Secure Beacons
Overview & Options
© 2015 Localz Pty. Ltd.
Beacon Security
Bluetooth Low Energy (Smart) Beacons leverage a common wireless standard that can be detected by nearly every modern smartphone. Beacons can be detected from a range of up to 70 meters. Because of this wide, wireless coverage, concerns have been raised about the security of beacons.
Static Beacon IDs
By default, Beacons are open and static. For example, Apple’s iBeacons constantly broadcast a single repeating payload: UUID, Major ID and Minor ID. Once deployed, anyone can detect these Beacon IDs. This gives rise to two specific risks: Beacon Spoofing and Piggybacking.
There are additional but unrelated security concerns related to Beacon provisioning and configuration updates. However, we’ll save those for another paper.
[Figure: beacons repeatedly broadcasting the static IDs 1234…, 1244… and 1245…]
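To make the "open and static" point concrete, here is an added example (not code from the original deck or from Localz) that decodes an iBeacon advertisement exactly as any scanner app on a phone would: the Apple manufacturer-specific structure carries the proximity UUID, Major and Minor in the clear, and those three values are the whole identity an app registers against. The sample advertisement bytes and the UUID are constructed for the example.

```python
import struct
import uuid
from dataclasses import dataclass
from typing import Optional

# Layout of the iBeacon advertisement (Apple's published format).
AD_TYPE_MANUFACTURER_SPECIFIC = 0xFF
APPLE_COMPANY_ID = 0x004C   # little-endian on the wire: 4C 00
IBEACON_TYPE = 0x02
IBEACON_PAYLOAD_LEN = 0x15  # 21 bytes: 16 UUID + 2 major + 2 minor + 1 TX power


@dataclass(frozen=True)
class IBeaconFrame:
    proximity_uuid: uuid.UUID
    major: int
    minor: int
    tx_power: int  # calibrated RSSI at 1 m, signed dBm

    def identity(self):
        """The triple an app registers on; for a static beacon it never changes."""
        return (str(self.proximity_uuid), self.major, self.minor)


def parse_ibeacon(mfg_data: bytes) -> Optional[IBeaconFrame]:
    """Decode manufacturer-specific AD data; return None if it is not an iBeacon frame."""
    if len(mfg_data) < 25:
        return None
    (company_id,) = struct.unpack_from("<H", mfg_data, 0)
    if company_id != APPLE_COMPANY_ID:
        return None
    if mfg_data[2] != IBEACON_TYPE or mfg_data[3] != IBEACON_PAYLOAD_LEN:
        return None
    # UUID, major and minor are big-endian; TX power is a signed byte.
    major, minor, tx_power = struct.unpack_from(">HHb", mfg_data, 20)
    return IBeaconFrame(uuid.UUID(bytes=mfg_data[4:20]), major, minor, tx_power)


def parse_advertisement(adv: bytes) -> Optional[IBeaconFrame]:
    """Walk the BLE advertising data structures (length, type, payload) and decode the iBeacon one."""
    pos = 0
    while pos < len(adv):
        length = adv[pos]
        if length == 0 or pos + 1 + length > len(adv):
            return None  # zero-length padding or a truncated structure
        ad_type = adv[pos + 1]
        payload = adv[pos + 2 : pos + 1 + length]
        if ad_type == AD_TYPE_MANUFACTURER_SPECIFIC:
            frame = parse_ibeacon(payload)
            if frame is not None:
                return frame
        pos += 1 + length
    return None


# Constructed sample: a made-up UUID, major 1, minor 42, TX power -59 dBm (0xC5).
SAMPLE_UUID = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")
SAMPLE_MFG = (
    b"\x4c\x00" + bytes([IBEACON_TYPE, IBEACON_PAYLOAD_LEN])
    + SAMPLE_UUID.bytes + b"\x00\x01" + b"\x00\x2a" + b"\xc5"
)
# Flags structure (02 01 06) followed by the manufacturer-specific structure (1a ff ...).
SAMPLE_ADV = b"\x02\x01\x06" + bytes([1 + len(SAMPLE_MFG), AD_TYPE_MANUFACTURER_SPECIFIC]) + SAMPLE_MFG

if __name__ == "__main__":
    print(parse_advertisement(SAMPLE_ADV))
```

Nothing in the frame is secret or signed, so an app can only ever ask "is this the triple I registered?"; the controls described in the rest of the deck exist because that question alone cannot tell a genuine beacon from any other transmitter sending the same bytes.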
Beacon Spoofing
Beacon Spoofing is the possibility of detecting and cloning beacon IDs: another beacon (or phone) could be created with the same beacon ID. Malicious users can use spoofed beacons to trigger events and messages in a different physical space than intended.
Example risk: A store entrance beacon triggering a welcome message could be copied by an attacker and replayed at the entrance to a train line. Consumers with the store app would receive the welcome message at the train entrance. This could create consumer annoyance and confusion.
[Figure: beacon ID detected and copied at the store entrance; later on, the cloned beacon is placed elsewhere, at the train entrance]
Beacon Piggybacking
Beacon Piggybacking or Hijacking is the possibility of using beacons deployed for one application in another, unauthorised application. Beacon IDs can be detected and their profile included in applications deployed by third parties. Provided a consumer has this third-party app installed, these hijacked beacons can then be used to trigger events, messages and analytics unrelated to the intended deployment.
Example risk: A coffee house, Small’s Coffee, deploys beacons for their mobile app. A competing coffee house, Big Coffee, visits Small’s Coffee to detect and copy beacons. Big Coffee deploys their own mobile app that includes beacon IDs from Small’s Coffee. When consumers with the Big Coffee app installed visit Small’s Coffee, they receive a message for discount coffee at Big Coffee.
[Figure: Small’s Coffee beacon ID detected and included in the competing Big Coffee app; later on, with the app installed on a consumer phone, a visit to Small’s Coffee shows “Get a discount at Big Coffee”]
Risk Mitigation
There are four general controls for mitigating beacon risks:
• Geolocation Validation
• Software Seed
• Cloud Validation
• Hardware Management
Geolocation Validation
After identifying a registered beacon, the mobile device validates the phone’s geolocation (during each session) to ensure it is near the intended physical space.
This type of control prevents spoofing of beacons outside of the retail store. Further, the control is simple and inexpensive to deploy, and permits the use of native iBeacon mode for greater compatibility.
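The following is an added example, not Localz’s SDK or any code from the deck, of the geolocation check described above: a detected beacon identity is looked up in a registry of sites, and the phone’s own location fix must place it within the site’s radius before the registered action is permitted. The coordinates, radius, the 500 m accuracy cut-off and the action names are constructed assumptions; the haversine distance is standard. It also handles the two cases a practitioner hits in the field: no fix at all, and a fix too imprecise to mean anything (both fail closed).

```python
import math
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

BeaconIdentity = Tuple[str, int, int]   # (proximity UUID, major, minor)

EARTH_RADIUS_M = 6_371_000.0
MAX_USABLE_ACCURACY_M = 500.0   # assumed: a looser fix is not trusted for the check


@dataclass(frozen=True)
class RegisteredSite:
    name: str
    latitude: float
    longitude: float
    radius_m: float   # how far from the site the beacon can plausibly be heard
    action: str       # what the app may do once the sighting is validated


@dataclass(frozen=True)
class PhoneFix:
    latitude: float
    longitude: float
    horizontal_accuracy_m: float   # as reported by the platform location API


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def validate_sighting(identity: BeaconIdentity, fix: Optional[PhoneFix],
                      registry: Dict[BeaconIdentity, RegisteredSite]) -> Tuple[Optional[str], str]:
    """Return (permitted action or None, reason).
    A beacon ID alone never triggers an action; the phone must also be near the registered site."""
    site = registry.get(identity)
    if site is None:
        return None, "unregistered beacon id"
    if fix is None:
        return None, "no location fix; fail closed"
    if fix.horizontal_accuracy_m > MAX_USABLE_ACCURACY_M:
        return None, "location fix too imprecise"
    distance = haversine_m(fix.latitude, fix.longitude, site.latitude, site.longitude)
    # Credit the fix with its own uncertainty so an honest user at the edge is not refused.
    if distance - fix.horizontal_accuracy_m > site.radius_m:
        return None, f"phone is {distance:.0f} m from {site.name}; outside {site.radius_m:.0f} m"
    return site.action, f"phone within {site.radius_m:.0f} m of {site.name}"


class Session:
    """Caches each decision for the life of a session, so the location lookup (and its delay)
    happens once per beacon per session rather than on every advertisement."""

    def __init__(self, registry: Dict[BeaconIdentity, RegisteredSite]):
        self._registry = registry
        self._decisions: Dict[BeaconIdentity, Tuple[Optional[str], str]] = {}

    def on_beacon(self, identity: BeaconIdentity, fix: Optional[PhoneFix]) -> Tuple[Optional[str], str]:
        if identity not in self._decisions:
            self._decisions[identity] = validate_sighting(identity, fix, self._registry)
        return self._decisions[identity]


# Constructed registry: one store-entrance beacon at made-up coordinates with a 150 m radius.
STORE_ENTRANCE: BeaconIdentity = ("12345678-1234-5678-1234-56789abcdef0", 1, 42)
REGISTRY = {
    STORE_ENTRANCE: RegisteredSite("Store entrance", -37.8136, 144.9631, 150.0, "show_welcome_message"),
}

if __name__ == "__main__":
    print(validate_sighting(STORE_ENTRANCE, PhoneFix(-37.8140, 144.9635, 20.0), REGISTRY))
    print(validate_sighting(STORE_ENTRANCE, PhoneFix(-37.8500, 144.9631, 20.0), REGISTRY))
```

Note what the check does and does not give you: a copied ID replayed a few kilometres away is refused, but a copy replayed inside the same store, or the same ID used by a competitor’s app on the same premises (piggybacking), passes, which matches the comparison table later in the deck.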
Software Seed
Beacons are provisioned with changing IDs, which prevents direct copying and piggybacking. A seed value is used to determine the ID sequence and change interval. The seed is synched to mobile devices via an SDK. When a beacon is detected, the mobile device checks with the SDK to determine whether it is valid and what action, if any, is permitted.
Although this approach helps to mitigate spoofing and piggybacking, the seed value can be easily extracted and copied by a determined attacker. For this reason, several providers offer cloud-based propositions.
[Figure: seed value, similar in concept to…]
Cloud Validation
Beacons are provisioned with changing IDs, which prevents direct copying and piggybacking. A seed value is used to determine the ID sequence and change interval. The seed is synched to a cloud-based service. When a beacon is detected, the mobile device checks with the cloud service to determine whether it is valid and what action, if any, is permitted.
This approach provides a high degree of mitigation against spoofing and piggybacking. However, testing indicated that reliance on cloud services introduces latency that can significantly detract from the user experience, especially in retail environments with poor mobile reception.
[Figure: seed value]
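The Software Seed and Cloud Validation slides describe the same mechanism with the validator in two different places, so one added example serves both (it is constructed for this page and is not Localz’s or any vendor’s scheme). The seed and a time slot drive an HMAC-SHA256 that yields the (major, minor) pair a beacon broadcasts; whoever holds the seed, the SDK on the phone or a cloud service, rebuilds the table of currently acceptable IDs and maps a sighting back to a beacon. The 10-minute interval, the one-slot tolerance window (the synchronisation caveat raised later in the deck), the fleet and the seed are all assumptions; the last function shows why a copied ID stops working after rotation.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

ROTATION_SECONDS = 600      # assumed change interval: the broadcast ID rolls every 10 minutes
CLOCK_TOLERANCE_SLOTS = 1   # accept the neighbouring slot each side (clock drift, late updates)

BeaconId = Tuple[int, int]  # (major, minor) carried in the iBeacon payload


def time_slot(unix_seconds: int) -> int:
    return unix_seconds // ROTATION_SECONDS


def derive_id(seed: bytes, beacon_index: int, slot: int) -> BeaconId:
    """(major, minor) a given beacon broadcasts during a given slot.
    HMAC-SHA256 keyed with the shared seed over (beacon index, slot); beacon firmware and the
    validator run the same derivation, so the sequence itself is never transmitted."""
    mac = hmac.new(seed, struct.pack(">II", beacon_index, slot), hashlib.sha256).digest()
    major, minor = struct.unpack(">HH", mac[:4])
    return major, minor


class SeedValidator:
    """Maps an observed (major, minor) back to a registered beacon and its permitted action.
    Software Seed: this object lives in the SDK on the phone, and the seed with it.
    Cloud Validation: the same object lives server-side; the app only sends the observed ID."""

    def __init__(self, seed: bytes, beacons: Dict[int, str]):
        self._seed = seed
        self._beacons = beacons   # beacon index -> permitted action

    def _expected(self, now: int) -> Dict[BeaconId, int]:
        """Every ID acceptable right now, across the tolerance window."""
        current = time_slot(now)
        table: Dict[BeaconId, int] = {}
        for offset in range(-CLOCK_TOLERANCE_SLOTS, CLOCK_TOLERANCE_SLOTS + 1):
            for index in self._beacons:
                table[derive_id(self._seed, index, current + offset)] = index
        return table

    def validate(self, observed: BeaconId, now: int) -> Optional[str]:
        """Permitted action for this sighting, or None when the ID is stale, foreign or copied."""
        index = self._expected(now).get(observed)
        return None if index is None else self._beacons[index]


# Constructed fleet and demo seed. A real seed is a random secret generated per deployment.
DEMO_SEED = b"constructed-demo-seed-not-for-production"
DEMO_FLEET = {1: "show_welcome_message", 2: "show_coffee_offer"}
DEMO_NOW = 1_700_000_000


def replay_survives_rotation(seed: bytes, fleet: Dict[int, str], captured_at: int, replayed_at: int) -> bool:
    """Would an ID recorded at captured_at still validate if rebroadcast at replayed_at?
    True means a static copy would still work; False means rotation has invalidated it."""
    validator = SeedValidator(seed, fleet)
    copied = derive_id(seed, 1, time_slot(captured_at))
    return validator.validate(copied, replayed_at) is not None


if __name__ == "__main__":
    print(replay_survives_rotation(DEMO_SEED, DEMO_FLEET, DEMO_NOW, DEMO_NOW + 5 * 60))   # True
    print(replay_survives_rotation(DEMO_SEED, DEMO_FLEET, DEMO_NOW, DEMO_NOW + 60 * 60))  # False
```

The trade-off the two slides describe falls straight out of where `SeedValidator` runs: on the phone it answers instantly and offline but ships the seed inside the app; in the cloud the seed never leaves the server, at the cost of a network round trip per sighting. A wider `CLOCK_TOLERANCE_SLOTS` makes lost synchronisation less likely but lengthens the window in which a copied ID still validates.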
Hardware Management
Beacons are provisioned and managed by hardware controllers. Connected WiFi/Bluetooth devices such as BluVision’s BluFi and Kontakt’s Cloud Beacon are used to remotely manage and update the beacon fleet via cloud services. These devices can be used to change Beacon IDs at will, with corresponding changes sent to mobile apps.
This approach provides a high degree of mitigation against spoofing and piggybacking. However, additional hardware is required. Further, this hardware must be able to connect over Bluetooth to the covered beacons, which may limit effectiveness (e.g., it will not work if beacons are placed in remote parking lots).
Other Controls

Hardware Validation:
• There are additional controls to deter spoofing attacks that rely on beacon hardware manufacturer identifiers
• This type of control is available from several manufacturers but, to our knowledge, has not been widely deployed in production
• Though challenging, it is possible to spoof nearly any aspect of a Bluetooth broadcast protocol, so cloning may still be possible

Hybrid Controls:
• Many beacon vendors provide SDKs that combine one or more security controls
• A common configuration leverages a combination of Cloud Validation and Software Seeds
• Software seeds can be updated periodically via API calls
Additional Considerations

Rotating Beacon IDs:
• Any scheme which relies on rotating beacon IDs runs some level of risk that such changes will not be synchronised with mobile apps
• Synchronisation may be lost due to:
  • Loss of internet connection
  • Failed background updates (register/deregister)
  • A limit on iOS registrations
  • Failed beacon configurations
• Where there is a lack of synchronisation, the app will not deliver the intended experience

iBeacon Alternatives:
• Several secure beacon methods rely on alternative Bluetooth Low Energy protocols
• Several of these approaches force iOS apps to use Bluetooth as an accessory and/or UIBackgroundMode
• If implemented incorrectly, these modes can cause material battery drain
• These approaches can be rejected by Apple for production deployment: stackoverflow.com/questions/15980481/my-app-has-been-rejected-because-of-uibackgroundmodes

Geofence Triggers:
• Piggyback-style risks cannot be fully mitigated. It is possible to trigger background messages and events without the use of beacons
• Geofence (clustered) registrations can be used to initiate messages and events using coarse location technologies
• For example: location push messages could be triggered by third-party apps on approach to a competitor store
Comparison

Geolocation Validation
Benefit:
• Least expensive mitigation
• Simple to configure and operate
• Can be enabled/disabled on demand
• Permits use of native iBeacon mode for greater compatibility
Disadvantage:
• Does not protect against piggybacking attacks
• Geolocation reliance does not provide the same level of precision as other anti-spoofing controls
• Location lookup may cause delay on initial start of session

Software Seed
Benefit:
• Helps mitigate spoofing and piggybacking attacks
• No reliance on internet connections
• No additional hardware required
Disadvantage:
• Difficult to change or back out in case of issue
• Beacon IDs can be easily identified by determined attackers
• More complex deployment
• Some schemes may not work reliably for Apple apps - not a native iOS iBeacon standard

Cloud Validation
Benefit:
• Provides high degree of mitigation against spoofing & piggyback attacks
• No additional hardware required
• Difficult for determined attackers to compromise
Disadvantage:
• Difficult to change or back out in case of issue
• More complex deployment
• Latency can diminish user experience
• Requires reliable internet connections - may not work in all store environments
• Some schemes may not work reliably for Apple apps - not a native iOS iBeacon standard

Hardware Management
Benefit:
• Provides high degree of mitigation against spoofing & piggyback attacks
• Provides a device to remotely monitor & update the beacon fleet
• Changes can be deployed or backed out on demand
• Permits use of native iBeacon mode for greater compatibility
Disadvantage:
• Most expensive deployment option
• Requires additional hardware
• Does not work for beacons out of range (i.e., parking lots)
• Requires periodic internet connection for WiFi/BT devices
tim.andrew@localz.com · pete.williams@localz.com
@localzco

 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 

iBeacon security overview

  • 1. Secure Beacons Overview & Options © 2015 Localz Pty. Ltd.
  • 2. Beacon Security: Bluetooth Low Energy (Smart) Beacons leverage a common wireless standard that can be detected by nearly every modern smartphone. Beacons can be detected from a range of up to 70 meters. Because of this wide, wireless coverage, concerns have been raised about the security of beacons.
  • 3. Static Beacon IDs: By default, beacons are open and static. For example, Apple’s iBeacons constantly broadcast a single repeating payload: UUID, Major ID and Minor ID. Once deployed, anyone can detect these Beacon IDs. This gives rise to two specific risks: Beacon Spoofing and Piggybacking. There are additional but unrelated security concerns related to beacon provisioning and configuration updates. However, we’ll save those for another paper. (Figure: three beacons each repeating the same static ID over time: 1234…, 1244…, 1245…)
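To make the "single repeating payload" concrete, here is a decoder for the iBeacon manufacturer-specific advertisement structure (Apple company ID 0x004C, type 0x02, length 0x15, then the 16-byte proximity UUID, Major, Minor and the calibrated 1 m power). This is example code added for this page, not Localz's or Apple's, and the UUID, Major and Minor in the constructed sample frame are made up. Every phone in range receives exactly these bytes, identical from one advertisement to the next, which is why the IDs are trivially detectable.

```python
import struct
import uuid
from dataclasses import dataclass
from typing import Optional

APPLE_COMPANY_ID = 0x004C   # Bluetooth SIG company identifier assigned to Apple
IBEACON_TYPE = 0x02         # iBeacon sub-type inside the manufacturer-specific field
IBEACON_LEN = 0x15          # 21 bytes: 16 UUID + 2 major + 2 minor + 1 measured power


@dataclass(frozen=True)
class IBeacon:
    proximity_uuid: uuid.UUID
    major: int
    minor: int
    tx_power: int  # calibrated RSSI at 1 m, signed dBm


def parse_ibeacon(adv: bytes) -> Optional[IBeacon]:
    """Walk the AD structures (length, type, data) of a BLE advertisement and
    decode the iBeacon manufacturer-specific field if one is present."""
    i = 0
    while i + 1 < len(adv):
        length = adv[i]
        if length == 0:
            break
        ad_type = adv[i + 1]
        payload = adv[i + 2 : i + 1 + length]
        # 0xFF = Manufacturer Specific Data; iBeacon body is company(2) + type(1) + len(1) + 21
        if ad_type == 0xFF and len(payload) == 2 + 2 + IBEACON_LEN:
            company = struct.unpack_from("<H", payload, 0)[0]   # company ID is little-endian
            if company == APPLE_COMPANY_ID and payload[2] == IBEACON_TYPE and payload[3] == IBEACON_LEN:
                body = payload[4:]
                proximity_uuid = uuid.UUID(bytes=body[:16])
                major, minor, tx_power = struct.unpack(">HHb", body[16:21])  # big-endian fields
                return IBeacon(proximity_uuid, major, minor, tx_power)
        i += 1 + length
    return None


def build_sample_advertisement() -> bytes:
    """Constructed advertisement for the example: a Flags AD structure followed by
    an iBeacon manufacturer-specific structure. All identifier values are made up."""
    body = (uuid.UUID("12345678-1234-5678-1234-56789abcdef0").bytes
            + struct.pack(">HHb", 100, 7, -59))
    mfg = struct.pack("<H", APPLE_COMPANY_ID) + bytes([IBEACON_TYPE, IBEACON_LEN]) + body
    flags = bytes([0x02, 0x01, 0x06])   # LE General Discoverable, BR/EDR not supported
    return flags + bytes([len(mfg) + 1, 0xFF]) + mfg


if __name__ == "__main__":
    frame = build_sample_advertisement()
    print(frame.hex())
    print(parse_ibeacon(frame))
```

Nothing in the structure is encrypted or varies per advertisement, so the tuple (UUID, Major, Minor) that an app uses for matching is exactly what any scanner sees; the later controls in this deck are about making that tuple either location-bound or short-lived.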
  • 4. Beacon Spoofing: Beacon Spoofing is the possibility of detecting and cloning beacon IDs. Another beacon (or phone) could be created with the same beacon ID. Malicious users can use spoofed beacons to trigger events and messages in a different physical space than intended. Example risk: a store entrance beacon triggering a welcome message could be copied by an attacker and replayed at the entrance to a train line. Consumers with the store app would receive the welcome message at the train entrance. This could create consumer annoyance and confusion. (Figure: beacon ID detected and copied at the store entrance; later on, the cloned beacon is placed at the train entrance.)
  • 5. Beacon Piggybacking: Beacon Piggybacking or Hijacking is the possibility of using beacons deployed for one application in another, unauthorised, application. Beacon IDs can be detected and their profile included in applications deployed by third parties. Provided a consumer has this third-party app installed, these hijacked beacons can then be used to trigger events, messages and analytics unrelated to the intended deployment. Example risk: a coffee house, Small’s Coffee, deploys beacons for their mobile app. A competing coffee house, Big Coffee, visits Small’s Coffee to detect and copy beacons. Big Coffee deploys their own mobile app that includes beacon IDs from Small’s Coffee. When consumers with the Big Coffee app installed visit Small’s Coffee, they receive a message for discount coffee at Big Coffee. (Figure: beacon ID detected at Small’s Coffee; beacon ID included in the competing Big Coffee app, installed on a consumer phone; later on, at Small’s Coffee the phone shows “Get a discount at Big Coffee”.)
  • 6. Risk Mitigation: There are four general controls for mitigating beacon risks: Geolocation Validation, Software Seed, Cloud Validation and Hardware Management.
  • 7. Geolocation Validation: After identifying a registered beacon, the mobile device validates the phone’s geolocation (during each session) to ensure it is near the intended physical space. This type of control prevents spoofing of beacons outside the retail store. Further, the control is simple and inexpensive to deploy, and it permits the use of native iBeacon mode for greater compatibility.
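As an added illustration of this control (example code written for this page, not a Localz or vendor SDK), the check below keeps a registry of where each registered beacon was deployed and, on detection, compares the phone’s reported position with that point before a session is allowed to start. The coordinates, the 100 m session radius and the 150 m accuracy cut-off are constructed assumptions; the reported accuracy radius is subtracted from the distance so that a noisy but genuine fix near the edge is not rejected, while a fix too coarse to discriminate is refused outright.

```python
import math
from dataclasses import dataclass
from typing import Dict, Tuple

EARTH_RADIUS_M = 6_371_000.0
MAX_USABLE_ACCURACY_M = 150.0   # assumption: fixes coarser than this cannot place the phone


@dataclass(frozen=True)
class RegisteredBeacon:
    proximity_uuid: str
    major: int
    minor: int
    lat: float
    lon: float
    radius_m: float   # how far from the deployment point a session may legitimately start


@dataclass(frozen=True)
class DeviceFix:
    lat: float
    lon: float
    accuracy_m: float   # horizontal accuracy radius reported by the phone OS


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


# Constructed registry: one store-entrance beacon; the UUID and coordinates are made up.
DEMO_UUID = "12345678-1234-5678-1234-56789abcdef0"
REGISTRY: Dict[Tuple[str, int, int], RegisteredBeacon] = {
    (DEMO_UUID, 100, 7): RegisteredBeacon(DEMO_UUID, 100, 7, -37.8136, 144.9631, radius_m=100.0),
}


def validate_detection(proximity_uuid: str, major: int, minor: int, fix: DeviceFix) -> Tuple[bool, str]:
    """Decide whether a detected beacon may start a session, given where the phone says it is.
    Returns (allowed, reason) so the app can log why a detection was dropped."""
    beacon = REGISTRY.get((proximity_uuid.lower(), major, minor))
    if beacon is None:
        return False, "beacon ID not registered"
    if fix.accuracy_m > MAX_USABLE_ACCURACY_M:
        return False, "location fix too imprecise to validate"
    distance = haversine_m(fix.lat, fix.lon, beacon.lat, beacon.lon)
    if distance - fix.accuracy_m <= beacon.radius_m:
        return True, f"device {distance:.0f} m from deployment point"
    return False, f"device {distance:.0f} m from deployment point; beacon ID seen outside its store"


if __name__ == "__main__":
    at_store = DeviceFix(-37.8137, 144.9632, accuracy_m=20.0)     # constructed: inside the store
    at_station = DeviceFix(-37.8183, 144.9671, accuracy_m=20.0)   # constructed: ~600 m away
    print(validate_detection(DEMO_UUID, 100, 7, at_store))
    print(validate_detection(DEMO_UUID, 100, 7, at_station))
```

Because the comparison is against the registered deployment point rather than the beacon itself, a cloned ID replayed at a train entrance several hundred metres away fails the check even though the radio payload is identical. The same property is its limit: the check says nothing about which app is listening, so it does not address piggybacking, and GPS precision indoors sets a floor on how tight the radius can be.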
  • 8. Software Seed: Beacons are provisioned with changing IDs, which prevent direct copying and piggybacking. A seed value is used to determine the ID sequence and change interval. The seed is synced to mobile devices via an SDK. When a beacon is detected, the mobile device checks with the SDK to determine whether it is valid and what action, if any, is permitted. Although this approach helps mitigate spoofing and piggybacking, the seed value can be easily extracted and copied by a determined attacker. For this reason, several providers offer cloud-based propositions. (Figure: seed value, “similar in concept to…”)
  • 9. Cloud Validation: Beacons are provisioned with changing IDs, which prevent direct copying and piggybacking. A seed value is used to determine the ID sequence and change interval. The seed is synced to a cloud-based service. When a beacon is detected, the mobile device checks with the cloud service to determine whether it is valid and what action, if any, is permitted. This approach provides a high degree of mitigation against spoofing and piggybacking. However, testing indicated that reliance on cloud services introduces latency that can significantly detract from the user experience, especially in retail environments with poor mobile reception. (Figure: seed value)
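Slides 8 and 9 describe one mechanism that differs only in where the seed lives (in the phone-side SDK versus in a cloud service), so one added example serves both. The code below is written for this page and is not any vendor’s scheme; the HMAC-SHA256 construction, the 60-second rotation interval, the choice to rotate only the Minor ID, and the one-slot tolerance on either side of the validator’s clock are all assumptions. The tolerance window is what absorbs small clock drift between beacon and validator, which is the synchronisation concern raised later in the deck; the same derivation would run unchanged on a server, where only the network round trip (the latency noted on slide 9) is added.

```python
import hashlib
import hmac
from typing import Dict, Tuple

ROTATION_INTERVAL_S = 60      # assumption: the beacon changes its Minor ID every minute
TOLERANCE_SLOTS = 1           # assumption: accept the previous and next slot to absorb clock drift


def time_slot(unix_time: float, interval_s: int = ROTATION_INTERVAL_S) -> int:
    """Index of the rotation interval that contains unix_time."""
    return int(unix_time // interval_s)


def rotating_minor(seed: bytes, site_major: int, slot: int) -> int:
    """Minor ID the beacon advertises during a slot: a 16-bit truncation of
    HMAC-SHA256(seed, major || slot). Without the seed the sequence is unpredictable,
    so a copied Minor is only useful until the slot rolls over."""
    msg = site_major.to_bytes(2, "big") + slot.to_bytes(8, "big")
    digest = hmac.new(seed, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "big")


def expected_minors(seed: bytes, site_major: int, now: float,
                    tolerance_slots: int = TOLERANCE_SLOTS) -> Dict[int, int]:
    """Minor IDs the validator accepts at time `now`, mapped to the slot each belongs to."""
    current = time_slot(now)
    return {rotating_minor(seed, site_major, s): s
            for s in range(current - tolerance_slots, current + tolerance_slots + 1)}


def validate_rotating_beacon(seed: bytes, site_major: int, observed_minor: int,
                             now: float, tolerance_slots: int = TOLERANCE_SLOTS) -> Tuple[bool, str]:
    """Validator logic shared by the SDK (seed on the phone, slide 8) and the cloud
    service (seed on the server, slide 9): the observed Minor must match an accepted slot."""
    accepted = expected_minors(seed, site_major, now, tolerance_slots)
    slot = accepted.get(observed_minor)
    if slot is None:
        return False, "minor not in accepted window: stale copy, desynchronised beacon or unknown device"
    return True, f"valid for slot {slot}"


if __name__ == "__main__":
    seed = b"constructed-demo-seed-do-not-reuse"   # constructed; a real seed is random and per site
    major = 100
    t0 = 1_700_000_000.0
    # A beacon whose clock runs 30 s behind the validator still lands in the accepted window.
    advertised = rotating_minor(seed, major, time_slot(t0 - 30))
    print(validate_rotating_beacon(seed, major, advertised, t0))
    # The same Minor observed now but presented ten minutes later is rejected.
    print(validate_rotating_beacon(seed, major, advertised, t0 + 600))
```

Two caveats follow directly from the design. A 16-bit Minor with three accepted slots leaves a 3-in-65536 chance that an arbitrary value is accepted, which is fine for a marketing trigger but not for anything that moves money; widen the field (rotate the Major as well, or use a non-iBeacon frame) if the stakes are higher. And whoever holds the seed can compute the whole sequence, which is exactly slide 8’s objection to keeping it in the app binary and the reason slide 9 moves it to the cloud.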
  • 10. Hardware Management: Beacons are provisioned and managed by hardware controllers. Connected WiFi/Bluetooth devices such as BluVision’s BluFi and Kontakt’s Cloud Beacon are used to remotely manage and update the beacon fleet via cloud services. These devices can be used to change Beacon IDs at will, with corresponding changes sent to mobile apps. This approach provides a high degree of mitigation against spoofing and piggybacking. However, additional hardware is required. Further, this hardware must be able to connect over Bluetooth to the covered beacons, which may limit effectiveness (e.g., it will not work if beacons are placed in remote parking lots).
  • 11. Other Controls
    Hardware Validation:
    • There are additional controls to deter spoofing attacks that rely on beacon hardware manufacturer identifiers
    • This type of control is available from several manufacturers but, to our knowledge, has not been widely deployed in production
    • Though challenging, it is possible to spoof nearly any aspect of a Bluetooth broadcast protocol, so cloning may still be possible
    Hybrid Controls:
    • Many beacon vendors provide SDKs that combine one or more security controls
    • A common configuration leverages a combination of Cloud Validation and Software Seeds
    • Software seeds can be updated periodically via API calls
  • 12. Additional Considerations
    Rotating Beacon IDs:
    • Any scheme which relies on rotating beacon IDs runs some level of risk that such changes will not be synchronised with mobile apps
    • Synchronisation may be lost due to:
      • Loss of internet connection
      • Failed background updates (register/deregister)
      • A limit on iOS registrations
      • Failed beacon configurations
    • Where there is a lack of synchronisation, the app will not deliver the intended experience
    iBeacon Alternatives:
    • Several secure beacon methods rely on alternative Bluetooth Low Energy protocols
    • Several of these approaches force iOS apps to use Bluetooth as an accessory and/or UIBackgroundMode
    • If implemented incorrectly, these modes can cause material battery drain
    • These approaches can be rejected by Apple for production deployment: stackoverflow.com/questions/15980481/my-app-has-been-rejected-because-of-uibackgroundmodes
    Geofence Triggers:
    • Piggyback-style risks cannot be fully mitigated; it is possible to trigger background messages and events without the use of beacons
    • Geofence (clustered) registrations can be used to initiate messages and events using coarse location technologies
    • For example, location push messages could be triggered by third-party apps on approach to a competitor store
  • 13. Comparison
    Geolocation Validation
    • Benefits: least expensive mitigation; simple to configure and operate; can be enabled/disabled on demand; permits use of native iBeacon mode for greater compatibility
    • Disadvantages: does not protect against piggybacking attacks; geolocation reliance does not provide the same level of precision as other anti-spoofing controls; location lookup may cause delay on initial start of session
    Software Seed
    • Benefits: helps mitigate spoofing and piggybacking attacks; no reliance on internet connections; no additional hardware required
    • Disadvantages: difficult to change or back out in case of issue; beacon IDs can be easily identified by determined attackers; more complex deployment; some schemes may not work reliably for Apple apps (not a native iOS iBeacon standard)
    Cloud Validation
    • Benefits: provides a high degree of mitigation against spoofing and piggyback attacks; no additional hardware required; difficult for determined attackers to compromise
    • Disadvantages: difficult to change or back out in case of issue; more complex deployment; latency can diminish user experience; requires reliable internet connections (may not work in all store environments); some schemes may not work reliably for Apple apps (not a native iOS iBeacon standard)
    Hardware Management
    • Benefits: provides a high degree of mitigation against spoofing and piggyback attacks; provides a device to remotely monitor and update the beacon fleet; changes can be deployed or backed out on demand; permits use of native iBeacon mode for greater compatibility
    • Disadvantages: most expensive deployment option; requires additional hardware; does not work for beacons out of range (i.e., parking lots); requires periodic internet connection for WiFi/BT devices
  • 14. Contact: tim.andrew@localz.com, pete.williams@localz.com, @localzco