Hacker Aaron Christophel has published a video highlighting a flaw in electronic shelf labelling (ESL) systems, showing how a simple ESP32-based battery-powered controller can be used to overwrite or wipe the tags after sniffing the legitimate system's own sync traffic and then pre-empting it.
Electronic shelf labelling is an incredibly convenient system. Typically based around low-power LCD or even-lower-power ePaper electrophoretic displays, the labels are updated wirelessly — allowing an entire store to update pricing instantly without having to send someone around to replace physical paper labels.
Sadly, several implementations of these systems share a flaw, as Christophel demonstrates in his latest video. "I went to an actual store and let the [attack device] firmware run and sniff for the stock sync messages," he explains. "After it has found the system ID and the frequency of the system, I can enable the hijack, send out a bit longer sync message than the stock access point does to prevent it from sending at all, as it will not send if there is any other radio coming."
While Christophel demonstrates the attack in a real store, he's keen to point out no damage was done: "I actually did not do any harm here," he says during the live demonstration. "So, I just refreshed the displays and did not change any content. But it's the same work to be done to simply send out an erase command of the chip, so it will erase itself so that the display is completely unusable."
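The timing argument in those quotes (learn the period and system ID from sniffed sync frames, then transmit a slightly earlier and longer frame so the access point's listen-before-talk check always sees the channel busy) as an added, constructed model. This is not Christophel's firmware and not the real ESL radio protocol: the two-byte marker, the four-byte frame layout, the one-second period, the jitter values and the single-sample carrier-sense rule are all assumptions made up for the illustration.

```python
"""Constructed model of the sniff-then-pre-empt hijack described in the article.

Everything here is assumed for illustration: the frame format, the timings and
the carrier-sense rule are not taken from any real shelf-label system.
"""
from collections import Counter

SYNC_MAGIC = b"\xa5\x5a"  # assumed sync-frame marker, not a real protocol constant


def parse_sync(frame: bytes):
    """Return (system_id, channel) for an assumed sync frame, else None."""
    if len(frame) < 4 or frame[:2] != SYNC_MAGIC:
        return None
    return frame[2], frame[3]


def learn_system(captures):
    """Sniffer step: derive (system_id, channel, period_ms, phase_ms) from
    sniffed (timestamp_ms, frame_bytes) pairs, picking the busiest sync source.
    Returns None when no periodic sync (two or more frames) was observed."""
    by_source = {}
    for t, frame in captures:
        key = parse_sync(frame)
        if key is not None:
            by_source.setdefault(key, []).append(t)
    if not by_source:
        return None
    key, times = max(by_source.items(), key=lambda kv: len(kv[1]))
    if len(times) < 2:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    period = Counter(gaps).most_common(1)[0][0]  # modal gap survives a missed frame
    return key[0], key[1], period, times[0] % period


def simulate(period, phase, ap_len, jitter, guard, slots):
    """Hijack step: count how many access-point sync frames still go out.

    Listen-before-talk model: at each slot the AP samples the channel once at
    its (jittered) slot time and stays silent if anything else is on air.  The
    hijacker starts `guard` ms before the nominal slot and keeps transmitting
    for ap_len + 2*guard ms, i.e. a bit longer than the AP's own frame."""
    sent = 0
    for k in range(slots):
        nominal = phase + k * period
        ap_check = nominal + jitter[k % len(jitter)]
        h_start = nominal - guard
        h_end = h_start + ap_len + 2 * guard
        if not (h_start <= ap_check < h_end):
            sent += 1  # channel looked idle at the AP's sample instant
    return sent


# Constructed capture: system 0x17 on channel 3 every 1000 ms, plus one stray
# frame from a different system and one non-sync frame.
SAMPLE_CAPTURES = [
    (100, b"\xa5\x5a\x17\x03"),
    (500, b"\xa5\x5a\x42\x01"),
    (1100, b"\xa5\x5a\x17\x03"),
    (1300, b"\x00\x01\x02\x03"),
    (2100, b"\xa5\x5a\x17\x03"),
    (3100, b"\xa5\x5a\x17\x03"),
]
# Assumed per-slot timing jitter of the AP's carrier-sense sample, in ms.
JITTER = [0, 3, -3, 5, -5]

if __name__ == "__main__":
    sys_id, channel, period, phase = learn_system(SAMPLE_CAPTURES)
    print(f"system 0x{sys_id:02x} channel {channel} period {period} ms phase {phase} ms")
    # Same-length frame at the nominal time: jitter lets some AP syncs through.
    print("AP frames sent, guard 0 ms:", simulate(period, phase, 20, JITTER, 0, 10))
    # Start a little early and run a little long: the AP never sees an idle channel.
    print("AP frames sent, guard 5 ms:", simulate(period, phase, 20, JITTER, 5, 10))
```

The two `simulate` calls are the point of the model: with a frame the same length as the access point's, sent at exactly the learned slot time, any timing slop lets some legitimate syncs through; starting a few milliseconds early and transmitting a few milliseconds longer than the stock frame covers that uncertainty, which is why the quoted attack sends "a bit longer sync message".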
The attack takes only a few seconds of scanning, and requires little more than an Espressif ESP32 module on a custom carrier board with a suitable CC1101 sub-GHz radio module and a USB power bank to keep the device ticking over in the field. A smartphone is used for control, and few people would get suspicious of someone fiddling with their smartphone as they shop for groceries.