Barcodes are used all over the world, but, to be fair, it is a very outdated technology, and from time to time new holes in it come to light. At the latest Kiwicon conference, two researchers who want to keep their identities confidential showed how to print their own fuel vouchers.
To better understand how these fuel vouchers work, I’m using a web archive link to explain it:
“When you shop at Countdown, FreshChoice or participating SuperValue supermarkets and spend $40 or more, you’ll be given a fuel discount voucher with your receipt, valid at any participating Z service station.
Present the voucher next time you fill up with petrol, diesel or automotive LPG at Z and you’ll receive a discount on the per litre price of your fuel. Not only that, but you’ll still collect Fly Buys points for every 20 litres of fuel you purchase.”
This means that the customer needs to spend at least $40 to get a fuel discount, which can be used the next time the customer goes to the fuel station.
With the technique demonstrated by the folks at Kiwicon, anyone could create their own vouchers without spending $40 and get fuel discounts as many times as they want.
The flaw affects petrol stations operated by Z, New Zealand’s national energy provider. In addition, the technique only allows codes to be reused; we don’t know whether it is possible to generate new codes for use.
Z petrol stations disabled manual entry of barcodes in the past because these codes were being shared online.
The two researchers generated their fuel discounts on many different hosts and platforms, including an unpublished Android app, a barcode printer, and even t-shirts.
The duo also demonstrated that with the click of a button on their smartwatch, they could produce codes that could be scanned at the fuel station to get fuel discounts.
They showed live a barcode printer printing out valid discounts, and even scanned a t-shirt bearing a manipulated code.
All this is possible because there is a pattern behind the generation of the codes used by Z, which makes it possible to predict further valid codes.
“So you’re staring at these codes in Excel and you start to notice a bit of a pattern,” one of the researchers says. “You can kind of see what’s happening here – there isn’t any kind of crypto.”
“All they are doing is x minus 50 equals discount. They are totally unprotected – there is nothing unique about any part of it.”
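As an added illustration, not code from the talk, from Z, or from this article: a voucher scheme in which the discount is plain arithmetic on the code, as the quote describes, placed beside a hardened one that gives each voucher a unique serial and an HMAC tag and refuses a second redemption. The key, the code format and the field names are assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed demo key shared by the issuing checkout and the redeeming station
# (hypothetical; the page does not describe Z's real scheme).
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
BASE = 50  # the "x minus 50" offset quoted above


def weak_discount(code: int) -> int:
    """Weak scheme as described on the page: the discount is read straight off
    the code, so anyone who knows the offset can read it and reuse codes."""
    return code - BASE


def issue_voucher(discount_cents: int) -> str:
    """Hardened issuer: a random serial makes each voucher unique and a
    truncated HMAC tag binds the discount to that serial."""
    serial = secrets.token_hex(8)
    body = f"{serial}:{discount_cents}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{body}:{tag}"


class Redeemer:
    """Redeeming side: verifies the tag, then enforces single use."""

    def __init__(self):
        self.used = set()  # in production: a shared, persistent store

    def redeem(self, voucher: str):
        try:
            serial, discount, tag = voucher.split(":")
        except ValueError:
            return None, "malformed"
        body = f"{serial}:{discount}"
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, tag):
            return None, "bad tag"            # altered discount or guessed code
        if serial in self.used:
            return None, "already redeemed"   # reprinted or replayed voucher
        self.used.add(serial)
        return int(discount), "ok"
```

Routine monitoring of the kind the article mentions would sit behind the same redemption store: repeated "bad tag" or "already redeemed" results at one site are the signal to look for.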
The researchers said that they didn’t use any of the codes at fuel stations, and warned others not to do so either, since this could be considered theft.
The researchers and Z worked together before the presentation and came to the conclusion that the flaw lies in the design of the algorithm used to generate the barcodes, and not exactly in Z’s method.
Z also added that they will keep accepting codes for fuel discounts because the majority of their customers are not trying to take advantage of them.
To conclude, even if someone were to exploit this in real life, Z fuel stations could detect suspicious or unusual activity through their routine monitoring.
About the Author Elsio Pinto
Edited by Pierluigi Paganini
(Security Affairs – fuel discounts, hacking)