#DEFCON: Exploiting Physical Shopping Carts for Denial of Shopping

  • DoS usually stands for Denial of Service, but according to researcher Joseph Gabay, it can also stand for Denial of Shopping.

    On August 8, at the DEF CON 29 conference, Gabay outlined his research into how physical shopping cart immobilization systems work, and how they can potentially be abused by hackers. He noted that physical shopping carts embed some pretty cool technology that most people take for granted every time they go shopping.

    Gabay explained that what physical shopping cart immobilization systems provide is a way for a retailer to prevent the theft of the shopping cart. The way it typically works is when the shopping cart is taken outside of an approved boundary, usually a parking lot, one of the wheels will lock itself using an internal mechanism, restricting the ability to take the cart any farther.

    “A bunch of very smart people spent a lot of time and money designing a system to prevent people from doing something that they didn’t want them to do,” Gabay said. “This is a technical challenge, and for me, I was curious to see whether or not I could overcome it and dissect it.”

    Discovering How Shopping Cart Immobilization Works

    The technology that Gabay looked at comes from Gatekeeper Systems and involves several components.

    There is a buried wire around the perimeter of the parking lot that sends out a signal. When the cart crosses over this signal, it senses it and uses an internal mechanism to lock up the wheel. Gabay said that store employees have a remote so that they can unlock it and bring it back into service.

    Gabay noted that in the U.S. any consumer product with radio frequency (RF) systems that goes out into public has to be approved by the Federal Communications Commission (FCC). As it turns out, the approval process requires testing and report data to be submitted, and those submissions are then searchable in a public database. Using that publicly available information, Gabay was able to learn what frequencies the shopping cart security system was using, which included both the 2.4 GHz and 7.8 kHz ranges.

    Gabay detailed how he built a small antenna and then took it to a parking lot where he knew the system was in place to capture some signals. The Gatekeeper system also has a device known as a CartKey, which a retail store employee can use to unlock a shopping cart that has gone outside the store perimeter. Gabay said he simply went onto eBay and bought a CartKey and then scanned the signals coming from it that were used to unlock a shopping cart.

    How to Unlock a Physical Shopping Cart

    By comparing the lock and unlock signals and decoding them, Gabay discovered that the unlock signal is just the inverse of the lock signal.

    In order to unlock or lock a cart, all he had to do was execute what is known as a replay attack. Gabay explained that a replay attack is when a hacker captures a signal and replays it back, trying to mimic the original device.

    “There’s lots of ways to protect against this with various authentication schemes or incrementing a number for the signal sent to the shopping cart wheels,” Gabay said. “They don’t implement any of this; it’s the same signal all the time, which is very good for us.”
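
    The defence Gabay alludes to, as an added example that is not from the talk and is not Gatekeeper's protocol: a receiver that accepts the same static signal every time, beside one that requires a MAC and a strictly increasing counter. The frame layout, command codes, key and class names are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

LOCK, UNLOCK = 0x01, 0x02  # constructed command codes, not the real signal encoding
TAG_LEN = 8                # truncated HMAC-SHA256 tag, kept short for a small frame


def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class StaticWheel:
    """Receiver as the article describes it: the same signal works every time."""

    def accept(self, frame: bytes) -> bool:
        return frame in (bytes([LOCK]), bytes([UNLOCK]))


class Remote:
    """Hypothetical sender: command + incrementing counter + MAC over both."""

    def __init__(self, key: bytes):
        self._key, self._counter = key, 0

    def send(self, cmd: int) -> bytes:
        self._counter += 1
        body = struct.pack(">BI", cmd, self._counter)
        return body + _tag(self._key, body)


class CounterWheel:
    """Accepts a frame only if the MAC verifies and the counter is new."""

    def __init__(self, key: bytes):
        self._key, self._last = key, 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 5 + TAG_LEN:
            return False
        body, tag = frame[:5], frame[5:]
        # The MAC matters: a bare counter could simply be incremented by anyone.
        if not hmac.compare_digest(tag, _tag(self._key, body)):
            return False
        cmd, counter = struct.unpack(">BI", body)
        if cmd not in (LOCK, UNLOCK) or counter <= self._last:
            return False  # stale counter: a recorded frame played back
        self._last = counter
        return True
```

    Because the receiver only requires the counter to be higher than the last one it accepted, frames lost over the air do not desynchronise the remote and the wheel.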

    Replaying the captured signals could be executed with a phone’s speaker, though that works only at a very short range. Gabay noted that it would be difficult to expand the range for the replay, given the frequencies that the system uses.

    “It’s likely that Gatekeeper Systems did this on purpose, so you either don’t accidentally lock a whole bunch of carts or have people like us go out there and lock a whole bunch of carts all at once with nobody knowing what’s going on,” Gabay said.

    Practically, Gabay doesn’t suspect that his physical shopping cart attack research poses all that much risk. He noted that it’s possible to lock or unlock carts within a few feet, but that’s about it. He concluded by suggesting that hackers not actually use his research to go disrupt shopping carts by locking them.

    “The only person whose day you’ll make worse is the random grocery store employee who has to go around unlocking carts, and that’s just not cool,” he said.