Using Covert Channels with iBeacon

A new study Implementation and Analysis of Covert Channel Using iBeacon (PDF) explores the creation and analysis of covert communication channels using iBeacon, which is based on Bluetooth Low Energy (BLE). Covert channels are methods used to transmit information secretly, bypassing normal security measures.

The authors introduce two types of covert channels: one that uses the payload of the iBeacon broadcast messages and another that employs the broadcasting intervals. The payload-based covert channel modifies the UUID, Major, Minor, and TX power fields of the iBeacon packets to transmit covert messages. This method achieved a maximum throughput of 911,600 Bytes per second (Bps) with a Packet Delivery Rate (PDR) consistently above 75%, indicating its efficiency in transmitting substantial data covertly.

The interval-based covert channel, on the other hand, encodes messages in the time intervals between consecutive iBeacon broadcasts. Although this method provides higher concealment compared to payload-based channels, it has a lower channel capacity and can cause transmission delays.

The experimental setup involved using Raspberry Pi devices to simulate the transmission and reception of iBeacon packets, where various advertising intervals were tested. The findings highlighted that shorter advertising intervals resulted in higher throughput, with the best performance observed in the 100–200 ms range.

The study concludes by emphasising the potential for significant data transmission through BLE beacons and suggests future research to explore countermeasures against such covert channels.

A Summary of Bluetooth Attacks

A recent study with the strange title SoK: The Long Journey of Exploiting and Defending the Legacy of King Harald Bluetooth (pdf) provides a comprehensive analysis of the security and privacy issues surrounding Bluetooth technology. Authored by Jianliang Wu, Ruoyu Wu, Dongyan Xu, Dave (Jing) Tian, and Antonio Bianchi from Purdue University and Simon Fraser University, it explores the evolution of Bluetooth security over 24 years, focusing on both attacks and defences.

The paper begins by summarising the evolution of Bluetooth security features since its first version, discussing the introduction of Bluetooth Low Energy (BLE) and Mesh protocols. It then looks into a systematisation of 76 attacks and 33 defences, categorising them based on their affected layers in the Bluetooth stack, the protocols they target, and their threat models.

Key observations include the increasing number of privacy attacks during the BLE device discovery phase, challenges in pairing security due to user mistakes and a mismatch between the assumptions of Bluetooth specifications and their real-world implementations on modern operating systems. The authors also highlight that while Bluetooth’s security has improved over time, there remain significant gaps in both security and privacy features that need addressing.

The document further explores attacks and defences in detail, divided into different layers of the Bluetooth stack: the physical layer, firmware layer, and host layer. Each layer faces unique challenges, from signal eavesdropping and injection at the physical layer to firmware exploitation and host exploitation attacks. The authors categorise these attacks based on their goals, affected protocol, phase, and attack model, providing a comprehensive overview of the current state of Bluetooth security.

Hybrid-AI-Based iBeacon Indoor Positioning Cybersecurity

New research “Hybrid-AI-Based iBeacon Indoor Positioning Cybersecurity: Attacks and Defenses” by Wei-Tzu Hung, focuses on the cybersecurity aspects of iBeacon systems, particularly in the context of indoor positioning and navigation. iBeacon is increasingly used in very large and important public spaces for indoor navigation, using the Bluetooth Low Energy (BLE) in mobile phones. However, the security of these systems is sometimes a concern, especially against cyberattacks.

The study uses the iBeacon system at Taipei Main Station, a major transportation hub, as a case study. This station experiences a high daily traffic flow, making it a critical area for such technology. The research explores potential attacks on the iBeacon system and investigates defence technologies, incorporating AI techniques and human participation.

The study looks into various aspects of iBeacon technology, including its mechanisms, related work in the field and specific challenges in information security. It also discusses the design of the iBeacon system at Taipei Main Station, potential attacks by hackers and methods to defend against these attacks.

The paper concludes with insights into future studies in this area. Key findings include the necessity of incorporating information security technology and rolling coding encryption in the early stages of iBeacon system planning. These methods are currently the best defence strategies. The research suggests that rolling coding is the most cost-effective defence, but for critical infrastructure, a more secure method, such as predictable and encrypted rolling coding, can be used.

Can Bluetooth Beacons Track Individual User Data?

Bluetooth beacons themselves are generally not designed to track individual user data. They are small devices that transmit a Bluetooth signal at regular intervals, which can be picked up by smartphones or other Bluetooth-enabled devices within a certain range. The primary function of a beacon is to broadcast its presence and certain identifying information such as a unique ID.

However, the apps on your smartphone that interact with these beacons could potentially collect and store data about your location or behaviour. For example, a retail store might use beacons to send promotional messages to your phone when you’re near a particular product. The app on your phone that interacts with the beacon could collect data on which promotions you’ve seen, how long you spent in a particular area of the store and other information.

While the beacon itself is not tracking you, the software that interacts with it could be. It’s essential to be aware of the permissions you’re granting to apps on your phone, particularly those that request access to your location services.

Which Beacons to Buy?

There’s an old, yet pertinent, post at Hotel Online, by Dr. Michael Arner is the Chief Technology Officer of RoamingAround, on How Do You Choose Which Beacons to Have Faith In? The article questions the merits of being tied in to a particular supplier’s hardware or software features.

The article gives the opinions:

“If you’re a beacon merchant, I suppose it’s great to have clients that are willing to shackle themselves to your super-special hardware, but if you’re the consumer, it’s usually best to avoid doing so when you can.”

“In reality, iOS and Android devices can both speak to both protocols and there are very few reasons why you shouldn’t be choosing a solution that’s beacon agnostic.”

Regarding security:

“There exist beacons which maintain proprietary end-to-end encryption, and these should be purchased, in the very rare case they’re needed”

On Customer service:

“Multiply-source your vendors and then you’ll discover that the decisive factor ends up being not the device stats but the customer service”

There’s also the issue of longevity. Since the article was written, many beacon SAAS platforms with tied hardware have ceased to be in business.

Summarising the advice in the article, look beyond what’s being offered or promoted by vendors. They will always be promoting their unique selling points but those might not actually be the decisive factors for your project.

Read about the advantages of generic beacons

Using Beacons for Intelligent In-Room Presence Detection

Most Beacon usecases involve putting beacons on things or in places and triggering notifications on users’ phones. There’s a paper by Yang Yang, Zhouchi Li and Kaveh Pahlavan of Worcester Polytechnic Institute (WPI), Worcester, MA that instead proposes Using iBeacon for Intelligent In-Room Presence Detection.

Their system records users in a room for applications such as graduate seminar check-in, security and in and out counting. It recognises in room presence by analysing path loss and door motion readings to decide whether a person is inside the room. Their custom app receives the beacon data and sends it to a server for analysis. They experimented using two iBeacons, one attached to the outside of the door with another mirroring at the inside and also as single iBeacon implementation that still performed well.


The paper also a useful chart showing the variation of RSSI with how a phone is held:


Research into Bluetooth Beacon Security

There’s recent useful research into Bluetooth beacon security from The University of Hong Kong. The paper on Security and Privacy of Wireless Beacon Systems explains how widespread deployment of Bluetooth beacons can cause them to be an attractive target for adversaries.

The paper covers security issues and privacy concerns and classifies the possible types of attack.

The three main reasons for attacks are for free riding services, user profiling or service disruption.

Understanding adversary motives, capabilities and the potential impact allows for defence mechanisms and planning for remedial actions.

Beacon Jewellery as a Personal Security device

IT World Canada recently reported Telus launches personal security beacons disguised as jewellery.

A problem with beacons is that they tend to look ugly when worn. Telus have solved this problem and have developed an app and service so they can be used as a SOS lifeline.

The Telus SmartWear looks like jewellery or a keychain. It connects using Bluetooth to a smartphone. When the back of the charm is double clicked it sends a alert. Telus will ring you back to confirm you need help and, if necessary, send emergency services.

Bluetooth Vehicle–Pedestrian Collision Warning

There’s recent research by Carleton University, Ottawa, Canada on Investigating Wi-Fi, Bluetooth, and Bluetooth Low-Energy Signal Characteristics for Integration in Vehicle–Pedestrian Collision Warning Systems.

The paper looks into the comparative performance of Wi-Fi, Bluetooth Classic (Bluetooth) and Bluetooth Low Energy (BLE) for integration in vehicle–pedestrian collision warning systems. More specifically, accuracy and functionality are considered with respect to signal strength indicator (RSSI) distance stability, rainfall effects on the signals, motion effects, non-line of sight effects and signal transmission rates.

The experiments identified the overall superiority of Bluetooth LE over Wi-Fi and Classic Bluetooth. Bluetooth LE provides fast collision warnings due to the frequent transmission and provides higher probability of simultaneous signal detection by multiple scanners.

The researchers say the results indicate the possibility of integration of Bluetooth LE technology in the design of vehicle–pedestrian collision warning systems in addition to currently used systems.