation called the New Zealand Internet Task Force has released a PDF document which explains how each party can work together in “coordinated disclosure” to strengthen ICT security within New Zealand.
Among other recommendations, this report indicates organisations should have a coordinated disclosure policy; obtain a PGP key so that flaw-finders can communicate with them securely; check any flagged vulnerabilities have not been exploited; and when the vulnerability is fixed, consider making it public.