If you are not familiar with the “Bob story” concept: I first heard about it on the Pauldotcom podcast, where Twitchy used to tell stories about how “Bob” went wardriving, created a fake AP and did other grayhat things. They may have taken the idea from somewhere, but this is where I’ve heard it first.

Before Christmas Bob decided to treat himself with a Wii Fit (yes, the only thing which came of it was a machine telling him that he is fat – don’t ask :-p). Looking around several places he finally decided to go with a supermarket, since it was the cheapest choice (by about 30 EUR). He picked it up and rushed trough checkout. After paying he realized that the anti-theft system wasn’t removed, but since it didn’t beep when exiting the store he figured that it should be ok.

So he rushes home and cuts one of the wires (sidenote: with very low-tech equipment it took less than two minutes to do that. Using something professional, yet still discreet enough to fit in a pocket, it would take less than 30 seconds). And behold: it started to beep. The beep was somewhat loud, but not so loud as to be heard outside of an apartment, especially when put in some kind of acoustic insulation. Most probably it would attract attention in a supermarket though. And thus the alarm system met ~~its maker~~ a hammer and was promptly silenced. Just for the fun of it, Bob decided to take it completely apart to see how it worked:

Ideas / lessons / thoughts:

  • The construction is not that robust and would quickly give way if a determined / knowledgeable attacker was picking away at it (physical force is optional)
  • It is powered by four small batteries. In fact, it is very easy to deactivate by using Philips a screwdriver and removing the batteries. In what Bob can only assume to be standard operating procedure, the battery access was oriented towards the box and became accessible only after the unit was removed from the box
  • It would be interesting to try the following experiment, cut the insulation in two places on one of the wires. Link together the two cuts with a good conductor (like a copper wire). Now cut it in the middle. If the system isn’t watching for fluctuations in the resistance, just for contact / no contact it should work (which is probably the case, since the alarm didn’t trigger until Bob fully cut trough the cable, even though he partially cut it before)
  • There are actually two pair of wires crossed rather than one long wire. The “normal” deactivation mechanism is probably a magnet which allows the case to be turned counter-clockwise (this is normally blocked by the combination of metallic plate (upper side of the picture) and the white ring (which was “teeth” oriented in one direction). Crafting a small deactivation device seems also rather easy.

My conclusion is that (similar to infosec) “you don’t have to outrun the bear, only your friend” – meaning that you only have to raise the bar a little to eliminate most of the problems. Then again, one should go into such endeavors with “eyes open” and knowing the limitation of the technology (which very few vendors will tell you). And, as always, it will annoy your customers!