China-Made Handheld Barcode Scanners Ship with Spyware

Credit: wk1003mike/Shutterstock.Credit: wk1003mike/Shutterstock.

Who scans the scanners?

Some Chinese-manufactured shipping-barcode handheld scanners — of the type used by many United States retailers and warehouses, as well as delivery services such as UPS and FedEx — were found to have sophisticated spyware preloaded on them, according to San Mateo, California-based security company TrapX. Dubbed "Zombie Zero," the information-stealing malware is likely part of a state-sponsored industrial-espionage campaign.

The malicious software is located in the scanners' Windows XP Embedded operating systems, according to TrapX's report. When the handheld scanners connect to a company's Wi-Fi network, the Zombie Zero malware activates, hacking into company servers and stealing information, from shipping manifests to corporate secrets. All the information goes to servers in China.

MORE: 12 Things You Didn't Know Could Be Hacked

TrapX was able to trace Zombie Zero back to a Chinese factory that sells proprietary shipping and logistics scanning hardware and software to companies around the world. Eight unnamed companies recently received scanners with advanced malware pre-installed on them.

In stage one of a Zombie Zero attack, the malware uses a number of advanced tricks to escape from the handheld scanners to infect a targeted company's servers. The malware then seeks out company servers that have the word "finance" in the host name, in order to locate corporate financial data, customer data, shipping and manifest information, and more. 

In stage two, Zombie Zero then connects to command-and-control servers in China in order to download even more malware onto compromised company servers; the new malware then establishes a local command-and-control server within the infected company's own network.

TrapX determined that one of the remote command-and-control servers was located in the Lanxiang Vocational School in Jinan, Shandong, China, south of Beijing, and the other was located at a facility in Beijing itself.

TrapX notes that the scanner factory is located near the Lanxiang Vocational School, previously linked to the Operation Aurora cyberespionage campaign that stole information from dozens of major American corporations in 2009. (Only a few companies, including Google and Adobe Systems, have admitted being targeted by Operation Aurora.)

In its report, TrapX focused on one unnamed manufacturing company that used 48 scanners, 16 of which were infected, made by the Chinese factory in question. An internal firewall initially stopped the scanner-based malware from spreading throughout the company network, but the malware adapted its attack method and was successful on a second try.

The targeted company had installed security certificates for network authentication on the handheld scanners. But because the malware was already installed on the devices, the certificates were "completely compromised," TrapX said.

By the end of Zombie Zero's attack on the company, "exfiltration of all financial data ... was achieved, providing the attacker complete situational awareness and visibility into the logistic/shipping company's worldwide operations."

TrapX said the malware wasn't only on the handheld scanners. It also found malware in scanner software available for download from the Chinese's manufacturer's website, possibly putting more companies than the originally targeted eight at risk of a "zombie" infection.

This isn't the first time that a Chinese product has been found with malware pre-loaded on it. Last month, the Android smartphone Star N9500, a Samsung Galaxy S4 knockoff, was found to have spyware baked right into its operating system.

Email or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.

Create a new thread in the Streaming Video & TVs forum about this subject
This thread is closed for comments
    Your comment
  • gsxrme
    Hacking the US is an act of war. If the US government finds out where the server is located we should drop a nice little bomb on the building that holds the fooking server.

    *Message sent*

    Hopefully our next leader has a pair and stands up against china and russia a little better.
  • hfitch
    This is why the Us government doesn't want to allow Chinese telecommunications vendors and data providers in America. They blocked most of their attempts to set up 4g sites in America. They also banned companies from buying their servers. The problem is a lot of chips and data equipment is in a lot of what we use everyday. Open your toaster up I guarantee you will see something with made in China in it. Also a small chip running your toaster as well. I wouldn't be shocked one day you find out they been putting listening devices in household smart appliances.
  • nukemaster
    The US can not bomb China because half the work is made in china. Hack them back.

    I do not think people realize that the only reason electronics are as cheap as they are is because they can be made for less in these countries.

    Do you want to know what a 100% American manufactured notebook would cost?

    Do not get me wrong, this sucks and all, but bombing them will not help anything.