Edit store price tags using Flipper Zero (opens in new tab)

> Fixed, basic auth would just get leaked (probably first by Home Assistant tinkerers who find some discarded electronic shelf tags somewhere and want a new display for their house).

You know what, that is a great idea for a project of mine, where I want to display outside temp and weather forecast in the hallway next to the wardrobe. I have been musing about it for a while now: how to make it small and not stand out, how to handle power delivery, etc.

I was already leaning towards eink, and if I can get one of these price tags cheap plus hide an IR blaster in a corner that would be ideal. All controlled by Home Assistant of course. I'm going to search the usual Chinese online marketplaces tomorrow.

Thank you!

>It doesn't really change anything.

Yes it does, unlike before, a shits-and-giggles attacker could change all the tags in an aisle into "you're gay" without showing anything on surveillance cameras.

He wouldn't gain anything but the store would lose.

> It doesn't really change anything.

> Previously, a criminal could just print their own shelf tags.

Between your 'previously' and now is a period of at least two or three decades, where shelf tags have only be for your information in the store, while the real price came from computerized POS-Terminals with attached barcode-readers. Which of the two has priority for the customer may depend on country, law, store policy & good will.

Furthermore stores are completely cam covered nowadays, so much luck with being seen fumbling with your gadget in front of that label, or being seen on 'tape' putting another one over it, or things like that :-)

I suppose you're right, even with auth there a risk the store would lose it and the tags would need to be trashed or manually reset. Stores aren't the most tech savvy of businesses.

On that note, I worked at a store where each department would borrow the store floppy and copy their weekly orders+sales onto it, then the store manager would read them on the office computer in one big excel file. This was in the late 2000s, so floppy was already pretty outdated, but it worked so it never changed.

I got called to the managers office one day. The store manager and assistant manager couldn't get the master spreadsheet to save and needed my computer skills. I spent like an hour fiddling with things before ejecting the disk and realizing they had hit the write lock switch on the floppy, so the spreadsheet wouldn't save.

I was the hero of the day and the manager bought a thumb drive from the photo department so this wouldn't happen again.

>Previously, a criminal could just print their own shelf tags.

Yep. For the physical "hackers" among us, a price sticker gun (those little orange or white stickers with a number on them that mom and pop shops use) was one of our first tools to mess around with

And previous before that was the days of /b/tards on 4chan making coupons for feee stuff

I’m sorry but this entire premise is dubious at best hilarious at worst.

I’ve worked retail on and off for a decade and been friends with AP in most places and no one has ever mentioned this happening. Never been told to watch for it, or heard a rumor about it from another store.

It’s just not something that happens.

>But I also have not seen them widespread at the physical outlets I shop at.

Me neither. If it parallels the arc of those restaurant buzzers [USA perspective]:

-Big chains first (Olive Garden) with quality industrial systems

-Then, small businesses with dinky systems sold on Bezos site

What do you think, someone would have to be fired if e.g. Best Buy tags were super flaky and reset at random nationwide?

The visual risk of walking out without paying is much greater than the risk that anyone actually investigates AND tries to track him down for it.

Back when I was a kid it was common to still just have simple price tag stickers on every single item. We’d pull off a cheap sticker and put it on an expensive item. If they noticed, we’d just shrug and say “oh Nevermind then” when they found the right price.

The only problem was most cashiers actually knew all the prices of stuff and paid attention, believe it or not they even knew how to make change back in those days /s. So you couldn’t always get super aggressive.

That's _bananas_.

Seriously. Especially since self-checkout is almost always with a card tied to your identity, not cash.

Depending on the value, the police probably aren't going to show up at your address, but use that card again at the store in the future and you might find the security guard coming over. Or, like many stores, they wait for you to do it repeatedly until it adds up to enough for a felony instead of just a misdemeanor, and then they bring felony charges...

The stores have cameras. Likely someone is well aware those weren't all bananas, and has it on video.

Play stupid games, win stupid prizes.

I’d be interested in your book!

I was of the impression that, in our golden age of individualized surveillance, merely interacting with the kiosk was enough to leave a facial-geometry calling card these days.

I feel like I may have heard this from one of those Illinois BIPA class action suits [0], which reliably have a whiff of crackpot to them from a technical perspective. But it surely seems an obvious enough sort of application…

[0] https://www.law360.com/articles/2372764/home-depot-s-self-ch...

I know people who regularly stole this way. They would usually work in pairs and one would leave a full cart near the exit and the other would walk out confidently. Worst case they figured they would just act the fool and either leave the cart or pay. Irked me that they did this but not enough to rat. I bet these days doing that with any kind of regularity would have you starring on much higher quality film.

What's the books name?

This gives the ability to use the excuse "I didn't know how to use the machine, I thought I used it correctly, nobody ever trained me on this", where as just walking out does not

(Not a lawyer, I'd imagine you know better here than I do)

I think the point was that they COULDN'T have just walked out with them, BUT, by learning then going through the motions of a typical check out this A+++ hacker was able to bypass a normal security layer.

Too bad the store owners introduced a way to give customers more control over how merchandise exits their store.

It's hacking, there a difference. He learned the system and exploited a vulnerability!

if a store does not want to hire capable staff to perform an essential function, they should not expect laypeople to perform that action for free (or at higher cost, as we've seen with grocery prices in the US as human cashiers are reduced) at the same level as a trained staff member.

we do not have to accept this decision to reduce staff and raise prices as a matter of course. plus, if you see somebody stealing food, no, you didn't.

Some retail chains, of which Dollar General is the poster child, have one price displayed on the shelf and a different, much higher price at the checkout register.

Links:

> Missouri Attorney General Andrew Bailey has filed suit against Dollar General, claiming deceptive and unfair pricing at its more than 600 retail stores throughout the state. The lawsuit alleges that Dollar General violated Missouri’s consumer protection laws by advertising one price at the shelf and charging a higher price at the register upon checkout.

> The joint investigation revealed that “92 of the 147 locations where investigations were conducted failed inspection. Price discrepancies ranged up to as much as $6.50 per item, with an average overcharge of $2.71 for the over 5,000 items price-checked by investigators.”

https://progressivegrocer.com/dollar-general-accused-decepti...

> All told, 69 of the 300 items came up higher at the register: a 23% error rate that exceeded the state’s limit by more than tenfold. Some of the price tags were months out of date.

> The January 2023 inspection produced the store’s fourth consecutive failure, and Coffield’s agency, the state department of agriculture & consumer services, had fined Family Dollar after two previous visits. But North Carolina law caps penalties at $5,000 per inspection, offering retailers little incentive to fix the problem. “Sometimes it is cheaper to pay the fines,” said Chad Parker, who runs the agency’s weights-and-measures program.

https://www.theguardian.com/us-news/2025/dec/03/customers-pa...

It sucks that we have to do extra labor and expose ourselves to this kind of legal risk all because a grocery store doesn't want to staff workers. It's not even like they pass these savings onto us...

Hey, something I'm somewhat qualified to answer! So, yes, these systems are actually effective. The systems and procedures are designed to look low key, but essentially perform PRISM-like mass surveillance behind the scene. These systems are managed by former US IC personnel.

What happens is that your identity is tied to these purchases and after a certain threshold you get flagged as a thief, essentially. At that point, you will get very increased attention (via checkout, purchases, and floor walkers), and after another threshold, will be trespassed and/or prosecuted.

But, you'll probably get away with a banana or few before you trigger the loss prevention threshold.

The self checkout at my preferred grocery store (Hy-vee, an upper midwest chain) has started using these overhead cameras to confirm that you're purchasing everything you ostensibly have in your cart. Except it always flags us for the Starbucks drinks we're carrying (Hy-vees usually have a mini Starbucks shop inside them). More annoying though is that it flags us for the 5 gallon water jug refills that we manually punch into the self-checkout kiosk, because the surveillance system isn't satisfied unless the heavy ass jugs of water leave the cart, slide across the scanner and then get placed in the bagging area – anything else is possible theft.

All this has done is train us to keep the carts out of the camera's viewing angle. It doesn't care if you keep pulling handfuls of groceries out of hammer space, as long as there's no cart in the frame.

I'm in Australia but similar sounding system is in operation at our two major supermarkets.

I scanned a drink, heard the beep, put it in the bag. I scanned a loaf of bread, heard a beep, put it in the bag.

Now, instead of the typical "Unexpected item in the bagging area" it now shows the overhead replay and locks the system out until an employee comes over to review.

Combined with their exit gates that don't open if they think you've not paid for something, and cameras that track you through the store it's feeling very unfriendly.

I do not spend money at businesses that treat me like a criminal.

Sam's club has 'the arch', and one time when I did self checkout I did miss an item (thought I scanned it and I didn't apparently) and so far that's the only time they've actually checked the cart, the rest I was just waved through.

So seems pretty good. Obviously erring on the side of having an employee double check makes sense when their profit margins are generally single digits. One missed tshirt means they lost money on your $300 cart.

That video was staged, at Target electronics need to be paid for in the electronics department where there is no self-check out. In addition Target has the best Loss Prevention in the business, including let shoplifters continue until they accumulate enough goods that their crime is a felony.

Every self checkout around here has an employee staffing ~6 terminals. They're supposed to be watching for things like that. Usually theyre just staring vacantly into space, which I get, that job pays nothing and provides 0 mental stimulation.

When you see a TV being purchased, though, it wouldn't be hard to just watch that it in fact got checked in as such.

Most self-checkouts I've come across have weight validation – "Unexpected item in the bagging area".

Categorising things as "bananas" tricks the checkout into accepting the weight of an item, and you pay the appropriate price per bananagram.

That is something you can do in cahoots with a regular cashier and the reason places like Costco check your receipt. The cashier just has to fake scan an item, and nobody would notice. Receipt checking makes it possible to get caught.

Corporations broke the social contract first.

trust goes both ways. you can be cynical about people who take things without paying, i guess. i prefer to be cynical about the corporations who run and stock these grocery stores with substandard products at artificially inflated prices that benefit shareholders and disadvantage people who need to eat food to live.

Think about blaming the grocery store replacing workers with no one in particular before you blame some college pranksters.

Grocery stores in general consolidating, laying off workers, leaving them without pay/benefits, taking advantage of greedflation, etc., is a bigger drain on society.

Not careful enough

> Usually the advertised price must be honored, because it may have brought the customer to your store.

This is not the case for groceries in Massachusetts at least. If there’s a discrepancy between the tag’s price and the scanned price the store must charge the customer the lowest of the two: https://www.mass.gov/price-accuracy-information

It definitely varies by jurisdiction, but the register price always loses to any printed price in the US states I’ve lived in. This is a protection since retailers have used pricing mistakes to unfairly profit. Watch your receipt like a hawk at the dollar store[0]

[0] https://www.theguardian.com/us-news/2025/dec/03/customers-pa...

How is the transport medium changing anything?

To me this is about having protocols that are suitable so not anybody can write to these labels without knowing a store secret or using replay attacks.

Very much depends where. In QC, if it rings higher than tagged in the store you get the first one for free and the next ones at the lower price. They take it VERY seriously as a result and will take the tag down while they make a new one to ensure nobody else gets a freebie.

Stores hate giving the product away and pricing errors are much lower in my experience.

That may not be true if the faked display contents are reasonable. Price labels on shelves are leading: https://www.consumentenbond.nl/juridisch-advies/rechten-bij-...

Supermarkets all throughout my country have these labels add "35% off" to any goods that they need to remove from shelves (either because they expire soon or because they want to replace the product with something different). That's done outside of normal advertising campaigns, just in the price tags on the shelves (and the digital systems, if they actually work).

Supermarkets here are already on thin ice because they frequently do not charge the price listed on shelves already, without malpractice.

Of course, if you happen to have a cart full of wrongly discounted stuff that someone needs to go out and correct, the store will probably look through security footage. If you play the game well and can make it look like a glitch in the system, a store would probably not bother, though.

Back in the day people used to swap/edit price tags a lot. Also making fake coupons with the same knowledge. It was a pretty common and easy form of shoplifting since all barcodes used to do was just encode the pricing/discount information.

What they do is swap bar codes, or they code organic fruit as regular, or they "forget" to scan in the self checkout, but yes.

spain

Are these hacks or cracks. I'd say the latter.

Very neat! Where did you acquire the tags and for how much?

> it may be that common law prevails as you say in most transactions despite the states with regulations

As already mentioned IANAL, but I would take an educated guess as follows:

The specific regulations to which you refer are in effect consumer protection regulations.

Ergo, they are there to protect the consumer against malicious behaviour by unscrupulous traders such as false or misleading information.

Any reasonable judge in a courtroom will likely agree that incorrect display of pricing on a shelf (or website or catalogue) is (in the absence of evidence to the contrary) likely to be an inadvertent error with no malicious intent. And therefore the common law would prevail.

I think you are right, it just feels useless.

Who do you think feels the effect of fraud/theft at retail stores? The "rich" owners feel a little of it, sure, but they have a proven strategy for keeping their profits up by reducing costs: fire employees and make those who remain do more work for the same pay. So you think this is "not actually a bad thing" because you're screwing over <insert big company here> but really you're just screwing over the workers.

Presumably they want nobody to ever publish or even explore "bad" things.

Because as we all know, if something "bad" is possible, but no one has published a GitHub about it, no one will ever be able to do the bad thing! Society is saved at last!

You can't Categorical Imperative me. I'm a hacker.

Yeah, that's the social engineering part. It's a hacker trick. "Cmaan, I'm a little guy I'm a little birthday boy" https://x.com/eshear/status/1941696051884458278?s=20

Not your buddy, pal. ;3

There is much better hardware available to security researchers (chameleons, hackrf, and actually research-grade (much more expensive) equipment).

The flipper is basically an Arduino pre built with a bunch of static antennas. It's fine and in a decent form factor, but I really haven't found it useful.

Do you have any links to actual research (not children playing "researcher") done with flipper hardware?

Flipper zero themselves try to present the flipper zero as a device that "hacks things with a button press".

And they love the free advertising they get along the same lines by youtubers desperate for clicks.

Ultimately it just sells more devices. The flipper zero can't "hack" anything. It can only be used as a tool to perform hacking, by a skilled individual who is doing all the work/discovering an exploit.

I'm tired of the "security research" angle when it's all just kids playing with ESP32 deauther attacks presented to them on a silver platter.

I should not have to put up with children going "JUST SECURE YOUR NETWORKS BRO" because they spent $30 on some eBay "maurauder" dongle to be a pissant.