DEF CON 29 - Joseph Gabay - DoS Denial of Shopping: Analyzing and Exploiting Shopping Cart Systems

Aug 5, 2021 17:35 · 4149 words · 20 minute read

- Hello, and welcome to DoS: Denial of Shopping, Analyzing and Exploiting Physical Shopping Cart Immobilization Systems.

00:07 - In this talk, we’ll be talking about shopping cart security wheels, as well as the basics of RF reverse engineering and some of the tools and techniques that you can use to capture signals in the wild, analyze them and replay them later for fun and profit.

00:20 - Before we go much further, I want to give a brief disclaimer, this is a personal project.

00:25 - There’s no reflection here on my employer or any other organization unless explicitly stated otherwise.

00:32 - That out of the way, you might be wondering, who are you and how’d you get in here? Well, my name’s Joseph Gabay and amongst other things, I am a hacker, a maker, flat moon conspiracy theorist, collector of silly domain names and random certifications.

00:46 - By day, I build robots. By night, I hack shopping carts.

00:51 - And really this is just an example of something that caught my interest and I decided to go down the rabbit hole on because I think as you’ll find out in this talk, there’s some pretty cool technology that you really take for granted every time you go shopping.

01:06 - So for those of you who aren’t familiar with shopping cart security wheels, they’re not everywhere; usually you only see them in pedestrian accessible parking lots where there’s a risk of somebody walking off with a shopping cart.

01:20 - What it is is basically an invisible fence for shopping carts, no really.

01:26 - When you take a shopping cart outside of an approved boundary, usually a parking lot, one of the wheels will sense this and lock itself using an internal mechanism and you can’t take the cart any further.

01:39 - You might be wondering why shopping cart wheels? Why was this a rabbit hole I decided to go down? And really the first time I saw one of these signs, a warning that these devices were in use, I got real curious, how does the wheel know that it’s outside an approved boundary? How does the wheel actually lock and stop itself? How does the wheel get power? And all of these questions were turning over in my mind until I eventually started doing some research and that led to more questions and that led to a Defcon talk.

02:11 - But I really think it can be summed up by Terry Pratchett’s quote, it’s not worth doing something unless someone somewhere would much rather you weren’t doing it.

02:20 - Fundamentally, I see this as a challenge, just like someone can see a particularly difficult lock as a challenge in the locksport community.

02:29 - A bunch of very smart people spent a lot of time and money designing a system to prevent people from doing something that they didn’t want them to do.

02:37 - And this is a technical challenge. And for me, I was curious to see whether or not I could overcome it and dissect it.

02:45 - And that’s what this talk is. So how does the system work? It’s a magnetic loop system where there’s an underground perimeter wire that’s sending out a signal.

02:57 - Now you might recall from physics class that when you push current through a wire, it produces a magnetic field in a radius around it, according to the right hand rule.

03:06 - So there is a buried wire around the perimeter of the parking lot and that’s sending out the signal.

03:13 - When the cart crosses over this signal, it senses it, and it uses an internal mechanism to lock up the wheel and the store employees have a remote that they can come by later and unlock it and bring it back into service and we’ll get into that in just a little bit.

03:29 - So I was actually fortunate enough to have a grocery store nearby me replacing their sidewalk, and you can actually see this buried wire in action and let me zoom in a little bit, and you can see highlighted where that wire is.

03:44 - And I don’t know, it’s rare that you get to see how this works cause it’s usually cut into the asphalt and buried.

03:51 - So that’s the wire right there. That’s how the magic happens.

03:55 - How does it work inside the wheel? Well, let’s take a look at the anatomy of a shopping cart wheel.

04:00 - There’s two main parts. There’s the outer housing and you’ll notice that on the inside diameter here, there’s pairs of ridges and that becomes very important later.

04:09 - And down on the bottom, you have the whole internal assembly and that houses all the electronics, the motors, all that, but the thing to note here is that ring going around the outside.

04:19 - That’s a flexible ring and it can expand or contract as that plunger goes up and down.

04:26 - Here’s a closeup of that mechanism here and basically there’s a motor that drives that little plunger up and that causes the ring to expand and if it drives it down, it causes it to contract.

04:38 - When the ring is in the expanded position, the ridges on the inner diameter of the outer housing and the outer diameter of the inner ring interlock and prevent the wheel from rotating.

04:51 - It’s really a clever mechanism. I’ve got to give Gatekeeper Systems some major credit for that.

04:57 - Taking a look at the other side of the inner assembly, we can see what also makes it tick.

05:03 - We have a lithium battery here. That’s just a three volt non-rechargeable lithium battery and assuming it’s in standby mode, that should last for a good long while.

05:13 - Obviously running a high current application like that motor a whole bunch is going to reduce the life of the wheel, but modern microcontrollers can sip on a few microamps of current and do stuff like monitoring RF systems.

05:27 - So I can really see this lasting for quite a while.

05:31 - Below that, you have the PCB assembly that houses all of the electronics, as well as the antennas and other radio equipment.

05:38 - And then you have a motor which connects to a gearbox that drives the mechanism we saw on the last slide.

05:44 - Taking a closer look at the PCB, we see a few interesting things.

05:48 - First of all, there’s two separate antennas.

05:51 - Up top highlighted, you can see a PCB trace antenna for 2.4 gigahertz.

05:57 - We’ll talk more about that later. And on the underside of the PCB, you can see that little black cylinder.

06:03 - What that is is it’s just an inductor that…

06:07 - And that’s the element that senses the magnetic field from the buried wire.

06:11 - These systems generally use a very low frequency.

06:14 - And in this case, as we’ll find out later, this is running at 7.8 kilohertz.

06:21 - Going back to the top view, we see a couple other things.

06:24 - You see the microcontroller, which is a Texas Instruments CC2510 microcontroller.

06:29 - It has a built-in 2.4 gigahertz transceiver, and is designed around the idea of low power standby modes for the radio to maximize the life and that makes sense in this application.

06:41 - To the right of it, you can see there is a whole mess of what looks like amplifiers and transistors, and I’m not entirely sure what’s going on there, but I’m fairly sure that that’s the amplifier circuit that takes the signal the inductor picks up from the magnetic field and turns it into something that the microcontroller can reliably use.

07:01 - Below the microcontroller are a couple more transistors and that is the motor driver circuit that actually drives that DC motor to lock and unlock it.

07:10 - And to the left of it, it’s kind of covered up by one of the arrows, you can see a 10 pin JTAG port and you can do plenty of fun things with the JTAG port.

07:19 - You can try dumping firmware, you can load it up into a debugger.

07:23 - You can do some pretty interesting things, but all of that’s outside of the scope of this talk.

07:31 - So let’s say we want to learn more about how this works at a signal’s level.

07:36 - There’s a couple of good places to start. The first one is of course fcc.gov; any consumer product that is going out into the wild that has RF systems has to be approved by the FCC.

07:49 - You basically have to undergo some pretty rigorous testing and submit a test report, proving that it’s not going to cause any undue interference to nearby devices or pollute the airwaves.

08:02 - All of these documents are public record though and you can see from the screenshot up there, there’s a lot of juicy things.

08:09 - You’ll generally be able to find out what frequency something uses, sometimes information about the modulation method, as well as in this case, the user manual for the wheel and the remote system, which had a lot of good information.

08:22 - So when we go on, we can see what we learned from these documents.

08:27 - The two big things we learned is that the low frequency is below nine kilohertz, which provides a bit of a problem that we’ll go into on capturing that signal, as well as the 2.4 gigahertz ISM band which we already knew.

08:42 - An interesting tidbit that we learned from it is that it uses either MSK or FSK for modulation on the 2.4.

08:50 - And we’ll see later that it uses FSK, which is frequency shift keying.

08:56 - Let’s talk about the VLF signals, the sub nine kilohertz signal and why it’s so difficult to capture that.

09:04 - So generally speaking in radio applications, you want your antenna to be a…

09:09 - You want your antenna’s length to be a multiple of the wavelength of the signal you’re trying to catch.

09:14 - For high-frequency signals, this is usually fairly small, it’s in the millimeters or centimeters range, fairly easy to do.

09:22 - As you get to lower frequency signals, that wavelength gets big.

09:27 - Below nine kilohertz, you’re looking at something in the tens of kilometers, which is a little bit outside of my capacity to build an antenna for.

09:35 - And further complicating this, most software defined radios and RF amplifiers are designed to work with frequencies above one megahertz because anything below that and you’re running into the problems I just mentioned.

09:49 - Now some wonderful hackers out of France at templab.org were also playing around with these shopping cart wheels around 2008.

09:57 - And they had a very interesting observation, which is nine kilohertz is in the audio range.

10:03 - We can use regular audio amplifiers and audio processing equipment to work with these signals.

10:10 - Before I go into that, I want to give a brief apology to any RF engineers in the audience.

10:15 - I’m about to do some pretty janky things to capture this signal.

10:20 - I’m sure there’s better ways I could have done this and I’m sure there’s worse ways, but if there’s something I missed or an approach that I could’ve taken, please, my contact info is at the end of this talk, shoot me an email.

10:32 - I’d love to learn how I could have done this better, but let’s move on to some abominations.

10:39 - So right here is a homemade antenna I made.

10:42 - It’s called a loop stick antenna because it’s a stick with a whole bunch of loops of conductor around it.

10:46 - This is a ferrite core with a bunch of magnet wire wound around it.

10:51 - And that’s wired into a 3.5 millimeter headphone jack.

10:56 - I included a little resistor there and that actually tricks a phone or audio device into thinking that what’s plugged into it is a microphone line and not a speaker line so it’ll let you record audio from that antenna.

11:10 - And with that, I plugged it into my phone and took it to the local shopping center that has one of these, plopped it on the buried line and hit record in a spectrogram app.

11:22 - And I was actually very surprised to see that we see a signal and a fairly clear signal so I’m in.

11:33 - Loading this into a spectrogram app, we can see that there is indeed a very low frequency signal there at 7.8 kilohertz as well as one at 15.6 kilohertz, but that’s just the resonance of the 7.8 kilohertz signal, and we can fairly safely ignore that.

11:51 - Zooming in a bit and we loaded this into Audacity because as far as anything is concerned, this is just a regular audio file.

11:59 - So we load it into Audacity and we can see the wave form of the signal and start diving into it and see what’s going on.

12:07 - Zooming in a bit further, we see that the lock signal takes about an eighth of a second and is followed by an eighth of a second of silence, then another lock signal, and this signal just gets repeated to infinity and beyond.

12:22 - Zooming into an individual one of these signals, we can see that it is an eight bit signal composed of 10 parts.

12:29 - You have a start bit that signals the microcontroller that it’s starting to send the signal and you have a series of long or short blips that correspond to ones and zeros.

12:38 - And after eight of these, you have another longer blip.

12:42 - That’s the stop bit and tells the microcontroller we’re done transmitting.

12:46 - And from that, that’s all you need to lock a shopping cart.

12:51 - What about unlocking a shopping cart? Unfortunately, in order to get samples for this, I needed one of the actual CartKeys to take samples from.

13:01 - Thankfully eBay is a magical, magical place and these CartKeys are available on eBay.

13:09 - So I went ahead and bought one and I played around with it a bit and you can see that’s the CartKey model two up there.

13:16 - I purchased both a CartKey one and a CartKey two.

13:20 - The big difference is the CartKey two implements the 2.4 gigahertz signal for unlock only.

13:26 - The CartKey one only uses the 7.8 kilohertz.

13:30 - So let’s go ahead and see what these signals look like.

13:36 - So I used the same loop stick antenna and phone setup here and just sat it next to the CartKey as I hit the lock and unlock buttons and this is what it looks like.

13:46 - You can see the unlock signal looks slightly different from the lock signal just in terms of how many times it’s repeated and the spacing between them.

13:54 - But when we zoom in and compare them directly, we can see that for both devices, the lock and unlock signal is the exact same.

14:04 - If we compare the lock and unlock signals and decode them, interestingly enough, we see that the unlock signal is just the inverse of the lock signal where there’s a one and there’s a zero and when there’s a zero, there’s a one.

14:18 - Interesting, but let’s go a bit further. Let’s see if we can use this.

14:24 - So we’re trying to perform what’s called a replay attack.

14:27 - And for those of you who aren’t familiar with it, a replay attack is when you capture a signal and replay it back, trying to pretend you’re the original device.

14:38 - There’s lots of ways to protect against this, various authentication schemes or incrementing a number that’s sent.

14:44 - Being shopping cart wheels, they don’t implement any of this.

14:48 - It’s the same signal all the time, which is very good for us.

14:52 - So another interesting thing of note is you can perform this attack without an antenna.

14:59 - You can use either a pair of headphones or even your phone speaker as a really crappy antenna.

15:05 - Because if you think about it, what a speaker is is a coil of wire attached to a membrane with a magnet on it and you send signals through the wire and it causes the membrane to vibrate back and forth producing sound.

15:19 - And because you’re sending current through a wire, you do get a bit of a magnetic field.

15:25 - Now generally, this is undesirable and it’s parasitic EMF.

15:29 - But in this case, that’s close enough to the very loop of wire for the original signal where it works.

15:36 - So you can take an MP3 file of those signals, play it on your speaker phone, hold it up next to a cart and it’ll lock or unlock.

15:44 - Also big shout out to the folks at TempLab again.

15:47 - They gave me this idea and they have a couple of demos of doing just that.

15:51 - Please go check them out. So here’s a video of me doing exactly this.

15:56 - In this case, I didn’t use the speaker or headphones.

15:59 - I just plugged my antenna back in and instead of receiving, I’m using it to transmit.

16:04 - So let’s take a look at what this looks like.

16:08 - Here I go locking it, playing the lock MP3 file.

16:12 - When I play the unlock MP3 file, you can see the roomba contracting.

16:15 - And this is literally just off screen, but that headphone jack is plugged directly into that loop stick antenna.

16:25 - So it’s fairly short range as it is. Loop stick antennas aren’t particularly good transmitters and that was a pretty small one.

16:32 - And I was curious to see how much further I could get it to go.

16:36 - So I picked up a large solenoid coil at the MIT Flea as well as a 10 watt audio amplifier.

16:43 - I hooked it all up and played the signal and I got it to work and I was getting a range of maybe two to three feet at 10 watts.

16:52 - And that’s not great, but pretty good. Unfortunately, we’re hitting an area of diminishing returns here because we’re fighting against the laws of physics.

17:02 - Magnetic signals decay according to the inverse square rule, which means to double the range, you need to quadruple the power.

17:14 - It gets kind of tricky to pump a lot of power through a small bit of magnet wire like that, not without things getting hot and melty so there is an upper limit to how far you can lock or unlock a cart using this approach.

17:29 - So let’s take a look at the 2.4 gigahertz signal now.

17:33 - Much easier to work with and we can use a HackRF, which is a software defined radio that operates in the range of one megahertz to six gigahertz, which is a fantastically large range and will be pretty good for any signal you might encounter in the wild.

17:48 - So using Gqrx, I played around a bit and I found the frequencies that it was transmitting on.

17:54 - You can see the unlock signal being broadcast here.

17:58 - Loading this into Universal Radio Hacker, which is another great program for this, you can see that it is a series of three pulses and down here, you can see that it uses frequency shift key modulation.

18:12 - If we zoom in on that, we can decode it and we can see that it’s 010, and then a bit of space, 010.

18:19 - And all of this is happening on a center frequency of 2.417 gigahertz and it’s using frequency shift keying.

18:27 - There’s two frequencies. One frequency is a zero, the other frequency’s a one.

18:32 - Pretty basic, pretty easy to implement and pretty fool proof.

18:37 - So let’s try replaying this. The HackRF can act as a transmitter as well, and URH can export files as WAV files, which means we can import them into Audacity.

18:51 - It results in an absolutely insane sample rate of eight megahertz, but it works.

18:57 - You have to get a little spicy with some of your settings to make everything work, but it works.

19:05 - So from here, I was able to slice and dice the wave form that I just captured as well as make new commands from pure tone.

19:11 - So say I want a tone of this frequency for this long and duplicate how the original unlock signal worked.

19:21 - And I can export this as a WAV file. And don’t you know, URH lets you directly play WAV files through the HackRF, it’s great.

19:29 - This is the reconstructed signal I made with some of the length data, but this is just made from scratch in Audacity.

19:36 - And if I play it through the HackRF through this interface here, this is what we get.

19:42 - And it takes a bit longer to do it and they’re up close right now just because I want it for the video, but this will work from across the room.

19:52 - So a much, much better range. Now you’re probably wondering, because you’re all hackers, can you lock it from a long range? Is there a lock signal on the 2.4 gigahertz spectrum end? The answer is unfortunately, I don’t think so.

20:08 - It’d be a lot easier to transmit, but I tried all the different combinations of three bits, ones and zeros and none of them triggered a lock when I broadcast them.

20:18 - It’s likely that Gatekeeper Systems did this on purpose so you either don’t accidentally lock a whole bunch of carts or people like us don’t go out there and lock a whole bunch of carts all at once with nobody knowing what’s going on.

20:33 - So what can we do with this knowledge? Yeah, not a whole lot.

20:37 - We can lock carts that we’re within a few feet of.

20:40 - You can unlock shopping carts that have been locked, but if your goal is to walk off with a shopping cart, there’s a lot easier ways to do it than pulling out a software defined radio and MP3 files and being a hacker.

20:55 - At the end of the day, don’t be a dick with this.

20:58 - The only person whose day you’ll make worse is the random grocery store employee who has to go around unlocking carts and that’s just not cool.

21:09 - Very briefly, here’s the references and some of the software I used.

21:13 - And I’d also like to extend a special thanks to the Electronic Frontier Foundation and its Coders Rights Project for giving me advice and guidance as I prepared this talk to make sure I didn’t cross any legal lines and get myself into trouble.

21:26 - They’re a fantastic resource for hackers and are happy to work with the community for answering questions about responsible disclosure and the intricacies of computer law, which is not a simple field.

21:40 - So huge, huge, thanks to them. If you’re ever in a spot of questions, give them a call.

21:49 - So thank you for coming to this talk. If you have any questions, anything I missed, please feel free to reach out to me.

21:55 - For projects and hobby contacts, Joseph@begaydocrime.com.

22:00 - For any professional inquiries, Joseph@tethys.cc.

22:05 - You can check me out on Twitter, I’m @stoppingcart.

22:08 - Real pleased with that. I post yearly thereabouts so follow me if you want.

22:14 - And any files I’m able to share will be up on begaydocrime.com/carts.

22:20 - Thanks for coming.