Beacons for Spying?

There’s lots of information on Bluetooth beacon security, Bluetooth attacks and using beacons to track individual user data but these are known, small risks we might expect. What about unknown things such as espionage?

Recently, a prospective customer posed a critical question: How can we ensure that purchased beacons are not engaging in activities beyond their intended purpose, such as eavesdropping or transmitting sensitive information? This question becomes even more pertinent when considering beacons manufactured overseas that might be deployed in sensitive locations.

Typically, a single System on Chip (SoC) on the beacon’s simple Printed Circuit Board (PCB) is responsible for all operations. If an examination of the PCB shows no additional, unexpected chips, the beacon’s ability to perform unexpected tasks is limited to what that SoC can do. If the hardware has not been tampered with, the only remaining factor is the standard SoC, usually from Nordic Semiconductor, used in the beacon. This means that any potential spying would have to live in the SoC’s firmware rather than in hardware modifications.

Let’s assume beacons can only use the capabilities that the standard SoC provides. These usually include Bluetooth, ANT, 802.15.4 and other proprietary and non-proprietary 2.4GHz protocols. Crucially, beacons are designed primarily to send rather than receive. They transmit at a fixed advertising interval, typically every 200ms to 1000ms, to keep battery consumption low. For a beacon to listen or scan for information it would have to keep its receiver powered, which draws far more current than a brief transmit burst and drastically reduces battery life. Similarly, relaying any gathered information, perhaps via covert channels, would also deplete the battery swiftly. Therefore, a large deviation from the expected battery life is a tell-tale sign of unauthorised activity, and a BLE sniffer placed near a suspect beacon can confirm that it transmits nothing beyond its expected advertisements.
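The battery argument above can be made quantitative. The following is an added example, not code from the original page: an order-of-magnitude battery budget for a coin-cell beacon that only advertises, compared with the same hardware spending part of its time receiving or relaying. Every current figure (sleep current, charge per advertising event, receive current, cell capacity) is an assumed typical value, not a measurement of any product; substitute the numbers from your SoC and cell datasheets.

```python
"""Added example, not from the original page: why a beacon that listens or relays
data cannot hide that activity in its battery life. All current figures are
ASSUMED typical values for a coin-cell BLE SoC beacon, not measurements."""

SLEEP_UA = 2.0          # assumed deep-sleep current between advertisements, microamps
ADV_EVENT_UC = 25.0     # assumed charge per advertising event (three channels), microcoulombs
RX_MA = 6.0             # assumed radio receive current while scanning, milliamps
CR2032_MAH = 220.0      # nominal CR2032 capacity commonly quoted by cell makers


def avg_current_ua(interval_ms: float, scan_duty: float = 0.0, relay_factor: float = 1.0) -> float:
    """Average current = sleep floor + advertising charge spread over the interval
    + receiver time. relay_factor > 1 models extra transmissions used to relay data."""
    adv_ua = relay_factor * ADV_EVENT_UC / (interval_ms / 1000.0)  # microcoulombs per second == microamps
    rx_ua = RX_MA * 1000.0 * scan_duty                             # fraction of time the receiver is on
    return SLEEP_UA + adv_ua + rx_ua


def battery_life_days(interval_ms: float, scan_duty: float = 0.0,
                      relay_factor: float = 1.0, capacity_mah: float = CR2032_MAH) -> float:
    """Expected life of the cell for a given duty cycle, in days."""
    hours = capacity_mah * 1000.0 / avg_current_ua(interval_ms, scan_duty, relay_factor)
    return hours / 24.0


def looks_suspicious(measured_days: float, interval_ms: float, tolerance: float = 0.5) -> bool:
    """Flag a beacon whose observed life falls well below the transmit-only expectation.
    tolerance=0.5 accepts up to a 50% shortfall for temperature, cell ageing and RF noise."""
    return measured_days < tolerance * battery_life_days(interval_ms)


if __name__ == "__main__":
    scenarios = [
        ("transmit only, 1000 ms", dict(interval_ms=1000)),
        ("transmit only, 200 ms", dict(interval_ms=200)),
        ("1000 ms + scanning 10% of the time", dict(interval_ms=1000, scan_duty=0.1)),
        ("1000 ms + relaying 4x extra traffic", dict(interval_ms=1000, relay_factor=4)),
    ]
    for label, kw in scenarios:
        print(f"{label:38s} {battery_life_days(**kw):7.1f} days")
```

With these assumed figures a transmit-only beacon at 1000 ms lasts roughly a year, while the same beacon keeping its receiver on just 10% of the time drops to about two weeks; that is the size of deviation the text says would be noticed.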

Given that beacons only send data, they cannot capture sound or video without additional, noticeable components. Even if a beacon were listening using the protocols it is designed for, the information it could gather would be limited to nearby radio traffic and would lack context, such as what it has seen or the specific location.

While the theoretical possibility of beacons being used for spying exists, it is readily detectable because the hardware is simple and easily examined, the SoC’s capabilities are limited and any additional activity has significant power requirements. By understanding the simplicity, limitations and functions of these devices, businesses can better safeguard against potential espionage.

Read about our consultancy for more advice

Using Covert Channels with iBeacon

A new study Implementation and Analysis of Covert Channel Using iBeacon (PDF) explores the creation and analysis of covert communication channels using iBeacon, which is based on Bluetooth Low Energy (BLE). Covert channels are methods used to transmit information secretly, bypassing normal security measures.

The authors introduce two types of covert channel: one that uses the payload of the iBeacon broadcast messages and another that uses the broadcast intervals. The payload-based covert channel repurposes the UUID, Major, Minor and TX power fields of the iBeacon packets (21 bytes per advertisement) to carry covert messages. The reported maximum throughput is 911,600 Bytes per second (Bps) with a Packet Delivery Rate (PDR) consistently above 75%. Note that a figure this large exceeds what BLE advertising can physically carry (the 1 Mbit/s BLE PHY is 125,000 bytes per second before any protocol overhead), so check the units in the paper before relying on the number; even at realistic rates the method can move substantial data covertly.

The interval-based covert channel, on the other hand, encodes messages in the time intervals between consecutive iBeacon broadcasts. Although this method provides higher concealment compared to payload-based channels, it has a lower channel capacity and can cause transmission delays.

The experimental setup involved using Raspberry Pi devices to simulate the transmission and reception of iBeacon packets, where various advertising intervals were tested. The findings highlighted that shorter advertising intervals resulted in higher throughput, with the best performance observed in the 100–200 ms range.
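To make the two channels and the throughput trade-off concrete, here is an added example, not the paper’s own code: a payload-based channel that packs message bytes into the 21 identifier bytes of a well-formed iBeacon advertisement, an interval-based channel that encodes one bit per gap between broadcasts, and the throughput arithmetic for each. No radio is involved; frames and timestamps are constructed in memory, and the 100 ms / 200 ms interval symbols are an assumption chosen from the paper’s best-performing range.

```python
"""Added example, not the paper's code: payload-based and interval-based iBeacon
covert channels with their throughput arithmetic. Frames and timestamps are
constructed in memory; the interval symbols ZERO_MS/ONE_MS are assumptions."""
import struct

APPLE_COMPANY_ID = 0x004C               # Bluetooth SIG company identifier used by iBeacon
IBEACON_TYPE, IBEACON_LEN = 0x02, 0x15  # iBeacon subtype and fixed field length (21)
FRAME_BYTES = 21                        # UUID(16) + Major(2) + Minor(2) + TX power(1)
ZERO_MS, ONE_MS = 100.0, 200.0          # assumed interval symbols for bit 0 / bit 1


def ibeacon_ad(uuid16: bytes, major: int, minor: int, tx_power: int) -> bytes:
    """Manufacturer-specific AD structure: length, 0xFF, company id (LE), 0x02, 0x15, fields."""
    body = (struct.pack("<H", APPLE_COMPANY_ID) + bytes([IBEACON_TYPE, IBEACON_LEN])
            + uuid16 + struct.pack(">HHb", major, minor, tx_power))
    return bytes([len(body) + 1, 0xFF]) + body


def parse_ibeacon_ad(ad: bytes):
    """Return (uuid16, major, minor, tx_power) or None if this is not an iBeacon frame."""
    if len(ad) != 27 or ad[0] != 26 or ad[1] != 0xFF:
        return None
    body = ad[2:]
    if (struct.unpack("<H", body[:2])[0] != APPLE_COMPANY_ID
            or body[2:4] != bytes([IBEACON_TYPE, IBEACON_LEN])):
        return None
    return (body[4:20],) + struct.unpack(">HHb", body[20:25])


def encode_payload_channel(message: bytes) -> list:
    """Length-prefix the message, zero-pad to whole frames and spread it over the identifier fields."""
    data = struct.pack(">H", len(message)) + message
    data += b"\x00" * (-len(data) % FRAME_BYTES)
    frames = []
    for i in range(0, len(data), FRAME_BYTES):
        chunk = data[i:i + FRAME_BYTES]
        major, minor, tx = struct.unpack(">HHb", chunk[16:21])  # TX power field is a signed byte
        frames.append(ibeacon_ad(chunk[:16], major, minor, tx))
    return frames


def decode_payload_channel(frames: list) -> bytes:
    """Receiver side: concatenate the identifier fields of each frame and strip the length prefix."""
    data = b""
    for ad in frames:
        parsed = parse_ibeacon_ad(ad)
        if parsed is None:
            continue  # ignore non-iBeacon advertisements seen while scanning
        uuid16, major, minor, tx = parsed
        data += uuid16 + struct.pack(">HHb", major, minor, tx)
    if len(data) < 2:
        return b""
    n = struct.unpack(">H", data[:2])[0]
    return data[2:2 + n]


def encode_interval_channel(bits: str, t0: float = 0.0) -> list:
    """Return broadcast timestamps (ms); the gap after each broadcast carries one bit."""
    times = [t0]
    for b in bits:
        times.append(times[-1] + (ONE_MS if b == "1" else ZERO_MS))
    return times


def decode_interval_channel(times: list) -> str:
    """Classify each observed gap by the nearer symbol, tolerating scheduler jitter."""
    mid = (ZERO_MS + ONE_MS) / 2
    return "".join("1" if (b - a) > mid else "0" for a, b in zip(times, times[1:]))


def payload_throughput_bps(interval_ms: float, pdr: float) -> float:
    """Covert bytes per second for the payload channel at a given advertising interval and PDR."""
    return FRAME_BYTES * (1000.0 / interval_ms) * pdr


def interval_throughput_bps(pdr: float = 1.0) -> float:
    """Covert bytes per second for the interval channel with equiprobable symbols: one bit per gap."""
    bits_per_s = 1000.0 / ((ZERO_MS + ONE_MS) / 2)
    return bits_per_s * pdr / 8.0


if __name__ == "__main__":
    secret = b"room 4 occupied 09:00-11:00"  # constructed message
    frames = encode_payload_channel(secret)
    print(len(frames), "frames, decoded:", decode_payload_channel(frames))
    print("interval bits:", decode_interval_channel(encode_interval_channel("1011")))
    print("payload @100 ms, PDR 0.75:", payload_throughput_bps(100, 0.75), "B/s")
    print("interval channel:", round(interval_throughput_bps(), 2), "B/s")
```

At a 100 ms interval and 75% PDR the payload channel moves about 158 bytes per second, some two hundred times the interval channel’s under one byte per second, which is the capacity-versus-concealment trade-off the paper describes. A defender scanning for this can look for iBeacon frames whose UUID/Major/Minor change on every advertisement, since a legitimate beacon repeats the same identifiers.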

The study concludes by emphasising the potential for significant data transmission through BLE beacons and suggests future research to explore countermeasures against such covert channels.

A Summary of Bluetooth Attacks

A recent study with the strange title SoK: The Long Journey of Exploiting and Defending the Legacy of King Harald Bluetooth (pdf) provides a comprehensive analysis of the security and privacy issues surrounding Bluetooth technology. Authored by Jianliang Wu, Ruoyu Wu, Dongyan Xu, Dave (Jing) Tian, and Antonio Bianchi from Purdue University and Simon Fraser University, it explores the evolution of Bluetooth security over 24 years, focusing on both attacks and defences.

The paper begins by summarising the evolution of Bluetooth security features since its first version, discussing the introduction of Bluetooth Low Energy (BLE) and Mesh protocols. It then presents a systematisation of 76 attacks and 33 defences, categorising them based on their affected layers in the Bluetooth stack, the protocols they target, and their threat models.

Key observations include the increasing number of privacy attacks during the BLE device discovery phase, challenges in pairing security due to user mistakes and a mismatch between the assumptions of Bluetooth specifications and their real-world implementations on modern operating systems. The authors also highlight that while Bluetooth’s security has improved over time, there remain significant gaps in both security and privacy features that need addressing.

The document further explores attacks and defences in detail, divided into different layers of the Bluetooth stack: the physical layer, firmware layer, and host layer. Each layer faces unique challenges, from signal eavesdropping and injection at the physical layer to firmware exploitation and host exploitation attacks. The authors categorise these attacks based on their goals, affected protocol, phase, and attack model, providing a comprehensive overview of the current state of Bluetooth security.

Hybrid-AI-Based iBeacon Indoor Positioning Cybersecurity

New research “Hybrid-AI-Based iBeacon Indoor Positioning Cybersecurity: Attacks and Defenses” by Wei-Tzu Hung, focuses on the cybersecurity aspects of iBeacon systems, particularly in the context of indoor positioning and navigation. iBeacon is increasingly used in very large and important public spaces for indoor navigation, using the Bluetooth Low Energy (BLE) in mobile phones. However, the security of these systems is sometimes a concern, especially against cyberattacks.

The study uses the iBeacon system at Taipei Main Station, a major transportation hub, as a case study. This station experiences a high daily traffic flow, making it a critical area for such technology. The research explores potential attacks on the iBeacon system and investigates defence technologies, incorporating AI techniques and human participation.

The study looks into various aspects of iBeacon technology, including its mechanisms, related work in the field and specific challenges in information security. It also discusses the design of the iBeacon system at Taipei Main Station, potential attacks by hackers and methods to defend against these attacks.

The paper concludes with insights into future studies in this area. Key findings include the necessity of incorporating information security technology and rolling coding encryption (rotating the identifiers a beacon broadcasts so that a captured identifier cannot simply be cloned or replayed) in the early stages of iBeacon system planning. These methods are currently the best defence strategies. The research suggests that rolling coding is the most cost-effective defence, but for critical infrastructure a more secure method, such as predictable and encrypted rolling coding, can be used.
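As an added example of what rolling coding means in practice (this is not the paper’s design and not code from the original page), the following derives a beacon’s Major/Minor for each time epoch from a per-beacon secret with HMAC-SHA256, and shows the backend lookup that accepts only identifiers valid in the current epoch or its neighbours. The 5-minute epoch, the registry layout and the keys are assumptions for illustration.

```python
"""Added example, not from the paper: a rolling-identifier scheme for iBeacon.
Each epoch the beacon's Major/Minor are an HMAC of a per-beacon secret and the
epoch counter, so a captured identifier stops working at the next rotation and
a cloned beacon without the key is never accepted. Epoch length and keys are
assumptions."""
import hashlib
import hmac
import struct

EPOCH_SECONDS = 300  # assumed rotation period; shorter shrinks the replay window, adds backend work


def epoch_for(unix_time: float) -> int:
    return int(unix_time) // EPOCH_SECONDS


def rolling_ids(key: bytes, beacon_id: str, epoch: int) -> tuple:
    """Major/Minor (16 bits each) for one beacon and epoch. Beacon and backend compute the
    same values; the deployment UUID stays fixed so phones keep ranging on it."""
    tag = hmac.new(key, beacon_id.encode() + struct.pack(">Q", epoch), hashlib.sha256).digest()
    return struct.unpack(">HH", tag[:4])


class RollingVerifier:
    """Backend lookup. registry maps beacon_id -> secret key. window=1 also accepts the
    previous and next epoch, tolerating clock drift between beacon and server."""

    def __init__(self, registry: dict, window: int = 1):
        self.registry = registry
        self.window = window

    def _table(self, now: float) -> dict:
        # Map every currently valid (major, minor) to its beacon. In production this table
        # would be cached per epoch rather than rebuilt on every lookup.
        e = epoch_for(now)
        table = {}
        for beacon_id, key in self.registry.items():
            for epoch in range(e - self.window, e + self.window + 1):
                table[rolling_ids(key, beacon_id, epoch)] = (beacon_id, epoch)
        return table

    def identify(self, major: int, minor: int, now: float):
        """Return (beacon_id, epoch) for a valid rolling identifier, or None for stale or cloned ones."""
        return self._table(now).get((major, minor))


if __name__ == "__main__":
    registry = {"gate-3": b"assumed-secret-for-gate-3", "gate-4": b"assumed-secret-for-gate-4"}
    verifier = RollingVerifier(registry)
    now = 1_700_000_000
    major, minor = rolling_ids(registry["gate-3"], "gate-3", epoch_for(now))
    print("live:", verifier.identify(major, minor, now))
    print("replayed an hour later:", verifier.identify(major, minor, now + 3600))
```

An attacker who captures an identifier can still replay it within the live epoch, so the epoch should be short and the backend should deduplicate sightings; what rolling coding removes is the long-lived cloneable identifier that makes free-riding and spoofing attacks cheap.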

Can Bluetooth Beacons Track Individual User Data?

Bluetooth beacons themselves are generally not designed to track individual user data. They are small devices that transmit a Bluetooth signal at regular intervals, which can be picked up by smartphones or other Bluetooth-enabled devices within a certain range. The primary function of a beacon is to broadcast its presence and certain identifying information such as a unique ID.

However, the apps on your smartphone that interact with these beacons could potentially collect and store data about your location or behaviour. For example, a retail store might use beacons to send promotional messages to your phone when you’re near a particular product. The app on your phone that interacts with the beacon could collect data on which promotions you’ve seen, how long you spent in a particular area of the store and other information.

While the beacon itself is not tracking you, the software that interacts with it could be. It’s essential to be aware of the permissions you’re granting to apps on your phone, particularly those that request access to your location services.

Which Beacons to Buy?

There’s an old, yet pertinent, post at Hotel Online by Dr. Michael Arner, Chief Technology Officer of RoamingAround, on How Do You Choose Which Beacons to Have Faith In? The article questions the merits of being tied in to a particular supplier’s hardware or software features.

The article gives the opinions:

“If you’re a beacon merchant, I suppose it’s great to have clients that are willing to shackle themselves to your super-special hardware, but if you’re the consumer, it’s usually best to avoid doing so when you can.”

“In reality, iOS and Android devices can both speak to both protocols and there are very few reasons why you shouldn’t be choosing a solution that’s beacon agnostic.”

Regarding security:

“There exist beacons which maintain proprietary end-to-end encryption, and these should be purchased, in the very rare case they’re needed”

On Customer service:

“Multiply-source your vendors and then you’ll discover that the decisive factor ends up being not the device stats but the customer service”

There’s also the issue of longevity. Since the article was written, many beacon SaaS platforms with tied hardware have gone out of business.

Summarising the advice in the article, look beyond what’s being offered or promoted by vendors. They will always be promoting their unique selling points but those might not actually be the decisive factors for your project.

Read about the advantages of generic beacons

Using Beacons for Intelligent In-Room Presence Detection

Most Beacon usecases involve putting beacons on things or in places and triggering notifications on users’ phones. There’s a paper by Yang Yang, Zhouchi Li and Kaveh Pahlavan of Worcester Polytechnic Institute (WPI), Worcester, MA that instead proposes Using iBeacon for Intelligent In-Room Presence Detection.

Their system records who is in a room for applications such as graduate seminar check-in, security and in-and-out counting. It recognises in-room presence by analysing path loss and door motion readings to decide whether a person is inside the room. Their custom app receives the beacon data and sends it to a server for analysis. They experimented with two iBeacons, one attached to the outside of the door and another mirroring it on the inside, and also with a single-iBeacon implementation that still performed well.
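The following is an added example, not the WPI authors’ code: a simplified version of the two-beacon decision. RSSI from the inside and outside door beacons is converted to distance with the log-distance path-loss model, and whichever beacon is nearer before and after a door-motion event decides whether someone entered or left. The calibration constant, path-loss exponent and RSSI readings are constructed for illustration.

```python
"""Added example, not the WPI authors' code: simplified two-beacon in-room presence
decision using the log-distance path-loss model and a door-motion event.
Calibration constants and RSSI samples are constructed."""

TX_POWER_DBM = -59   # assumed calibrated RSSI at 1 m (the iBeacon "measured power" field)
PATH_LOSS_EXP = 2.5  # assumed indoor path-loss exponent (free space is 2)


def distance_m(rssi_dbm: float) -> float:
    """Invert RSSI = TxPower - 10 * n * log10(d)."""
    return 10 ** ((TX_POWER_DBM - rssi_dbm) / (10 * PATH_LOSS_EXP))


def nearer_beacon(window: list) -> str:
    """window: list of (rssi_inside, rssi_outside). Averages distance over the window so a
    single fade, e.g. the phone briefly shadowed by the body, does not dominate."""
    d_in = sum(distance_m(i) for i, _ in window) / len(window)
    d_out = sum(distance_m(o) for _, o in window) / len(window)
    return "inside" if d_in < d_out else "outside"


def transition(samples: list, door_event_t: float, before_s: float = 5,
               after_s: float = 5, min_samples: int = 3) -> str:
    """samples: list of (t, rssi_inside, rssi_outside). Compare which beacon was nearer in the
    windows before and after the door moved."""
    before = [(i, o) for t, i, o in samples if door_event_t - before_s <= t < door_event_t]
    after = [(i, o) for t, i, o in samples if door_event_t < t <= door_event_t + after_s]
    if len(before) < min_samples or len(after) < min_samples:
        return "unknown"   # too few readings around the event to decide
    b, a = nearer_beacon(before), nearer_beacon(after)
    if b == "outside" and a == "inside":
        return "entered"
    if b == "inside" and a == "outside":
        return "exited"
    return "no change"     # door opened but the person stayed on the same side


# Constructed readings, one per second, walking in through the door at t=5.
# t=2 has a deep fade on the outside beacon (phone shadowed by the body).
ENTER_SAMPLES = [
    (0, -82, -63), (1, -81, -62), (2, -83, -78), (3, -80, -61), (4, -81, -63),
    (6, -62, -81), (7, -61, -83), (8, -60, -82), (9, -62, -84),
]

if __name__ == "__main__":
    print("t=5 door event:", transition(ENTER_SAMPLES, 5))
```

Comparing the two beacons against each other, rather than against an absolute RSSI threshold, is what makes the scheme tolerate the several-dB swings caused by how the phone is held; the single-beacon variant has to rely on the before/after change in path loss alone.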

[Figure: presence detection setup]

The paper also has a useful chart showing the variation of RSSI with how a phone is held:

[Figure: RSSI vs. phone position]

Research into Bluetooth Beacon Security

There’s recent useful research into Bluetooth beacon security from The University of Hong Kong. The paper on Security and Privacy of Wireless Beacon Systems explains how widespread deployment of Bluetooth beacons can cause them to be an attractive target for adversaries.

The paper covers security issues and privacy concerns and classifies the possible types of attack.

The three main reasons for attacks are for free riding services, user profiling or service disruption.

Understanding adversary motives, capabilities and the potential impact allows for defence mechanisms and planning for remedial actions.

Beacon Jewellery as a Personal Security device

IT World Canada recently reported Telus launches personal security beacons disguised as jewellery.

A problem with beacons is that they tend to look ugly when worn. Telus have solved this problem and have developed an app and service so they can be used as a SOS lifeline.

The Telus SmartWear looks like jewellery or a keychain. It connects to a smartphone using Bluetooth. When the back of the charm is double-clicked it sends an alert. Telus will ring you back to confirm you need help and, if necessary, send emergency services.