PaulDotCom mailing list archives

Re: Expanding upon the obvious


From: Joshua Wright <jwright () hasborg com>
Date: Wed, 12 Dec 2012 09:02:36 -0500


On Dec 11, 2012, at 12:49 PM, Patrick Laverty <patrick_laverty () brown edu> wrote:

> I think Stop & Shop grocery stores are doing something tangential to this. If you use their in-store price scanner,
> it will beep at you on occasion, telling you about deals on an item that just happens to be in the aisle you're
> standing in! So while they might not know who *I* am (or they might), they sure know where I am in the store.

There is a big market for product manufacturers to collect information about shopper habits in retail establishments.  
In supermarkets where margins are thin, there is a clear revenue opportunity to sell information about what aisles 
shoppers walk down, how long they stop at any given spot (identifying the prime marketing points in the store), what 
they choose for a product at a given spot in the store among other competitors, etc.

Stores like Stop & Shop (and others) have developed systems to ease the checkout process while shopping, and are leveraging 
those devices with proprietary or standards-based location tracking systems.  The IEEE 802.11 systems for location 
tracking are common, but ZigBee and IEEE 802.15.4 are seeing more active use since the chips are cheaper and simpler, 
and the perceived security is "better" (do these quotes make me look snarky?)  Other stores are using Bluetooth, or 
proprietary protocols such as Z-Wave.

As a pen-tester, this is good for me, since there are lots of opportunities for manipulating these systems using 
readily-available or custom tools.  Typically we don't see these systems as unauthorized internal network access 
threats, but it's common to identify weaknesses that threaten the reliability and fidelity of the system, which calls 
the value of the deployment into question.

-Josh
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com