I still don't think I've seen an actually useful application for a Flipper Zero. It's all just "use this to change store price tags" or "here's how to disconnect all bluetooth devices", but also "don't actually use this, because it would be illegal, this is just for educational purposes"
I use mine as a presentation remote, and as a USB interface for some micro controllers. Sure, I could buy a dedicated remote, or a bus pirate or other programming device, but I already have the flipper, so it suits me fine
That law probably wouldn't apply if someone brought their own label printer into the store and put their own price tags on to the merchandise, which is essentially what this is.
It's crazy that supermarkets invested in tags without even basic authentication. Hopefully they can sue the manufacturer for the cost of replacing them with moderately secure ones/reflashing the existing tags with secure firmware.
The extreme lack of cybersecurity for something as essential as (often legally binding) price indicators should shock the entire industry, although I feel like it comes to no surprise to anyone actually working on integrating these things.
I was in college when self checkout became a thing and it took us all of about 45 seconds to realize that you could just check everything out as bananas. Steak was weighed and priced at 4011 (banana code) as the stoned teenager cashier paid no attention. Everything on the receipt was literally Bananas
Yesterday I went to Walmart, and at the self-checkout the system quirked out and an attendant came by. She reviewed some sort of draconian overhead cam video of me trying to locate a tag out for a product to scan. Gave me "guilty until proven" innocent vibes. Are these systems actually effective?
There's a tiktok literally floating around right now where somebody sticks a banana band on a cyberpower PC at Walmart and checks out at the self-checkout.
Then the receipt checker at the door checks his receipt and waves him on through.
This was I think effective early on but now there are many systems to detect this "fraud". I say "fraud" because I honestly have zero sympathy for these companies who are doing anything but paying people a living wage to do a job and that goes for Walmart in particular.
I've had opportunity to hear many stories from people who have had largely unintended encounters with law enforcement. Many of these are for "shoplifting". That can be something as simple as forgetting something on the bottom of the cart. Walmart are super aggressive about this and rather than saying "sir, did you forget that thing or not want it anymore?" they prosecute.
Walmart is one of those publicly subsidized companies in the country. They don't pay employees enough so the government gives them food stamps. Those food stamps are largely spent at Walmart so Walmart is profiting on both ends. And then they displace checkout workers with self-checkout and pay for fraud detection systems and when people either intentionally or unintentionally didn't scan something correctly (or at all), they offload the costs of loss prevention onto the state by prosecuting. Walmart doesn't pay for that prosecution. TAxpayers do.
Walmart is a trillion dollar company. The stock has almost 3x'ed in less than 4 years. How long did it take to 3x to that level? About 23 years.
Systems like Everseen make that approach significantly riskier than it used to be. A live video of you checking out is run through image classification software, so if you scan a steak as 4011, it'll pause the checkout flow and call the SCO (self-checkout) attendant to watch the video of you scanning the item. They then have to approve the scan, at best leaving you publicly humiliated.
Are you me? I also did this at university in Britain circa 2010. I went for onions and carrots mostly. I'd go to the meat or fish counter and get lovely bits of fillet, then check them out weighed as onions.
It's always funny when people publish source code and have a disclaimer saying "You CANNOT use it for bad!". When is the last time a criminal read such a disclaimer and thought "Oh right, guess this isn't for me"?
Sure, at least the developer can say they did say so, but it doesn't matter. To me it seems more like avoiding responsibility. You published the tool, and by doing so you changed the world, even minutely, and in ways you cannot predict.
As hackers we bear the responsibility of tools we publish. Even if you believe knowledge is the most important and that everything _should_ be published, we should at least be well aware of the consequences. Great power, great responsibility.
Hardware stores sell chainsaws. There might be a disclaimer about proper usage or safety guidelines or some such, but you're right... someone who intends to use something to commit a crime, will do so regardless of the text asking them not to.
I'm sorry, but I'm so sick of seeing "omg hacker man" mystique surrounding flipper, which is exactly what they want because it drives sales. Ofc you can muck about with open and unsecured stuff...like duh.
But it annoys me to no end when I have reasonably intelligent friends parrot claims like "flipper can clone the nfc in your credit card and you can steal people's money wow much hack!"
I worked in retail many years, including doing store shelf tear downs and replacement and night shift stocking.
Back in the day we would get our planograms from HQ, then we’d print out all the labels on perforated paper, and walk the shelves moving product and updating the price tags, throwing out the old. The epaper tags are very clearly an improvement to that process in both time and waste. We would also check the prices using a Motorola price gun and do our fixes manually and then print out new tags or update the counts.
I’m surprised these tags are just IR blasted with no security. I would have expected they’d need some sort of code and you would simply save the code on your gun, pop a tag in front of a product, scan the product, then pair the tag all on your price gun in like 3 actions.
I also would have thought in these days we’d use Bluetooth beacons to triangulate the shelf slot too so that HQ could have a realtime map against their planos (it was not uncommon a product’s size would change and the layout would have holes or products that don’t fit on your real shelf).
Anyways, neat project! Triggered a walk down memory lane for me.
I use a similar trick with most software. Instead of buying the online one, I get it on The Pirate Bay. These days even open source software you can simply just apply Claude and get a different version.
People online will kick up a fuss about GPL and shit but in real life no one bothers. Shoplift. Close an OSS project. Who cares.
Sometimes I even ride without a ticket. In Europe/Asia especially if you act like clueless American they’ll let you off every time. Done it so many times haha. Some of these places even they will put fruits outside. You can just take extra and hide it. They can’t tell.
One time on drive to Bury St. Edmunds small town in the UK I saw a little farm shop with some sign saying to leave payment there. Zero enforcement. I just took the fruits. No flipper zero needed.
Good life hack. Social hacks like these are not so common but if you’re clever you can get a lot.
A lot of discussion about self-checkout fraud, but these tags are only for shoppers' convenience and don't control pricing - One tag goes in front of that SKU on display so you can see the price. At checkout, a barcode or plain old paper tag / printed barcode on the item itself gets scanned and that's where the price is looked up.
It's interesting how the README.md basically states in every other paragraph how you should not use this without authorization. The term (un)authorized and variations appear 18 times in there.
> Usually the advertised price must be honored, because it may have brought the customer to your store.
No.
In most jurisdictions this is covered by Contract Law 101 that lawyers learn in year 1.
A contract only forms when you have an offer, acceptance, consideration
The price on the shelf (or shown on the website or in a catalogue) is known as an “Invitation To Treat”.
“Invitation To Treat” means you are inviting the customer to come to you and make you an Offer. There is no obligation on the business to sell.
In the case of a supermarket in the context of this discussion, the agent scans the barcode, and the "real" price is displayed on the screen and added to your bill. This is the "Offer", the business is saying "we are willing to sell you this Tomato at this price, take it or leave it".
If you don't say anything and pay and leave, then "Acceptance" has occured and the "Consideration" is the act of payment itself.
(N.B. IANAL, so my description might not be precicely textbook, but that's the broad concept).
I don't know whether "usually" is accurate though; it may be that common law prevails as you say in most transactions despite the states with regulations.
41 comments
[ 6.3 ms ] story [ 70.6 ms ] threadWe've been able to take a price sticker off one object and put it onto another for a very, very long time.
It's not really a new issue and current law should already cater for it.
The extreme lack of cybersecurity for something as essential as (often legally binding) price indicators should shock the entire industry, although I feel like it comes to no surprise to anyone actually working on integrating these things.
Then the receipt checker at the door checks his receipt and waves him on through.
I've had opportunity to hear many stories from people who have had largely unintended encounters with law enforcement. Many of these are for "shoplifting". That can be something as simple as forgetting something on the bottom of the cart. Walmart are super aggressive about this and rather than saying "sir, did you forget that thing or not want it anymore?" they prosecute.
Walmart is one of those publicly subsidized companies in the country. They don't pay employees enough so the government gives them food stamps. Those food stamps are largely spent at Walmart so Walmart is profiting on both ends. And then they displace checkout workers with self-checkout and pay for fraud detection systems and when people either intentionally or unintentionally didn't scan something correctly (or at all), they offload the costs of loss prevention onto the state by prosecuting. Walmart doesn't pay for that prosecution. TAxpayers do.
Walmart is a trillion dollar company. The stock has almost 3x'ed in less than 4 years. How long did it take to 3x to that level? About 23 years.
Sure, at least the developer can say they did say so, but it doesn't matter. To me it seems more like avoiding responsibility. You published the tool, and by doing so you changed the world, even minutely, and in ways you cannot predict.
As hackers we bear the responsibility of tools we publish. Even if you believe knowledge is the most important and that everything _should_ be published, we should at least be well aware of the consequences. Great power, great responsibility.
I'm sorry, but I'm so sick of seeing "omg hacker man" mystique surrounding flipper, which is exactly what they want because it drives sales. Ofc you can muck about with open and unsecured stuff...like duh.
But it annoys me to no end when I have reasonably intelligent friends parrot claims like "flipper can clone the nfc in your credit card and you can steal people's money wow much hack!"
I worked in retail many years, including doing store shelf tear downs and replacement and night shift stocking.
Back in the day we would get our planograms from HQ, then we’d print out all the labels on perforated paper, and walk the shelves moving product and updating the price tags, throwing out the old. The epaper tags are very clearly an improvement to that process in both time and waste. We would also check the prices using a Motorola price gun and do our fixes manually and then print out new tags or update the counts.
I’m surprised these tags are just IR blasted with no security. I would have expected they’d need some sort of code and you would simply save the code on your gun, pop a tag in front of a product, scan the product, then pair the tag all on your price gun in like 3 actions.
I also would have thought in these days we’d use Bluetooth beacons to triangulate the shelf slot too so that HQ could have a realtime map against their planos (it was not uncommon a product’s size would change and the layout would have holes or products that don’t fit on your real shelf).
Anyways, neat project! Triggered a walk down memory lane for me.
We do not want a world full of hyper-dynamic pricing, we should destroy these.
People online will kick up a fuss about GPL and shit but in real life no one bothers. Shoplift. Close an OSS project. Who cares.
Sometimes I even ride without a ticket. In Europe/Asia especially if you act like clueless American they’ll let you off every time. Done it so many times haha. Some of these places even they will put fruits outside. You can just take extra and hide it. They can’t tell.
One time on drive to Bury St. Edmunds small town in the UK I saw a little farm shop with some sign saying to leave payment there. Zero enforcement. I just took the fruits. No flipper zero needed.
Good life hack. Social hacks like these are not so common but if you’re clever you can get a lot.
https://en.wikipedia.org/wiki/Tragedy_of_the_commons
No.
In most jurisdictions this is covered by Contract Law 101 that lawyers learn in year 1.
A contract only forms when you have an offer, acceptance, consideration
The price on the shelf (or shown on the website or in a catalogue) is known as an “Invitation To Treat”.
“Invitation To Treat” means you are inviting the customer to come to you and make you an Offer. There is no obligation on the business to sell.
In the case of a supermarket in the context of this discussion, the agent scans the barcode, and the "real" price is displayed on the screen and added to your bill. This is the "Offer", the business is saying "we are willing to sell you this Tomato at this price, take it or leave it".
If you don't say anything and pay and leave, then "Acceptance" has occured and the "Consideration" is the act of payment itself.
(N.B. IANAL, so my description might not be precicely textbook, but that's the broad concept).
I don't know whether "usually" is accurate though; it may be that common law prevails as you say in most transactions despite the states with regulations.