DoS: Denial of Shopping – Analyzing and Exploiting (Physical) Shopping Cart Immobilization Systems

Reverse engineering shopping cart wheels using radio frequency signals

• The speaker of a phone or headphones can be used as a crude antenna to control shopping cart wheels
• The FCC website and Google Patents are useful resources for reverse engineering devices
• 2.4 GHz signals can be sniffed using off-the-shelf equipment
• Loop stick antennas are not good at transmitting signals over long distances

The speaker of a phone or headphones can be used to control shopping cart wheels by emulating the electromagnetic signal that comes off of a coil of wire connected to a membrane to produce sound. This signal is considered a nuisance in normal operation, but it is the kind of signal that is needed to control the wheels. The speaker can be used to make a god-awful screeching sound, but it can also be used to lock and unlock the wheels. The speaker is a crude antenna that can be used to control the wheels from a short distance.

Many supermarkets and shopping centers have implemented devices that “lock” their shopping carts if they’re taken outside of an approved boundary (e.g, a parking lot). This talk examines some of the technology that’s used to do this, as well as ways to capture and spoof the control signals to defeat these devices. We will go over the anatomy of remotely lockable shopping cart wheels, their basic theory, and get into how they’re controlled. We’ll deconstruct some samples of the lock and unlock signals captured using a homemade antenna and a HackRF, and briefly discuss methods of rebroadcasting them – as well as the challenges inherent to this process. DISCLAIMER This talk is the result of a personal project. Any views, opinions, or research presented in this talk are personal and belong solely to the presenter. They do not represent or reflect those of any person, institution, or organization that the presenter may or may not be associated with in a professional or personal capacity unless explicitly stated otherwise. REFERENCES - The ARRL handbook for radio communications, 2007. Newington, CT: American Radio Relay League, 2006. Print. - https://www.tmplab.org/2008/06/18/consumer-b-gone/ - http://www.woodmann.com/fravia/nola_wheel.htm -The wonderful people over at /r/rfelectronics -FCC.gov