I was in college when self checkout became a thing and it took us all of about 45 seconds to realize that you could just check everything out as bananas. Steak was weighed and priced at 4011 (banana code) as the stoned teenager cashier paid no attention. Everything on the receipt was literally Bananas
shrubble 5 minutes ago [-]
I saw a video where someone took banana bar code stickers wrapped around a bunch of bananas and put them on the TVs in their shopping cart and then checked out via self checkout.
I predict that self checkout will only remain in the more trustworthy areas…
compton93 5 minutes ago [-]
That's crazy. But coming from someone who wrote a book on retail fraud and worked as a retail fraud analyst for several years... you could have just walked straight out with those items.
Transacting was your way of leaving a calling card for the investigators/analysts to find you... You stole regardless of how you did it.
DangerousPie 26 minutes ago [-]
Congratulations, you have discovered the concept of shoplifting!
miki123211 14 minutes ago [-]
IANAL and this depends on the jurisdiction, but in many places, the penalties for shenanigans like these are far steeper than for outright theft, as it's considered to be financial fraud.
dfxm12 7 minutes ago [-]
It sucks that we have to do extra labor and expose ourselves to this kind of legal risk all because a grocery store doesn't want to staff workers. It's not even like they pass these savings onto us...
austhrow743 3 minutes ago [-]
You know you can just walk out the door with the items without using the scanner at all right?
stavros 36 minutes ago [-]
Couldn't you also not just check stuff in? These are all obvious drawbacks, it's not really a high-scrutiny environment.
manarth 15 minutes ago [-]
Most self-checkouts I've come across have weight validation – "Unexpected item in the bagging area".
Categorising things as "bananas" tricks the checkout into accepting the weight of an item, and you pay the appropriate price per bananagram.
junon 6 minutes ago [-]
This is a more expensive form of shoplifting though, idk why even bother with the banana thing, as hilarious as it is.
kvuj 10 minutes ago [-]
People like you are why we are living in an increasingly lower trust society, with for example having items behind locked door in shops.
Reminds me a bit of the shopping cart theory.
comrade1234 25 minutes ago [-]
Since its IR is it line of site? How would you go about changing every tag in the store to say 'Palestine $0.00', for example?
DoctorOW 8 minutes ago [-]
I wonder if since IR is invisible you could theoretically, in an intellectual exercise, blast IR light in a room and mass change them surreptitiously if that was your goal.
weli 2 hours ago [-]
This is pretty dangerous. At least in my country the displayed price must be honored and they cannot refuse the sale.
rickdeckard 2 hours ago [-]
Usually the advertised price must be honored, because it may have brought the customer to your store.
For prices displayed on the shelf-label inside the store the law is usually not that strict (YMMV), as a shop-owner can refuse sale on check-out (otherwise I could put a pricetag on e.g. a shopping-basket and the shop-owner would be legally required to sell me the basket...).
Besides, most shops I've seen (in Europe) already moved from Infrared communication to RF (NFC or proprietary), for centralized shelf-label management without handheld devices. So all this study (and the underlying reverse engineering of the IR-protocol) might do is probably accelerate the transition from IR to RF-based ESL...
rimunroe 50 minutes ago [-]
> Usually the advertised price must be honored, because it may have brought the customer to your store.
This is not the case for groceries in Massachusetts at least. If there’s a discrepancy between the tag’s price and the scanned price the store must charge the customer the lowest of the two: https://www.mass.gov/price-accuracy-information
master-lincoln 50 minutes ago [-]
How is the transport medium changing anything?
To me this is about having protocols that are suitable so not anybody can write to these labels without knowing a store secret or using replay attacks.
mschuster91 24 minutes ago [-]
> How is the transport medium changing anything?
it's mostly about efficiency. IR based, an employee needs to physically walk around. RF based, place a transmitter or two in the building and the system now works fully automated.
wyldfire 25 minutes ago [-]
In your country merchants are not obligated to honor fraudulently altered price displays.
rjmunro 8 minutes ago [-]
In which country?
dewey 56 minutes ago [-]
Probably mostly dangerous for the user, or are people routinely writing their own price signs in the store and then "buying" it for less? Walking up to the lot at the car store and crossing out some zeros? Don't see how this would be any different.
xingped 18 minutes ago [-]
Back in the day people used to swap/edit price tags a lot. Also making fake coupons with the same knowledge. It was a pretty common and easy form of shoplifting since all barcodes used to do was just encode the pricing/discount information.
ModernMech 52 minutes ago [-]
What they do is swap bar codes, or they code organic fruit as regular, or they "forget" to scan in the self checkout, but yes.
dewey 47 minutes ago [-]
So it's just stealing with extra steps.
walrus01 31 minutes ago [-]
This is a big reason why retail product barcode stickers (not barcodes printed directly on a package as it comes from the manufacturer) are now commonly printed on frangible stock with built in slices in it which breaks apart in 3, 4 or more pieces if you try to peel it off.
rithdmc 17 minutes ago [-]
Hardly matters when one may print their own barcode on labels and cover the frangible one.
gruez 10 minutes ago [-]
printing your own sticker requires way more prep than ripping one off a pack of ground beef and sticking it on a pack ribeye steak.
gus_massa 1 hours ago [-]
I guess they can use the cameras to show you were tampering with the labels and call the police. Somewhat related xkcd https://xkcd.com/1494/
stavros 3 hours ago [-]
I am overjoyed to see this story here, we haven't gotten a lot of these hacks lately. Well done!
encom 1 hours ago [-]
Hacks? In my Hacker News? The nerve!
_joel 1 hours ago [-]
Are these hacks or cracks. I'd say the latter.
IshKebab 14 minutes ago [-]
I wouldn't. It doesn't appear that anything was cracked. Rather they just reverse engineered the protocol.
voidUpdate 3 hours ago [-]
I still don't think I've seen an actually useful application for a Flipper Zero. It's all just "use this to change store price tags" or "here's how to disconnect all bluetooth devices", but also "don't actually use this, because it would be illegal, this is just for educational purposes"
rickdeckard 2 hours ago [-]
Beside of how the media often tries to present it, the value of Flipper Zero is not for everyone to "become a hacker with this simple app".
Its value is to provide a standardized hardware platform for (white hat) hackers for probing, prototyping, refining and sharing of security research in the fields its hardware supports (Sub-GHz RF, NFC, IR, and custom external boards via simple Input/Output pins).
Prior to that, everyone who wanted to research e.g. RF security had to either build/assemble something custom or buy much more expensive equipment. This created a barrier to collaborate on research, as everyone had to buy/build the same setup.
On top of that, Person A researching some RF topic selected an RF-transceiver from Company X, Person B used a component and a proprietary SDK of Company Y, so consolidating both work streams for a better foundation for all RF-related research required alot of time and effort from someone, breaking workflows of at least one group of researchers, etc.
In contrast, security research which utilizes Flipper Zero can be reproduced and built upon by everyone. All the work is harmonized on the same Hardware architecture, so it's easy for someone familiar with the platform to dive straight into a new idea without having to build a new breadboard, select a chipset, buy additional probing equipment etc.
kotaKat 2 hours ago [-]
I'm tired of the "security research" angle when it's all just kids playing with ESP32 deauther attacks presented to them on a silver platter.
I should not have to put up with children going "JUST SECURE YOUR NETWORKS BRO" because they spent $30 on some eBay "maurauder" dongle to be a pissant.
lan321 1 hours ago [-]
It's probably good to have kids with no big plans messing with your security now and then. Keeps you on your toes, and you can't really pass it off as an act of god if a teenager pwns you.
rft 1 hours ago [-]
And a minority of those kids will get curious about the How and Why. Those are the security nerds of the future securing the networks against both the kids they were themselves and actual malicious actors.
Source: Early interest in wifi security, including in other people's networks, lead me down an education and career in security
gausswho 57 minutes ago [-]
Hacker News. Where you either die a pissant or become the villain with a fistful of RSUs.
kotaKat 45 minutes ago [-]
I sure wish I was wealthy and had a fistful of RSUs. You wanna send me some? I make 5% over my area's 80% median income and I can't even get housing because I "make too much money" despite being $3000 too rich.
I'm pretty tired of being the network guy in the field playing remote hands having to be on the front lines of all of this bullshit having to explain to decision makers that a bunch of shitty kids are running around and there's no real solution that we can just "fix" this with.
I'm tired. If they're not deauthing our networks they're breaking into rooms with the goddamn card copying and fuzzing functionality and stealing shit.
master-lincoln 44 minutes ago [-]
the alternative is to put up with crackers abusing your insecure network for their own benefit
StingyJelly 2 hours ago [-]
[flagged]
OuterVale 2 hours ago [-]
I use mine for all sorts. I volunteer at a second-hand shop so use it to set up remotes for donated media devices, I've used it to run scripts to apply the same changes to many computers that aren't on a group policy via BadUSB, I've used it for toys-to-life games, and very much more. There are plenty of genuine uses if you're cluey.
vbezhenar 44 minutes ago [-]
Yeah, I bought it and it collects a dust since then. Fun device but I have no idea how to use it in my life.
rjh29 3 hours ago [-]
Turns out it's what they said it was all along, an educational device.
avian 3 hours ago [-]
This one provides the source and asks you to build it yourself so at least it has some credibility for the "education use only" claim.
I've seen similar things posted on here before that had a binary build only and zero technical documentation. It was really hard to see any kind of research or education value in those.
cucumber3732842 3 hours ago [-]
It's useful for dealing with the industrial equivalent of IOT garbage
imp0cat 2 hours ago [-]
[flagged]
master-lincoln 46 minutes ago [-]
As if devices created in Russia would all be "useless" or only for illegal purposes.
I smell prejudice
estimator7292 38 minutes ago [-]
Cool racism bro
Rendered at 12:31:00 GMT+0000 (Coordinated Universal Time) with Vercel.
I predict that self checkout will only remain in the more trustworthy areas…
Transacting was your way of leaving a calling card for the investigators/analysts to find you... You stole regardless of how you did it.
Categorising things as "bananas" tricks the checkout into accepting the weight of an item, and you pay the appropriate price per bananagram.
Reminds me a bit of the shopping cart theory.
For prices displayed on the shelf-label inside the store the law is usually not that strict (YMMV), as a shop-owner can refuse sale on check-out (otherwise I could put a pricetag on e.g. a shopping-basket and the shop-owner would be legally required to sell me the basket...).
Besides, most shops I've seen (in Europe) already moved from Infrared communication to RF (NFC or proprietary), for centralized shelf-label management without handheld devices. So all this study (and the underlying reverse engineering of the IR-protocol) might do is probably accelerate the transition from IR to RF-based ESL...
This is not the case for groceries in Massachusetts at least. If there’s a discrepancy between the tag’s price and the scanned price the store must charge the customer the lowest of the two: https://www.mass.gov/price-accuracy-information
To me this is about having protocols that are suitable so not anybody can write to these labels without knowing a store secret or using replay attacks.
it's mostly about efficiency. IR based, an employee needs to physically walk around. RF based, place a transmitter or two in the building and the system now works fully automated.
Its value is to provide a standardized hardware platform for (white hat) hackers for probing, prototyping, refining and sharing of security research in the fields its hardware supports (Sub-GHz RF, NFC, IR, and custom external boards via simple Input/Output pins).
Prior to that, everyone who wanted to research e.g. RF security had to either build/assemble something custom or buy much more expensive equipment. This created a barrier to collaborate on research, as everyone had to buy/build the same setup.
On top of that, Person A researching some RF topic selected an RF-transceiver from Company X, Person B used a component and a proprietary SDK of Company Y, so consolidating both work streams for a better foundation for all RF-related research required alot of time and effort from someone, breaking workflows of at least one group of researchers, etc.
In contrast, security research which utilizes Flipper Zero can be reproduced and built upon by everyone. All the work is harmonized on the same Hardware architecture, so it's easy for someone familiar with the platform to dive straight into a new idea without having to build a new breadboard, select a chipset, buy additional probing equipment etc.
I should not have to put up with children going "JUST SECURE YOUR NETWORKS BRO" because they spent $30 on some eBay "maurauder" dongle to be a pissant.
Source: Early interest in wifi security, including in other people's networks, lead me down an education and career in security
I'm pretty tired of being the network guy in the field playing remote hands having to be on the front lines of all of this bullshit having to explain to decision makers that a bunch of shitty kids are running around and there's no real solution that we can just "fix" this with.
I'm tired. If they're not deauthing our networks they're breaking into rooms with the goddamn card copying and fuzzing functionality and stealing shit.
I've seen similar things posted on here before that had a binary build only and zero technical documentation. It was really hard to see any kind of research or education value in those.
I smell prejudice