The Datasheet for the ‘2D Barcode Scanner Breakout Board’ gives a series of barcodes which can be used to e.g. disable or enable recognition of different kinds of code, or to change UART settings or prefix/suffix characters that have been set by the host. From a security perspective it would be good to stop the module from recognising these codes once a system has been deployed. Is there an undocumented serial command or similar which can be used to achieve this?
Not strictly, though you could disable continuous scanning mode and use trigger mode only instead to mitigate some: https://cdn.sparkfun.com/assets/b/5/0/e/e/DY_Scan_Setting_Manual-DE2120___19.4.6___.pdf
Where is it being deployed so that someone would have the knowledge/background/motivation to change your scanner’s settings? If it were tied to a pricing DB or what-have-you it wouldn’t change much, except that perhaps the default/reset might be needed.
The main security risk is it being rendered inoperative, rather than being able to access any data etc. (Of course changing the length of expected input can be used to create buffer overruns in some systems which have exploited things before, but that’s less likely and hopefully the system code is immune to this anyway). The default/reset code is easy enough if you know but it’s not really something that can be done in the field by a normal user if they don’t know about this.
If someone is going to go through that amount of effort to create a buffer overrun…they are a very determined individual! I’d think it’d be easier for the culprit to just burn the kiosk or w/e lol…
While there isn’t really anything in place to prevent such, it seems like a really unlikely scenario. A couple people have had similar concerns in the past (SparkFun 2D Barcode Scanner Breakout - Disable Setting Barcodes) that I don’t believe ever manifested.
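
The concern raised above about changed input length and changed prefix/suffix characters can be handled on the host side. The following is an added example, not code from this thread or from SparkFun: a UART receiver that never writes past its buffer and reports frames whose prefix or length no longer matches what the host configured. `SCAN_MAX`, the STX prefix and the CR suffix are assumed values, and all function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Assumed host configuration, not values from the datasheet. */
#define SCAN_MAX    32      /* longest payload the application accepts */
#define SCAN_PREFIX 0x02    /* prefix character the host configured (STX) */
#define SCAN_SUFFIX '\r'    /* suffix character the host configured (CR) */

enum scan_status { SCAN_MORE, SCAN_OK, SCAN_OVERLONG, SCAN_BAD_PREFIX };

struct scan_rx {
    char   buf[SCAN_MAX + 1];   /* payload plus terminating NUL */
    size_t len;
    int    started;             /* prefix seen for the current frame */
    enum scan_status err;       /* SCAN_MORE while the frame is still clean */
};

void scan_rx_init(struct scan_rx *rx) { memset(rx, 0, sizeof *rx); }

/* Feed one UART byte; anything other than SCAN_MORE ends the current frame. */
enum scan_status scan_rx_feed(struct scan_rx *rx, unsigned char c)
{
    if (c == SCAN_SUFFIX) {
        enum scan_status st = rx->err != SCAN_MORE ? rx->err
                            : rx->started ? SCAN_OK : SCAN_BAD_PREFIX;
        rx->buf[st == SCAN_OK ? rx->len : 0] = '\0';
        rx->len = 0;
        rx->started = 0;
        rx->err = SCAN_MORE;
        return st;
    }
    if (rx->err != SCAN_MORE)
        return SCAN_MORE;                 /* discard the rest of a bad frame */
    if (!rx->started) {
        if (c == SCAN_PREFIX) rx->started = 1;
        else rx->err = SCAN_BAD_PREFIX;   /* framing differs from what we set */
    } else if (rx->len == SCAN_MAX) {
        rx->err = SCAN_OVERLONG;          /* never write past buf */
    } else {
        rx->buf[rx->len++] = (char)c;
    }
    return SCAN_MORE;
}

/* Feed a byte string; return the status of the first completed frame. */
enum scan_status scan_rx_feed_all(struct scan_rx *rx, const char *p, size_t n)
{
    enum scan_status st = SCAN_MORE;
    for (size_t i = 0; i < n && st == SCAN_MORE; i++)
        st = scan_rx_feed(rx, (unsigned char)p[i]);
    return st;
}
```

A `SCAN_BAD_PREFIX` or `SCAN_OVERLONG` result is a signal that the module's settings may no longer match what the host set, so the application can log it and flag the unit for attention instead of processing the data.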