The Electronic Shelf Label (ESL) protocol is widely used by retail stores, hospitals, and other industries to display information on electronic labels. A vulnerability (CVE-2022-45914) was recently reported in the ETAG-213-V4.3 20190629 board with the OV80e934802 RF transceiver: the labels accept update commands sent over 433 MHz RF without any authentication, so anyone within radio range can change what a label displays. The consequences range from disrupting the organization of a hospital storage unit to maliciously altering retail pricing.

In this post, we will analyze the exploit details, provide code snippets to demonstrate the vulnerability, and list the appropriate references.

Exploit Details

The vulnerability is in the ESL protocol as implemented by the OV80e934802 RF transceiver on the ETAG-213-V4.3 20190629 board. Traffic between the label transmitter and the labels goes over the air in the 433 MHz band, so an attacker can record it and then replay it or send modified frames, or skip the legitimate transmitter entirely and send crafted frames straight to the labels from a portable device such as an SDR (Software Defined Radio).

The root cause is the absence of authentication on data sent to the labels. A label accepts any well-formed frame it receives in the 433 MHz band without verifying its source, so a frame transmitted by an attacker changes the displayed information exactly as a legitimate one would.
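To make the missing check concrete, and to show the authentication and integrity controls the conclusion of this post asks for, here is an added example that is not code from the post or from the ETAG-213 vendor. The frame layout (label id, counter, price, optional MAC tag), the per-label key and all values are assumptions constructed for the illustration; the real ESL frame format is not documented on this page. The "weak" label models the reported behaviour (apply any frame addressed to it), the "strong" label rejects frames without a valid HMAC and rejects replays of captured frames via a monotonic counter.

```python
import hashlib
import hmac
import struct

# Assumed frame layout (NOT the real ETAG-213 protocol, which this post does not
# document): big-endian label_id (4 bytes), counter (4 bytes), price in cents
# (4 bytes), optionally followed by a 16-byte truncated HMAC-SHA256 tag.
HEADER = struct.Struct(">III")
TAG_LEN = 16


def build_frame(label_id, counter, price_cents, key=None):
    """Build an update frame; with a key, append a MAC over the header."""
    header = HEADER.pack(label_id, counter, price_cents)
    if key is None:
        return header
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


class UnauthenticatedLabel:
    """Models the reported behaviour: any well-formed frame addressed to this
    label is applied, whoever sent it."""

    def __init__(self, label_id):
        self.label_id = label_id
        self.price_cents = None

    def receive(self, frame):
        if len(frame) < HEADER.size:
            return False
        label_id, _counter, price = HEADER.unpack_from(frame, 0)
        if label_id != self.label_id:
            return False
        self.price_cents = price          # no check of who sent it
        return True


class AuthenticatedLabel:
    """Hardened variant: a per-label key shared with the transmitter, a MAC over
    the whole header, and a monotonic counter so captured frames cannot be
    replayed."""

    def __init__(self, label_id, key):
        self.label_id = label_id
        self.key = key
        self.last_counter = -1
        self.price_cents = None

    def receive(self, frame):
        if len(frame) != HEADER.size + TAG_LEN:
            return False                  # unauthenticated (bare) frame
        header, tag = frame[:HEADER.size], frame[HEADER.size:]
        label_id, counter, price = HEADER.unpack(header)
        if label_id != self.label_id:
            return False
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                  # forged or tampered frame
        if counter <= self.last_counter:
            return False                  # replay of an earlier frame
        self.last_counter = counter
        self.price_cents = price
        return True


def run_scenario():
    """Send the same frames to both label models and report what each accepted.
    Keys and values are constructed for the example."""
    label_key = b"per-label key provisioned at install time"   # constructed
    attacker_key = b"attacker has no access to the real key"   # constructed
    weak = UnauthenticatedLabel(0x1234)
    strong = AuthenticatedLabel(0x1234, label_key)

    legit = build_frame(0x1234, counter=1, price_cents=1999, key=label_key)
    forged = build_frame(0x1234, counter=2, price_cents=1, key=attacker_key)
    bare = build_frame(0x1234, counter=3, price_cents=1)      # no tag at all
    return {
        "weak_legit": weak.receive(legit),
        "weak_forged": weak.receive(forged),
        "weak_price": weak.price_cents,           # attacker's price wins
        "strong_legit": strong.receive(legit),
        "strong_forged": strong.receive(forged),
        "strong_bare": strong.receive(bare),
        "strong_replay": strong.receive(legit),   # captured and resent
        "strong_price": strong.price_cents,       # still the legitimate price
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

The counter is what stops the "record and replay" variant of the attack; the MAC alone only stops forged and modified frames. Both are needed, and the key must be per label (or at least per store), otherwise one extracted key lets an attacker address every label.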

Code Snippet

The following code snippet demonstrates the first step of the attack, capturing the OV80e934802 transceiver's 433 MHz traffic with an RTL-SDR. Note that RTL-SDR dongles are receive-only: decoding the captured frames requires knowledge of the label's framing, and transmitting modified frames requires a TX-capable SDR.

from rtlsdr import RtlSdr   # PyPI package "pyrtlsdr"; the module it installs is "rtlsdr"
import numpy as np

# Create SDR instance and configure it. 433.92 MHz is the centre of the 433 MHz ISM band.
sdr = RtlSdr()
sdr.sample_rate = 2.4e6
sdr.center_freq = 433.92e6
sdr.gain = 'auto'

try:
    # Read samples from SDR: a numpy array of complex IQ values.
    samples = sdr.read_samples(256 * 1024)
finally:
    # Close SDR, even if the read fails.
    sdr.close()

# Save the raw capture so it can be analysed (or replayed from a TX-capable radio) later.
np.save('esl_capture_433M92.npy', samples)

# The remaining steps are placeholders: this post does not define them, because the
# frame format used between the ESL transmitter and the ETAG-213 label is not given
# here. They must be written against the label's actual modulation and framing.
#
#   filtered_signal = apply_filter(samples)      # isolate the label burst(s)
#   data = extract_data(filtered_signal)         # decode the label frame
#   modified_data = modify_data(data)            # alter the label value
#   transmit_data(modified_data, tx_sdr)         # needs a TX-capable SDR (e.g. HackRF);
#                                                # RTL-SDR dongles cannot transmit

print("Captured %d IQ samples at 433.92 MHz." % len(samples))
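The capture script stops where the label's burst has to be isolated and turned into bits. As an added example (not from the post; the ETAG-213 label's actual modulation and framing are not documented here, so the on-off-keying assumption, the 20 kbaud symbol rate, the carrier offset and the IQ samples are all constructed for the illustration), the pure-Python detector below shows what the "apply a filter" and "extract data" steps typically look like for a 433 MHz on-off-keyed transmitter: magnitude envelope, moving average, a squelch so a noise-only capture is not decoded into a bogus frame, and a bit slicer that averages over whole bit periods. It generalizes beyond this one device to any OOK burst at a known symbol rate.

```python
import cmath
import math
import random

SAMPLE_RATE = 2.4e6       # same rate as the capture script on this page
BIT_RATE = 20_000         # assumed OOK symbol rate; not from the page
SAMPLES_PER_BIT = int(SAMPLE_RATE // BIT_RATE)   # 120 samples per bit


def make_ook_capture(bits, carrier_offset_hz=50_000.0, noise=0.05, seed=7):
    """Constructed IQ capture (not a real recording): a tone offset from the SDR
    centre frequency during '1' bits, nothing during '0' bits, with silence
    before and after and a little uniform noise on both I and Q."""
    rng = random.Random(seed)
    gap = 3 * SAMPLES_PER_BIT

    def noisy(value):
        return value + complex(rng.uniform(-noise, noise), rng.uniform(-noise, noise))

    samples = [noisy(0j) for _ in range(gap)]
    for bit in bits:
        for _ in range(SAMPLES_PER_BIT):
            n = len(samples)
            tone = cmath.exp(2j * math.pi * carrier_offset_hz * n / SAMPLE_RATE) if bit else 0j
            samples.append(noisy(tone))
    samples.extend(noisy(0j) for _ in range(gap))
    return samples


def envelope(samples, window=16):
    """Non-coherent detector: |IQ| followed by a moving average. The average
    lags the true edge by about window/2 samples, which is why the bit slicer
    below averages over a whole bit instead of sampling one point."""
    mags = [abs(s) for s in samples]
    out, acc = [], 0.0
    for i, m in enumerate(mags):
        acc += m
        if i >= window:
            acc -= mags[i - window]
        out.append(acc / min(i + 1, window))
    return out


def demodulate_ook(samples, n_bits, squelch=0.2):
    """Recover n_bits OOK bits from the first burst in the capture. Returns []
    when nothing rises above the squelch level (noise-only capture), so a
    caller never decodes noise into a 'frame'. Stops early if the capture ends
    before the frame does."""
    env = envelope(samples)
    peak = max(env) if env else 0.0
    if peak < squelch:
        return []
    threshold = peak / 2
    start = next(i for i, v in enumerate(env) if v > threshold)   # rising edge
    bits = []
    for k in range(n_bits):
        lo = start + k * SAMPLES_PER_BIT
        hi = lo + SAMPLES_PER_BIT
        if hi > len(env):
            break                       # capture ended before the frame did
        bits.append(1 if sum(env[lo:hi]) / SAMPLES_PER_BIT > threshold else 0)
    return bits


if __name__ == "__main__":
    frame_bits = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0]   # constructed payload
    capture = make_ook_capture(frame_bits)
    print("decoded:", demodulate_ook(capture, len(frame_bits)))
    print("noise only:", demodulate_ook(make_ook_capture([0] * 8), 8))
```

With a real capture from the script above, the `samples` array would replace `make_ook_capture(...)`, and `n_bits` would come from the label's frame length. The squelch threshold is absolute, so it has to be tuned against the receiver's gain setting; a relative threshold alone would happily "decode" an empty channel.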

For more information on this vulnerability, consult the following resources:

1. The Common Vulnerabilities and Exposures (CVE) database entry: CVE-2022-45914
2. Details about the ETAG-213-V4.3 20190629 board: ETAG-213 Product Sheet
3. OV80e934802 RF Transceiver specifications: OV80e934802 Datasheet

Conclusion

The CVE-2022-45914 vulnerability poses a significant threat to organizations that rely on the Electronic Shelf Label (ESL) protocol, especially retail stores and hospitals. It shows why authentication and data integrity checks belong in the protocol itself: without them, any radio within range can issue label updates that the labels cannot distinguish from legitimate ones. Because those checks have to be added on the label side, retailers, hospitals, and other users of the ESL protocol should contact their product suppliers now and request guidance on mitigations or upgrades that secure their systems against this vulnerability.

Timeline

Published on: 11/27/2022 01:15:00 UTC
Last modified on: 02/17/2023 03:31:00 UTC