Priceless: Hacking Electronic Shelf Labels
Disagree with the latest price hikes of your local store? Then this talk is for you!
As price labels, commonly called electronic shelf labels (ESL tags), play a major role in store architecture, they increase the potential attack surface and attract attention from adversaries. To understand how these products work, we examined Android apps, web-based management software, Bluetooth Low Energy (BLE), and 2.4 GHz traffic, as well as their hardware components. In the process, we identified architectural and implementation weaknesses across every part of the ESL infrastructure.
In recent years, more and more convenience stores have upgraded their infrastructure by going digital, and they will continue to do so. This includes introducing ESL tags, which enable dynamic pricing based on demand and reduce labor costs. Depending on their size and budget, stores can choose from two major types of ESL tags that either use BLE or work on other radio frequencies. The former requires only a smartphone to interact with, while the latter relies on an infrastructure of access points and a central management system.
In this talk, we will take you on a journey through the last couple of months of reverse engineering products from two different manufacturers. Throughout this process, we analyzed two different BLE ESL tags and one ESL tag that works with an access point. We successfully performed attacks such as battery drainage and arbitrary writes, which led to denial of service, and achieved complete takeover of the management system that controls products and templates. The possibilities were endless. We identified systematic vulnerabilities in multiple ESL products and propose a general mitigation strategy for the manufacturers.
When we shared our findings with the manufacturers, we were unable to get their ear, leaving these issues unpatched and up to the store owners to mitigate.