Page 1 of 2

Walmart and Kmart 802.11 networks...

PostPosted: Fri Feb 07, 2003 8:49 am
by dmzguy
Being the geek that I am, I do not find it strange at all to type out my shopping list in microsoft Word and take my laptop with me to buy groceries in to stores, it has been a common occurence with me for the past couple years. However, having recently become a "stumbler," I happened to notice several Cisco AP's in my local SuperWalmart 4 to be exact, named AP1, AP2, AP3, and AP4. (used binoculars from outdoor section to read sticker off of APs) After my discovery i started checking out other stores, and regular Walmart and Super Kmart in my area also have AP's, they are not broadcasting the ssid, nor do they have any of the default ssids configured. I was hoping to start a thread for anyone insterested in finding out more about these networks, the AP's in Walmart were cisco and appeared to be 340 or 350 series. Any one with any information on these devices is encouraged to post to this thread, and/or email me @ vr_assassin@yahoo.com.

PostPosted: Fri Feb 07, 2003 9:37 am
by Mr.White
I think they may be for those Telexon guns. You know, those Buck Rogers price guns.

Re: Walmart and Kmart 802.11 networks...

PostPosted: Fri Feb 07, 2003 10:12 am
by peekitty
As if Kmart doesn't have enough problems with the feds taking a percentage from the sale of Martha Stewart products....

PostPosted: Fri Feb 07, 2003 11:03 am
by renderman
(used binoculars from outdoor section to read sticker off of APs)


Now that's Brilliant.

I saw an AP bolted to the wall at my local home depot hooked to a telex or teletronix yagi pointing into the store.

Have'nt gotten kismet working yet to detect it, but NS does'nt see it. Any one else seen this anywhere else?

PostPosted: Fri Feb 07, 2003 11:10 am
by agentgrn
Originally posted by renderman
Have'nt gotten kismet working yet to detect it, but NS does'nt see it. Any one else seen this anywhere else?
Some of this stuff might also be proprietary. When I worked at Staples around a decade ago, we had one of those little price guns too. Expensive litte bugger. It definitely pre-dated any of the 802.11x standards, and it wouldn't surprise me in the least if those systems are still available and undetectable by common means.

PostPosted: Fri Feb 07, 2003 12:54 pm
by peekitty
Originally posted by renderman
I saw an AP bolted to the wall at my local home depot hooked to a telex or teletronix yagi pointing into the store.

Have'nt gotten kismet working yet to detect it, but NS does'nt see it. Any one else seen this anywhere else?
Yep, they all seem to have them, and the activity LED is usually working overtime, so I was puzzled when Kismet didn't detect it. So puzzled in fact, that I made use of one of their rolling ladders and had a closer look. I got close enough to read the MAC address off the unit, but waving the Zaurus around like a maniac still produced nothing. That's when I turned to the wisdom of the NS forums, there were several threads on this subject and the concensus is that the Aironet devices are either not 802.11 or they're on 900MHz. I also saw some speculation that they're somehow part of the PBX system HD uses.

PostPosted: Fri Feb 07, 2003 1:54 pm
by c0nv3r9
Had I mentioned that BJs Wholesale Clubs use wifi? for credit/debit transactions on their gas pumps, I would assume.. although I have not and will not sniff the traffic to find out...

PostPosted: Fri Feb 07, 2003 1:58 pm
by Jaffo
Most of them are going to be using the price guns and, if you've seen them, the Gift-Registry guns. ;) Some of those store the data and it gets downloaded when you return the gun, but I would bet some broadcast it too.

But, the other big use (that no one has mentioned so far) is going to be the remote/mobile Registers. Probably what HomeDepot was using. Ever seen those? They *might* plug in to a DC outlet, but that's it. They are most often seen out in the Gardening section (if it's an Indoor/Outdoor area) or maybe a clearance area, something like that.

There was a hubub about this some time back, where someone stated he could lift the CC numbers and such by sniffing with his laptop from out in the parking lot. Well yeah, if they aren't using x.509 or something to secure the data. That will give any intelligent stumbler pause...next time you stop to check a signal in a Walmart parking lot, keep that in mind if Security (or the Police...) stop by to see what you're doing.

PostPosted: Sat Feb 08, 2003 3:02 pm
by Panick
A lot of stores have 802.11 devices in them for the little scan guns or mobile checkouts (which are more common in stores like Home Depot). Wal-Mart's system is connected to a massive corporate WAN for tracking inventory at it's stores (and tracking shoplifting statistics and stuff like that). I can only assume that other stores have similar setups.

There were older vendor specific (and very expensive) systems in place before 802.11 became big and some stores still use them. Most of them operated in the 900Mhz range although there were some that operated in the 2.4Ghz range. Most retailers have moved to systems compatible with 802.11b for obvious cost reasons (it costs a lot less than the old stuff).

I have only found a few stores that have APs that are broadcasting beacons (I can only assume these are misconfigured or have been tampered with), most have the beacons turned off. Wal-Mart's system has servers in some stores that monitor inventory (although it's curiously absent in others). There is no password on the system to look at the inventory but you need one to do anything else on the system. I have seen a similar system at Walgreens.

I worked at Wal-Mart for a few years and took great interest in their wireless setup, but I doubt that there's anything of any interest there for the average person (Internet access in the stores that have it is usually firewalled off from the wireless portion of the network).

I hope that answers some questions.

walmart ssids....

PostPosted: Sat Feb 08, 2003 9:09 pm
by dmzguy
you said that most of the stores that you knew of were not broadcasting the beacons, do you happen to know the ssids that they were running on this device, it could prove helpful, thanks again!

PostPosted: Sun Feb 09, 2003 10:44 am
by Jaffo
hrmmmm. Helpful for what? Accessing the network without permission?

I am sure the Walmart Legal department keeps a butt-load of lawyers on deep-freeze; "Thaw in case of Litigation!"

Re: walmart ssids....

PostPosted: Mon Feb 10, 2003 3:50 pm
by Panick
Originally posted by dmzguy
you said that most of the stores that you knew of were not broadcasting the beacons, do you happen to know the ssids that they were running on this device, it could prove helpful, thanks again!


It varies heavily from store to store. The most common SSIDs are made up of the store's number (all Walmart's have a 4 digit number associated with them). I think the management was given a lot of leeway for the SSIDs though because some stores had things like "walmart1" or the name of the city the store was in. I even knew of one that had an SSID that was "nemec", it turns out that was the last name of that store's general manager.

Like I said, it makes little difference as Walmart was at least smart enough to firewall the wireless APs off from the rest of the network. I believe some of them were also setup to be MAC limited (only allowing specific MACs to associate). An occasional one does broadcast beacons though. And I'll tell you for a fact that Walmart takes a dim view of people dicking with their networks (though they are a lot more concerned with shoplifters).

PostPosted: Tue Feb 11, 2003 5:16 pm
by Dr3D1zzl3
kmart uses symbol technologies AP's standard 11mb 802.11b

as to why you didnt pick it up on kismet?

that is pretty odd should have appeared as normal.


i think a year ago they finaly rolled out WEP on there ap's before that it was free and clear.

Hell they might have turned off all there AP's as they are a rather large liability.

PostPosted: Tue Feb 11, 2003 10:43 pm
by -=heineken=-
I got this with kismet driving by a walmart warehouse...

N 43.601326 W 79.752068 ( walmart ) BBS ( 00:a0:f8:4e:59:9f ) 19:44:52 (GMT) [ 0 60 51 ] # ( ) 0001 0800

PostPosted: Wed Feb 12, 2003 6:33 am
by fitzStewart
Originally posted by -=heineken=-
I got this with kismet driving by a walmart warehouse...

N 43.601326 W 79.752068 ( walmart ) BBS ( 00:a0:f8:4e:59:9f ) 19:44:52 (GMT) [ 0 60 51 ] # ( ) 0001 0800


Did you catch any of the other dozen or so ap's in there? In a warehouse environment, ap's typically have 40,000 square feet coverage. With the typical Walmart dc being in the 500, 000 to 1,000,000 square feet range, well, you can do the math.