Hey guys, what's going on? We're ready for our next talk. We're almost down to the end, and it's going very well, I think. So our next talk is basically called "DoS: Denial of Shopping: Analyzing and Exploiting Physical Shopping Cart Immobilization Systems" by Joseph Gabay. All right, his first talk. Please give him a big shout-out. All right. And, you know, here you go, Joe.

Thank you very much. Yeah, not only is this my first time speaking at DEF CON, this is actually my first time attending DEF CON, and even at the, you know, Safe Mode version of it, this has just been an absolutely fantastic experience, and I've met some really, really amazing and really, really smart people. So I'm having an absolute blast, and it's a real pleasure to be up here. So without further ado, welcome to "DoS: Denial of Shopping: Analyzing and Exploiting Physical Shopping Cart Immobilization Systems."

Before I get into the talk, I have a brief disclaimer. This is a personal project. I've done this on my own personal time, with my own personal equipment, for my own personal reasons. This shouldn't reflect on my employer, my friends, or really anybody else but myself. Now, with that said, let's get into it.

So for those of you not familiar with shopping cart security wheels, they're basically invisible fences, but for carts. They're designed so if you try to take a shopping cart outside of an approved area, usually a parking lot (or some of them have them in the front of the store), one of the wheels will lock up, preventing you from taking the cart any further. It's not something that you see every day. Usually you only see it in supermarkets that are pedestrian-accessible, where they're worried about people walking off onto the sidewalk with shopping cart wheels. But the first time I saw them, I got very, very curious.

So at this point most people have two questions. The first one is: who am I, and how did I get in here? The answer to that is I'm a hacker, and I'm a hacker. My name is Joseph Gabay. By day I design robots; by night I hack shopping cart wheels. Bit of a weird tagline, I'm still workshopping it, but I'll take it where it is. For my day job I design robots and robotic systems, and for fun I do a huge variety of things. I usually like tinkering and taking things apart, and this project, like many of my others, is really just a vehicle to learn new skills and figure new things out. This was a great foray into radio frequency reverse engineering and the associated things, and that's what I'm here to talk to you about today.

The second question people usually have is: why shopping cart wheels? For me, I hadn't seen these systems for a very long time until I came to Boston, where I'm living now, and the first time I saw one of the signs warning of these I got really, really curious. I couldn't figure out how they worked. How do they know when they're outside of the approved area? How do they actually lock the wheel? Are they using GPS? Do they have a battery system? Is it all passive? There's a huge, huge amount of design challenges for a system like this, and I knew that inside there were going to be some very clever solutions.

But why did I choose to hack them and go through all this effort of taking them further apart? I think Terry Pratchett said it best when he said it's not worth doing something unless someone somewhere would much rather you weren't doing it, and I think this really speaks to the ethos of a lot of us here as hackers. Some very smart people spent a lot of time and a lot of money designing a system to prevent someone like me from walking out of a store with a shopping cart. I never really wanted a shopping cart, but I feel it's important to me as a hacker and as a techie that I have the knowledge that if I wanted a shopping cart, I could have one. Right? And you see it all over. I see it similar to locksport, competitive lock picking.
It's never about what's behind the lock; it's about the knowledge that you can defeat a technical security challenge that somebody else has set out. And Gatekeeper Systems, in their marketing materials, say that's about a hundred eighty million dollar a year loss center, so there's decent financial incentive to get this right. So it should make for a good challenge, and, you know, when I tore it apart and saw what was inside, I was definitely very impressed.

So let's say we want to learn about how a random device we have works. In this case it would be a shopping wheel, but this is a good starting point for any sort of reverse engineering work. There's a couple really good resources I checked out first. FCC.gov is always a goldmine. Any device that uses radio frequencies and is going to be even remotely available to the public has to have a huge, huge amount of information disclosed to the FCC: mostly test reports, information about what frequencies it uses, what modulation it uses, and all of this information is public record. You can go to FCC.gov, type in the FCC ID of a device (and it has to be printed on the device; if you look at the outside of these wheels there's a little engraved-in label, FCC ID W3Z-whatever), and you pull it up and you get all of this information, including user manuals for the devices, which have a lot more information than you'd expect.

Other sources are Google Patents. For any patented device, if you want to see how internal mechanisms work or get an idea of the general principles of operation, Google Patents has that all laid out if you know how to search. And in this case, this is specific to this project, but other hackers: there's a French group of hackers called /tmp/lab who back in 2008 were playing around with the shopping cart wheels a little bit. They didn't get as far as I have, and they focused mostly on the signal capture and replay, but they were the folks who gave me the inspiration to attack this from an audio amplifier angle rather than a radio amplifier angle. So I do owe them a great deal. I'm standing on their shoulders in some ways. I have a link to their site and their work at the end of this talk, so please, please check them out.

So how do these systems work? In normal operation you have a buried wire around the perimeter of the parking lot, or installed into the supermarket or wherever you want to basically have the cart check in with something. That wire is pulsing out a very low frequency radio signal, and as we'll learn later, at 7.8 kilohertz, which is very, very low for most radio things. At that point it's less of a radio system and more of a magnetic loop system, where you have two magnets coupled to send signals. And as you'll recall from physics class, whenever you have a wire and you pump a current through it, you get a magnetic field going around it according to the right-hand rule. And that's what's going on here: they're pumping electricity through that buried wire, you're getting a magnetic-slash-radio signal (that kind of gets weird in the near-field area), you get that signal out, and the cart is listening for that. When the cart senses that it's been crossed over the boundary, an internal mechanism activates and prevents you from taking it any further past that point. The store staff has a remote called a cart key. We'll look at that in a little bit, and they can go by and they can unlock the wheel and return the cart to service. And in this talk we'll be talking about ways to pretend you have a cart key when you really don't.

So let's take a look at this wire. I was fortunate enough to live somewhere a few years ago that was having their sidewalk redone, and they used one of these systems, so I was actually able to see up close and personal what that buried wire looks like, and you can see in that very sloppily highlighted area that little bit of wire. I believe that is 14 gauge wire; I'd have to check the spec again.
It's in the user manual available on FCC.gov if anyone's curious, but that's the actual wire that's sending out that signal that causes the carts to lock.

So let's take a look at what's going on inside these wheels, because they're a very clever piece of engineering. There's two parts: you have the outer housing there, and you'll notice that there's the little ridges on the inside diameter of that housing, and then you have the inner assembly, and that houses all of the electronics and the other parts, the locking mechanism. The important thing to note here is in that lower assembly you have a flexible ring with ridges on the outer diameter, and when you combine them they look like this. Now, the key to the locking mechanism is that little plunger you see in the top here. So when that little plunger is driven by a motor (we'll talk about that in a second), it causes that inner ring to expand and contract, and when it's expanded, the ridges on the outer diameter of the inner assembly lock with the ridges on the inner diameter of the outer housing (whoo, I said that right, thank God) and prevent the wheel from turning any further. So it's a real clever mechanism, and it doesn't require any sort of external braking thing. It's all internal, which is pretty cool.

So taking a look at that inner assembly that houses all of the electronics, we see three main parts. There is a three-volt lithium battery. This is a non-rechargeable battery. It's the same sort of battery as the coin cell that you see in your badges here, just a three-volt lithium, non-rechargeable. All of this is weatherized and super sealed.
It was a pain in the butt to get taken apart. I still have a couple cuts on my hand from it. Blood, sweat and tears went into this project. But yeah, so once that battery is done, the wheel stops working. Most microcontrollers nowadays can run on ultra-low-power modes, basically waiting for a wake-up signal from radio, so the lifespan of these wheels is actually fairly long, assuming you're not doing any high-current application like driving that motor a whole bunch. Underneath that you have the PCB assembly that holds all the radios and the electronics as well as the microcontroller. We'll do a zoomed-in look at that in a second. And lastly, under that you have a little DC motor, and that connects to a gear train which actually drives that plunger up and down.

Taking a look at the PCB, we have a couple cool things going on. First of all, there are two separate antennas highlighted up above. There's the 2.4 gigahertz antenna that is just done on the PCB; that's really all you need to do it. And the microcontroller, which is a Texas Instruments CC2510, has a built-in 2.4 gigahertz transceiver, so you don't need any separate radio chips or anything additional to support it. You basically just connect the antenna to the microcontroller and you're off to the races. The second one you can see on the backside: that little black cylinder is an inductor, and that inductor is acting as the antenna for the 7.8 kilohertz signal. At that low a frequency you're not really in the antenna range anymore, but that's basically serving the same purpose of picking up that magnetic signal. And off to the right of the microcontroller in the top picture there's a whole bunch of transistors and amplifiers. I'm not entirely sure how it works, but that's very likely an amplifier circuit that's amplifying the very weak signal you get from that magnetic coupling and turning it into something that the microcontroller can interpret and use. If anyone's got an idea of how an amp like that would work, grab me after the talk. I'm very curious.

But moving on, we have that microcontroller. We have below the microcontroller a couple more transistors acting as a bridge to drive the DC motor to lock and unlock it. And lastly, of note, to the left we have a JTAG port. JTAG ports are used for programming and debugging the microcontroller; you can do some other fun things off of it. It is notable that they did not implement firmware readback protection on the microcontroller, so you could hook up to this JTAG port and dump the firmware off of this wheel for later nefarious purposes, or educational reasons, your pick. I haven't had the time to do this yet, so it's left as an exercise to the reader. If anybody does happen to do this and find something interesting, please, my email's at the end of the talk. I'd be very curious to see what you find.

So now that we know how the wheel works, it's time to start capturing some of the signals and seeing what we can do with them. I decided to start with capturing the signal coming out of the buried wire in the parking lot. There's a couple challenges around this. The first one, as I've mentioned, is that the signal is at 7.8 kilohertz. This is very, very low when it comes to radio stuff, and most radio amplifiers and software-defined radios don't really support frequencies below 1 megahertz, which is two orders of magnitude too high.
So that's a problem. The other problem comes from finding an antenna to work with us. Generally in radio applications (and I'm not a radio engineer, so I surely won't get this perfectly), but generally you want your antenna to be close-ish to, or an integer multiple of, your radio frequency, your radio wavelength. The wavelength of this signal in this case is about 32 kilometers. So despite my best efforts, I wasn't able to build a tens-of-miles-long antenna for this project. If I did, I'd have a great transmission radius and I'd lock every shopping cart on the East Coast, but a little outside of my budget for this talk.

Now, this is where the folks at /tmp/lab were a huge boon, because they realized that 7.8 kilohertz is well within the audio range. So you can use just regular audio amplifiers and audio processing tools to deal with this signal, and you don't actually have to treat it as a radio signal. So this is where I would like to give a brief apology. Do we have any RF or electrical engineers in the audience? All right, I'm sorry, guys. I'm not really sorry. Please, please send your hate mail to me after this. I'd love to learn how I could have done this better, but I'm about to do some very janky radio things right here.

So I needed to capture this signal, and I had an idea. I built myself a loopstick antenna using a ferrite core, a bunch of magnet wire, and a cordless drill. I did do a smart thing, and after consulting the ARRL Handbook a whole bunch, added a couple tuning capacitors and tried to do a decent job at it. But I wired all of this into a 3.5 millimeter headphone jack. You'll also notice there's a resistor in there to trick my phone into thinking that that jack belongs to a microphone and not a set of speakers. I think you can see where this is going.
So I decided to take a little field trip and see what could go wrong. So I went to my local [redacted] store that has one of these systems, and I plopped this monstrosity down on the scene where you could see this wire, and I opened up an audio spectrogram app, and what do you know? There's a signal. If we zoom in a little bit, we can see that, just as expected, we see a signal at 7.8 kilohertz. This somehow worked. We also see one at 15.6, but that's just due to resonance. That's totally expectable. And because it was an audio app, I could open up a voice recorder, and I recorded this as an MP3 file and I loaded it into Audacity, and here we go. Here's the signal.

You can see from here, it is the signal to lock. It follows a pattern where it's an eighth-second series of pulses followed by an eighth-second rest period, and it just keeps repeating that pattern four times a second, forever. And that's what it takes to lock a shopping cart. If we zoom in, we can see, and first of all I should note that there's no frequency shift modulation. This is all just happening at 7.8 kilohertz. It's very, very basic, but this is what the message looks like. We have at the start and end of it some longer pulses. Those are start and stop bits to let the receiving end know when the message is starting and stopping, and in the middle we have eight payload bits. Now, if you were a shopping cart wheel, this would be some very exciting news, but: one zero zero zero one one one zero. And that is all. That's right, that's all that's required to lock a shopping cart wheel: sending this at 7.8 kilohertz.

So that's all I could get from what was easily available. To go any further, I needed to get some more equipment. Now, through the magic of eBay (I honestly could not believe it), I managed to get my hands on one of the actual cart keys that these store employees use to control these carts. Now, interestingly about this, and this is something that I learned from both the fact that there is a 2.4 gigahertz antenna in hardware as well as some things that I learned from checking out the other applications on FCC.gov from the same company, because one company shares the same three or five letter start code, so you can see an entire family of products on FCC.gov, and that's how I came to know about the existence of these: it broadcasts the unlock signal at 2.4 gigahertz, and what that means is there is a long-range, easily transmittable control method for these, and we're gonna explore those in a little bit. But right now I was mostly curious about what it's doing on that low frequency band, the 7.8 kilohertz, so I repeated this. And the two things I got doing this with a remote instead of a parking lot is a lot fewer weird looks, as well as these two beautiful captures.

Now, they're slightly different and they look a little different, but each one of those kind of bars is actually just several of those quarter-second pulses up close, and they just have a burst of them and a longer space and then another burst. If we zoom in and look at the lock and unlock signals in comparison, we see that they have the exact same format, the same start bits, the same stop bits, and those of you who are particularly observant or are reading the PowerPoint presentation will notice that the unlock signal is just the logical inverse of the lock signal. So where there's a one there's a zero, and where there's a zero there's a one. Just an interesting bit of symmetry I noticed, and that probably aids in preventing the signals from being mistaken, you know, to make the lock signal as different as possible from the unlock signal.

So we have all this. Let's try a replay attack. A replay attack is basically where you take a system that doesn't have any sort of fancy authentication (you know, there's no authentication in this; it's not incrementing a number; it's just the same signal being broadcast over and over and being received). I suppose Gatekeeper Systems, who's one of the main manufacturers of these, didn't anticipate anybody taking an interest in their systems and wanting to reverse engineer them. Who would have thunk? But anyways, so for a replay attack, what I wanted to do is take the signals I just recorded and through some method rebroadcast them and see if I could get the wheel to respond to my commands, pretending I was a cart key. I ended up using that antenna that I built previously; I just wired it in as a speaker instead of a microphone, and we'll see the results of that in a second.

But here's an interesting aside. Again, credit to /tmp/lab for this discovery, but you can actually use a set of headphones or your phone speaker as a crappy antenna to control these cart wheels. When you think about it, all a speaker is is a coil of wire connected to a membrane to produce sound. Normally the little bits of electromagnetic signal that come off of this are considered a nuisance, as parasitic EMF, but in this case that's the kind of signal that we're trying to emulate here. So yeah, you'll make a god-awful screeching sound with it, but you can control and do whatever you want with these shopping cart wheels, and there's a link at the end of this talk. I have on my website the two MP3 files. You can download them, load them on your phone, turn your speaker on, hold them up to a wheel, and you can get them to lock and unlock. Oh yeah. Use the powers for good or evil.
I'm a hacker, not a cop. So let's see this working in real life. And this isn't with my phone or speakers; this is using the loopstick antenna just wired as a speaker. But yeah, so here I am hitting the lock signal, and you can see that wheel expanding, which would normally lock it, and then when I hit the unlock and play that signal, it unlocks and re-contracts. I really have to give it up to Gatekeeper Systems. This is a really, really clever design. I really like how they did this, and I feel bad for just doing what I'm doing to them. But only a little bit.

So as any good hacker would ask, now my question is how far can this go? You know, what is the longest range I can perform a replay attack like this? And I'm sure some of you are thinking where this is going. So I tried a few things. I picked up this absolutely massive solenoid coil at the MIT Flea, because what's bigger than a loopstick antenna? A bigger loopstick antenna. I also tried some different external audio amplifiers rather than just using my cell phone's built-in one. I got a 10-watt audio amplifier and hooked that up, and I was able to get really two or three feet effective range with that setup. Past that I was really fighting against diminishing returns for a few reasons, and unfortunately they're kind of butting up against those pesky little laws of physics, the one law I'm unable to break. But basically what's happening is it's hard to transmit things, especially at frequencies that don't like to be transmitted at. Loopstick antennas are okay receivers, but they're not particularly good at transmitting signals, just based on their geometry and how they work, as well as the fact that with radio you're dealing with the inverse square rule. So to double your range you need to quadruple your transmission power, and you can see how, if you want to, say, send this signal a thousand feet, how absolutely insane that would get and how quickly it would scale up. So unfortunately there's not too much you can do at long range with this.

Which brings us to the 2.4 gigahertz signal. 2.4 gigahertz, which is what Bluetooth and Wi-Fi all work at, is much, much easier to broadcast at, obviously. This you can just use regular off-the-shelf equipment to sniff. In this case I used a HackRF, which is an SDR that goes from 1 megahertz to 6 gigahertz, tremendous range. They're made by Great Scott Gadgets; great company, great tool. But this should be more than enough to let us sniff that 2.4 gigahertz control signal. So that's exactly what I did.
I loaded up Gqrx, which let me scrub through the channels, and I centered it around 2.4 and just looked around while pressing the button until I saw a signal, and eventually I saw this. So you can see we've got some sort of signal. It's a little hard to see what exactly is going on, but it's happening across two frequencies, and that tells us it's likely some sort of frequency shift keying that's happening. But more importantly, we know the center frequency and we know the range, so we can take a bit more of an exact look at that in something like Universal Radio Hacker. So I did the same thing and took the same capture in Universal Radio Hacker, and this is what it looks like. So you have a series of three pulses here, and it's happening across two different frequencies. You have, you know, low-high-low, low-high-low being repeated, and that's our signal. Unlike the 7.8 kilohertz signal, which was an eight-bit payload, this signal is just three bits. It uses 2-FSK modulation, as I've previously said, and up here is just the actual details on what frequencies it uses, in case anybody's curious about those technical details, but it's just broadcasting zero one zero, zero one zero. And because I want to be a little bit cheeky, I was able to export this capture as a WAV file and loaded it into Audacity, albeit at an absolutely absurd sample rate of eight megahertz. But it turns out Audacity just lets you input really big numbers into its text fields and it just works.

So from here I was able to slice and dice the audio waveform just like any other audio signal and rearrange things. I was also able to make synthetic commands, because I knew the two frequencies and I knew the timing and duration, so I was able to reconstruct signals from pure tones, and then I can export it as a WAV file, and Universal Radio Hacker will actually let you play a WAV file through a software-defined radio. And that's exactly what I did. So here's what the signal that I reconstructed looks like. It's the two frequencies we discovered earlier, and I just measured out how many microseconds each one was, as well as the interval between them, and I just made this three-bit pattern and set it to repeat forever, and I played that back through the HackRF. This one takes a little bit longer, but we can see what happens. I go ahead and click play, and if we go over to the workbench here, I have a wheel that I modified to run off a benchtop power supply. After a few seconds it closes. Now, the interesting thing about this method is 2.4 gigahertz is incredibly easy to broadcast. You know, I could unlock this wheel from across my workshop, and quite frankly I'd be able to do it basically as far as I was able to transmit a Wi-Fi signal, which is pretty far, especially for those who have worked with microwave systems before; you can get 2.4 real far, and real directionally too.

Now the question is, can we lock carts on 2.4 gigahertz? Unfortunately, I think the answer is no to this. I tried every possible three-bit permutation. So in Audacity I constructed 000, 001, 010, etc.
And I tried all of them. None of them triggered it to lock. This is working as intended, because if I were Gatekeeper Systems, I wouldn't implement a locking function over something that could go ultra long range. So this was probably done intentionally, either to prevent accidental malfunction or to prevent malicious interference, we'll call it. But it is interesting, of note, that these wheels do have some advanced functionality that's unexplored. This was on the back of that cart key, and it lists some other codes. Based on what I was able to find in the FCC filings, it's very likely that these codes operate on 7.8 kilohertz, and it would make sense, because you have an 8-bit payload there as opposed to a 3-bit payload, so you can actually fit numbers like 23. But Gatekeeper Systems, from their marketing material, does have some other interesting features, like you can set up a cart to lock when it exits the front door if it hasn't gone through a checkout lane first, to prevent people from filling a cart and running out. So it's likely that these functions are meant to interact with, you know, that advanced functionality. I haven't really seen any of that advanced functionality in the wild. I've mostly seen the systems that lock when you take it out of the shopping cart area. But these systems are mostly designed to be invisible unless you're actively looking for them, and I guarantee you everyone in this room will start seeing them everywhere from now on. As well as, I don't know, it seems like a lot more expensive of a proposition to have a system like that, with a lot more ways it could go wrong and impact a customer experience. So I wouldn't be surprised if that was a more uncommon method or one that didn't work with every sort of wheel.

So that is all I've got to talk to you about shopping cart wheels. Thank you all for letting me talk to you about shopping cart wheels for 20 minutes.
This has been great. Here's a list of all the references as well as some of the tools I've used. I'd also like to give a huge special thanks to the folks at the Electronic Frontier Foundation and their Coders' Rights Project. As I was doing this, I had a few questions on what was exactly legal for me to explore and what was legal for me to share with you fine folks, and I reached out to them and they got back to me and they answered all of my questions, and they were absolutely, absolutely great. If any of you are working on any sort of reverse engineering or vulnerability disclosure things and you have questions and want to make sure you do it the right and legal way, reach out to the EFF. They're great, and they're here for hackers like us.

So thank you all for coming. If you have any questions, anything I missed or anything I've done wrong (and oh boy, I've done things wrong; you saw that RF setup right there), you can send your emails to joseph@begaydocrime.com. For any professional inquiries, joseph@tethis.cc may be more to your liking. I'm @stoppingcart on Twitter; I post new content yearly. And as I said before, the MP3 files to lock and unlock shopping cart wheels are available at begaydocrime.com/carts. Thank you. Thank you. I'll be sticking around the con floor for a little bit longer. I can take some questions here, I believe, for some time, or if you want to catch me after the talk. But any questions? Going once, twice, Bueller? Question.
I've been advised by the EFF not to discuss that. Yeah, one of the big takeaways from this is if your goal is to walk off a parking lot with a shopping cart, there's a lot easier ways to do it. I will bring up the fact that transmitting at 7.8 kilohertz is very difficult, and you're dealing with that inverse square law. So imagine the effective range of a buried wire broadcasting the signal; it's not very high. Realistically speaking, you could just lift the wheel up four or five inches over that line and it won't trigger it. So, like, this is an academic experience in hacking. You know, if your end goal is a shopping cart, there's a lot easier ways out there than hauling out your HackRF and doing some fun hackery. I mean, I'm not judging you. You're welcome to do it however you want. Uh, I'm the one who spent, like, two years researching this on and off and, like, playing with it, so I'm in no position to judge any of you here. I want you to do with your shopping carts. All right, if that's it, thank you all for coming and listening to my talk.
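As an added example (not code from the talk, the speaker, or Gatekeeper Systems), here is a small Python decoder for the 7.8 kHz frame format the talk describes: it locates the longer start pulse with a Goertzel tone detector, samples the eight payload slots, requires the stop pulse, and labels the result as the lock payload, the unlock payload (its bitwise inverse), or unknown. The carrier, the frame shape and the two payloads come from the talk; the slot timings (10 ms bit slots, 20 ms start/stop bursts, 5 ms gaps) and the 44.1 kHz capture rate are assumptions, and the frames it decodes are constructed inside the script rather than taken from a real recording.

```python
"""Decoder for the 7.8 kHz on/off-keyed lock/unlock frames described in the talk.
Added example, not code from the talk or from Gatekeeper Systems. The talk gives
the carrier (7.8 kHz), the frame shape (longer start/stop pulses around eight
payload bits) and the two payloads. Assumed here: 10 ms bit slots (carrier = 1,
silence = 0), 20 ms start/stop bursts, 5 ms gaps, and a 44.1 kHz audio capture.
"""
import math
import random

CARRIER_HZ = 7800.0                   # stated in the talk
SAMPLE_RATE = 44100                   # assumed capture rate
BIT_MS, MARK_MS, GAP_MS = 10, 20, 5   # assumed symbol timings
LOCK_BITS = "10001110"                # payload shown in the talk
UNLOCK_BITS = "01110001"              # its bitwise inverse, as the talk observed


def ms_to_samples(ms):
    return int(round(ms * SAMPLE_RATE / 1000.0))


def invert_bits(bits):
    return "".join("1" if b == "0" else "0" for b in bits)


def goertzel_power(samples, start, length, freq_hz=CARRIER_HZ, fs=SAMPLE_RATE):
    """Single-bin power at freq_hz over samples[start:start+length], divided by
    length**2 so a tone of amplitude A gives about A**2/4 regardless of length."""
    end = min(start + length, len(samples))
    n = end - start
    if n <= 0:
        return 0.0
    coeff = 2.0 * math.cos(2.0 * math.pi * freq_hz / fs)
    s1 = s2 = 0.0
    for x in samples[start:end]:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / float(n * n)


def decode_frame(samples):
    """Return the 8 payload bits of the first frame in samples, or None."""
    win = ms_to_samples(2)
    powers = [goertzel_power(samples, i, win)
              for i in range(0, len(samples) - win, win)]
    if not powers or max(powers) < 1e-3:      # no carrier present at all
        return None
    thresh = 0.25 * max(powers)
    # The first run of carrier-present windows must be the long start marker.
    i = 0
    while i < len(powers) and powers[i] < thresh:
        i += 1
    j = i
    while j < len(powers) and powers[j] >= thresh:
        j += 1
    if (j - i) * 2 < 0.75 * MARK_MS:
        return None                           # too short to be a marker
    marker_end = j * win
    # Measure the middle of each payload slot, timed from the marker's end.
    bits = ""
    for k in range(8):
        slot = marker_end + ms_to_samples(GAP_MS + k * (BIT_MS + GAP_MS))
        p = goertzel_power(samples, slot + ms_to_samples(2), ms_to_samples(BIT_MS - 4))
        bits += "1" if p >= thresh else "0"
    stop = marker_end + ms_to_samples(GAP_MS + 8 * (BIT_MS + GAP_MS))
    p_stop = goertzel_power(samples, stop + ms_to_samples(2), ms_to_samples(MARK_MS - 4))
    return bits if p_stop >= thresh else None  # a stop marker must follow


def classify(bits):
    return {LOCK_BITS: "lock", UNLOCK_BITS: "unlock"}.get(bits, "unknown")


def synth_frame(bits, amplitude=0.8, noise=0.05, seed=1):
    """Constructed test input: one frame rendered as noisy 44.1 kHz audio."""
    rng = random.Random(seed)

    def tone(ms):
        return [amplitude * math.sin(2 * math.pi * CARRIER_HZ * n / SAMPLE_RATE)
                for n in range(ms_to_samples(ms))]

    def silence(ms):
        return [0.0] * ms_to_samples(ms)

    out = silence(20) + tone(MARK_MS) + silence(GAP_MS)
    for b in bits:
        out += (tone(BIT_MS) if b == "1" else silence(BIT_MS)) + silence(GAP_MS)
    out += tone(MARK_MS) + silence(20)
    return [x + rng.gauss(0.0, noise) for x in out]


if __name__ == "__main__":
    for payload in (LOCK_BITS, UNLOCK_BITS, "11110000"):
        decoded = decode_frame(synth_frame(payload))
        print(payload, "->", decoded, classify(decoded))
```

A frame that is cut off before its stop pulse, or a capture with no carrier at all, decodes to None rather than to a guessed payload, which is the behaviour you want from anything that logs or alerts on these commands.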