
iBeacons: Security and Privacy?

Presentation at iBeacon Makers' Workshop held at Andreessen Horowitz on 29 April 2014, describing some security and privacy concerns with the new iBeacon micro-location technology.

  1. iBeacons: Security and Privacy? Jim Fenton, iBeacon Makers’ Workshop, 29 April 2014
  2. Introduction
     • Security
     • What is the threat model?
     • What are the threat countermeasures?
     • [User] Privacy
     • How might iBeacons impact users?
  3. Threat Analysis
     • Who are the bad actors?
     • What are their capabilities?
     • What are the bad acts we want to protect against?
  4. Bad Actors
     • Competitors
     • Competitive analysis, offers
     • Vandals
     • Physically move and/or destroy beacons
     • Script kiddies
     • Opportunists - Gaming the system
     (Image credit: “Security Checks” by Flickr user David Woo, used under CC BY-ND 2.0 license)
  5. Bad Actors’ Capabilities
     • Create beacon clones
     • Place your beacons in unauthorized places
     • Disable beacons
     • Move beacons
     • Monitor interactions with beacons
  6. Bring In The Clones!
     • Place duplicates of existing beacons
     • Pollutes analytics
     • Can be used to annoy users, encourage them to disable app
     • Might be used to “game” special offers
     • Countermeasure: Fusion of beacon location with rough geolocation from other sources
     • No effective crypto countermeasure
  7. Beacon Planting
     • Place beacons in unauthorized places, like competitors’ premises
     • Car salesman gives user an app
     • Salesman gets notified when prospective customer enters competitors’ showroom
     • Salesman calls customer and sweetens offer
     • Countermeasures: WarBeaconing, public shaming, search-and-destroy
  8. Beacon Abuse
     • Destruction or movement of existing beacons
     • Countermeasures
     • Detect unexpected loss of beacon “hits”
     • Geolocation fusion
     • Camouflage
     (Image credit: “beacons” by Flickr user jnxyz.education, used under CC BY-2.0 license)
  9. Privacy Issues
     • Alerts and user visibility
     • Aggregation
  10. User Alerts
     • Concern about over-alerting users
     • But this problem is self-correcting
     • Not alerting users can be a concern -- users may not know they’re being tracked
     (Image credit: “estimote” by Flickr user Sam Churchill, used under CC BY-2.0 license)
  11. Aggregation
     • Beacon services potentially have access to lots of behavioral information
     • Shopping center apps can aggregate behavior within centers (and co-owned centers)
     • Popular apps (Facebook, Google) could roll out beacon services with great potential to aggregate user data
  12. Summary
     • Significant security threats exist
     • Beacons will require active management to mitigate loss, cloning, and movement
     • Deployment scenarios that support wide aggregation of beacon data are problematic for privacy
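
The countermeasures on slides 6 and 8 (fusing beacon location with rough geolocation, and detecting unexpected loss of beacon hits) can be combined into one server-side audit of app-reported sightings. This is an added example, not part of the presentation; the registry layout, the thresholds, the UUID and the sample sightings are constructed assumptions.

```python
import math
from collections import namedtuple

# beacon = (proximity UUID, major, minor); lat/lon = the phone's coarse fix
Sighting = namedtuple("Sighting", "beacon ts lat lon")

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

def audit(registry, sightings, now, max_offset_m=500.0, max_silence_s=6 * 3600):
    """Classify each registered beacon from recent app-reported sightings."""
    last_home, last_away = {}, {}
    for s in sightings:
        home = registry.get(s.beacon)
        if home is None:
            continue  # not a beacon we deployed
        away = haversine_m(*home, s.lat, s.lon) > max_offset_m
        seen = last_away if away else last_home
        seen[s.beacon] = max(seen.get(s.beacon, s.ts), s.ts)
    findings = {}
    never = float("-inf")
    for beacon in registry:
        home_fresh = now - last_home.get(beacon, never) <= max_silence_s
        away_fresh = now - last_away.get(beacon, never) <= max_silence_s
        if home_fresh and away_fresh:
            findings[beacon] = "clone_suspected"   # heard in two places at once
        elif away_fresh:
            findings[beacon] = "moved_suspected"   # only heard far from its site
        elif not home_fresh:
            findings[beacon] = "silent"            # unexpected loss of hits
    return findings

# Constructed sample data (UUID, coordinates and timestamps are made up).
U = "00000000-0000-4000-8000-000000000001"
A, B, C, D = (U, 1, 1), (U, 1, 2), (U, 1, 3), (U, 1, 4)
REGISTRY = {b: (37.4440, -122.1610) for b in (A, B, C, D)}
NOW = 100_000
SIGHTINGS = [
    Sighting(A, 99_000, 37.4445, -122.1612), Sighting(A, 99_500, 37.7749, -122.4194),
    Sighting(B, 99_800, 37.7749, -122.4194),
    Sighting(C, 50_000, 37.4441, -122.1609),
    Sighting(D, 99_900, 37.4439, -122.1611),
]

if __name__ == "__main__":
    for beacon, verdict in audit(REGISTRY, SIGHTINGS, NOW).items():
        print(beacon, verdict)
```

The verdicts are only as trustworthy as the phone-reported coarse location, so they are leads for a site check rather than proof of cloning or tampering.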
