Crowd Security with iBeacons

The UK Defence and Security Accelerator (DASA) held a competition to find ideas to reduce the threat of terrorists in public spaces. KSharp created CriB, Crowd Resilience through iBeacons, a system using iBeacons to allow people to report terrorist threats and receive security alerts through an app. This allows venues such as city centres, shopping centres and sports stadiums to improve safety and security. A video has recently become available:

Bluetooth Beacon Security

We sometimes get asked about Beacon security. Beacons use Bluetooth so the underlying security is that provided by Bluetooth 4.0. There’s a great new video by Ellisys, who create Bluetooth test equipment, that explains the threats and mitigations:

In the context of beacons, the persistent bonding mentioned in the video never happens: pairing is temporary. Also, beacon manufacturers often layer additional security on top of Bluetooth in the form of PINs or passwords that are required to set up the beacon.

As the underlying Bluetooth communication is relatively secure, the main beacon security issues tend to be related to spoofing (the possibility of beacons pretending to be yours). However, this is usually only pertinent in security sensitive scenarios such as payment. Contact us if you need more advice on beacon security.

Beacons and Physical Web Security Review

Renaud Lifchitz, a security consultant, has some great new slides on Security review of proximity technologies: beacons and physical web.

He mainly concludes that:

  • Beacons can easily be spoofed
  • Beacon passwords are often sent in plain text
  • Web Bluetooth might be used with XSS to allow hacked sites to access local devices via GATT

The spoofing issue is well known and is a necessary consequence of a broadcast, non-connectable mechanism: anything that is transmitted in the clear for anyone to receive can also be re-transmitted by anyone. Fortunately, people mainly only use these things for nefarious purposes when there’s a profit motive. Spoofing beacons rarely benefits anyone.
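Because an iBeacon identity is just a UUID, major and minor carried in a broadcast advertising packet, a venue app cannot stop someone re-broadcasting it, but it can notice when the same identity is being advertised from more than one Bluetooth address. The following is an added example, not code from the original post or from any beacon vendor: it parses raw advertising payloads into their AD structures, decodes the iBeacon manufacturer frame, and reports identities seen from multiple addresses. The scan records, addresses and UUID are constructed sample data.

```python
"""Decode iBeacon frames from raw BLE advertising payloads and flag identities
broadcast from more than one address.  Added example; the scan records below are
constructed, not captured from real beacons."""
import struct
import uuid
from collections import defaultdict

APPLE_COMPANY_ID = 0x004C      # company identifier carried by iBeacon frames
AD_TYPE_MANUFACTURER = 0xFF    # "Manufacturer Specific Data" AD type


def parse_ad_structures(payload: bytes):
    """Split an advertising payload into (ad_type, data) tuples.
    Each AD structure is: 1 length byte (covering type + data), 1 type byte, data."""
    structs = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                      # a zero length ends the significant part
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure at offset %d" % i)
        structs.append((payload[i + 1], payload[i + 2:i + 1 + length]))
        i += 1 + length
    return structs


def parse_ibeacon(payload: bytes):
    """Return (uuid, major, minor, tx_power) for an iBeacon frame, or None."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type != AD_TYPE_MANUFACTURER or len(data) < 25:
            continue
        company = struct.unpack("<H", data[:2])[0]          # company ID is little-endian
        if company != APPLE_COMPANY_ID or data[2:4] != b"\x02\x15":
            continue
        # UUID, major and minor are big-endian; tx power is a signed byte (dBm at 1 m)
        u = uuid.UUID(bytes=data[4:20])
        major, minor, tx_power = struct.unpack(">HHb", data[20:25])
        return (str(u), major, minor, tx_power)
    return None


def find_cloned_identities(scan_records):
    """Group scan records by iBeacon identity (uuid, major, minor) and return the
    identities that were advertised from more than one Bluetooth address.
    scan_records is an iterable of (address, raw_payload) pairs."""
    addresses_by_identity = defaultdict(set)
    for address, payload in scan_records:
        ident = parse_ibeacon(payload)
        if ident is not None:
            addresses_by_identity[ident[:3]].add(address)
    return {ident: sorted(addrs)
            for ident, addrs in addresses_by_identity.items() if len(addrs) > 1}


def build_ibeacon_adv(uuid_str, major, minor, tx_power=-59):
    """Build a raw advertising payload (Flags + iBeacon manufacturer data).
    Only used here to construct sample scan records."""
    mfg = (struct.pack("<H", APPLE_COMPANY_ID) + b"\x02\x15"
           + uuid.UUID(uuid_str).bytes + struct.pack(">HHb", major, minor, tx_power))
    flags = bytes([0x02, 0x01, 0x06])
    return flags + bytes([len(mfg) + 1, AD_TYPE_MANUFACTURER]) + mfg


# Constructed sample scan: three venue beacons, one of which is also being
# broadcast from an unrelated address, plus one non-iBeacon advertisement.
VENUE_UUID = "e2c56db5-dffb-48d2-b060-d0f5a71096e0"   # sample UUID, not a real deployment
SAMPLE_SCAN = [
    ("c1:3a:9f:00:00:01", build_ibeacon_adv(VENUE_UUID, 1, 100)),
    ("c1:3a:9f:00:00:02", build_ibeacon_adv(VENUE_UUID, 1, 101)),
    ("c1:3a:9f:00:00:01", build_ibeacon_adv(VENUE_UUID, 1, 100)),   # same beacon seen again
    ("7e:44:12:aa:bb:cc", build_ibeacon_adv(VENUE_UUID, 1, 100)),   # same identity, other address
    ("c1:3a:9f:00:00:03", bytes([0x02, 0x01, 0x06, 0x03, 0x03, 0xAA, 0xFE])),  # not iBeacon
]

if __name__ == "__main__":
    for ident, addrs in find_cloned_identities(SAMPLE_SCAN).items():
        print("identity %s advertised from %d addresses: %s" % (ident, len(addrs), addrs))
```

This is a heuristic rather than proof of spoofing: a beacon that rotates its own Bluetooth address would also show up as "cloned", so the check is most useful for fixed installations where the addresses of the genuine beacons are known and can be whitelisted.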

The plain-text password issue sometimes arises when beacons are set up using the manufacturer’s app. This is usually a one-off event, when the beacon is first set up, at which point the user usually controls who is in their surroundings. Hence, it’s very unlikely other people will ‘sniff’ the beacon password.
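To make the plain-text observation concrete, here is an added example (not the post’s code, and not any manufacturer’s real protocol; the message formats are assumed) that models two ways a beacon might check its configuration password over an unencrypted GATT connection, with a passive sniffer recording every packet. In the first model the app writes the password itself; in the second the beacon issues a random nonce and the app answers with an HMAC, so the sniffer never sees the password and cannot replay the answer.

```python
"""Toy models of a beacon password check over an unencrypted link, with a
passive sniffer.  Added example with an assumed, hypothetical protocol."""
import hashlib
import hmac
import os

PASSWORD = b"beacon-setup-1234"   # constructed sample password


class Sniffer:
    """Records every packet that crosses the (unencrypted) link."""
    def __init__(self):
        self.captured = []

    def observe(self, direction, data):
        self.captured.append((direction, bytes(data)))


class PlaintextPasswordBeacon:
    """Model A: the app writes the password itself to a characteristic."""
    def __init__(self, password):
        self._password = password

    def write_password(self, data):
        return hmac.compare_digest(data, self._password)


class ChallengeResponseBeacon:
    """Model B: the beacon hands out a one-shot nonce and expects HMAC(key, nonce)."""
    def __init__(self, password):
        self._key = hashlib.sha256(password).digest()
        self._nonce = None

    def read_challenge(self):
        self._nonce = os.urandom(16)
        return self._nonce

    def write_response(self, mac):
        if self._nonce is None:
            return False
        expected = hmac.new(self._key, self._nonce, hashlib.sha256).digest()
        self._nonce = None                     # nonce is single use, so a replay fails
        return hmac.compare_digest(mac, expected)


def app_login_plaintext(beacon, sniffer, password):
    """Configuration app logging in to a Model A beacon."""
    sniffer.observe("app->beacon", password)
    return beacon.write_password(password)


def app_login_challenge(beacon, sniffer, password):
    """Configuration app logging in to a Model B beacon."""
    nonce = beacon.read_challenge()
    sniffer.observe("beacon->app", nonce)
    key = hashlib.sha256(password).digest()
    mac = hmac.new(key, nonce, hashlib.sha256).digest()
    sniffer.observe("app->beacon", mac)
    return beacon.write_response(mac)


def password_leaked(sniffer, password):
    """True if the password appears verbatim in anything the sniffer captured."""
    return any(password in data for _, data in sniffer.captured)


def replay_succeeds(beacon, sniffer):
    """Does re-sending the last captured app->beacon packet log in again?"""
    last = [d for direction, d in sniffer.captured if direction == "app->beacon"][-1]
    if isinstance(beacon, PlaintextPasswordBeacon):
        return beacon.write_password(last)
    beacon.read_challenge()                    # a new session means a new nonce
    return beacon.write_response(last)


if __name__ == "__main__":
    for cls, login in ((PlaintextPasswordBeacon, app_login_plaintext),
                       (ChallengeResponseBeacon, app_login_challenge)):
        s, b = Sniffer(), cls(PASSWORD)
        login(b, s, PASSWORD)
        print(cls.__name__, "leaked:", password_leaked(s, PASSWORD),
              "replayable:", replay_succeeds(b, s))
```

The challenge-response model only removes the password from the air; a captured nonce and MAC still allow offline guessing of a weak password, so the password must be strong, and the stronger fix remains an encrypted, authenticated link (Bluetooth pairing with LE Secure Connections) rather than application-level tricks.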

For Web Bluetooth, GATT communication without a known password is benign. You can’t do much by just connecting to a beacon or Bluetooth device: you usually need a password to change or view security-sensitive data.

While it’s good to know these things, it’s very unlikely any of these security observations will ever be a problem. Beacons don’t tend to be used in critical or valuable scenarios so the risk of things being subverted is low. There are much easier, more valuable and higher profile targets for hackers in the shape of servers, desktops, laptops and apps. Even if one of the mechanisms mentioned in the slides were used one day, the consequences, for most scenarios, would be minimal.

Paper on Using Eddystone Ephemeral-ID (EID)

There’s a recent paper by Debasis Bhattacharya, Mario Canul and Saxon Knight of the University of Hawaii on the Impact of the Physical Web and BLE Beacons (pdf). The paper is based on a project that uses Eddystone Ephemeral-ID (EID). The paper is more of a backgrounder and description than a source of new insights. Nevertheless, it provides a useful description of some security issues with beacons, including tracking of beacon locations, forgery and showrooming.

New INGICS Bluetooth Sensor Beacons

We have some new INGICS Sensor beacons in stock.

These are slightly different to our other beacons in that they don’t transmit iBeacon or Eddystone. Instead the Bluetooth advertising is wholly used for sensor and battery information. Hence, they are more suitable for sensing, security and IoT applications rather than retail-marketing type scenarios.

There are 4 models:

  • iBS01G – movement/fall sensor
  • iBS01H – magnetic (hall) sensor
  • iBS01RG – (raw) accelerometer sensor
  • iBS01T – temperature and humidity sensor


They derive power from 2 x CR2032 batteries or via a micro USB smartphone charger (not supplied). They all also have a detectable button press. While the manufacturer’s app shows the sensor data, you will probably need a custom app or gateway to scan and use the advertising data.

Man-in-the-Middle Attacks on Beacons

There’s an interesting BtleJuice Bluetooth Smart (LE) Man-in-the-Middle framework on GitHub. It allows you to listen in on the Bluetooth GATT communication that goes on when an app connects to a beacon.

The majority of scanning-type apps don’t connect via GATT and only read the advertising data that’s available to anyone. Connection usually only happens when configuring beacons or in advanced scenarios where the app needs to read sensor or battery data. Some custom platforms’ apps also connect to beacons to perform platform-related tasks such as remote setup, security or other things specific to the platform.

The availability of a Man-in-the-Middle framework presents a security threat. The likelihood depends on the scenario. In the case of most beacons, the main GATT connection activity is one-off beacon setup by an administrator. In these cases the beacon communication interception is very unlikely.

The larger problem might be with platforms’ apps that connect to beacons, where GATT connections happen regularly via users (platform apps) and not under the control of an administrator. The implications of the communication being eavesdropped on obviously depend on what’s being communicated. That being said, most current non-beacon Man-in-the-Middle (WiFi) attacks usually have financial motivations, and it’s difficult to think up beacon attacks that might lead to financial gain for the attackers. Nevertheless, if you work with such a system that regularly connects to beacons via GATT, you might like to think about the consequences of eavesdropping on both the data and the metadata (what’s being changed).

A more positive use of BtleJuice might be to discover and reverse engineer Bluetooth GATT Services. As mentioned in a previous article, some of our beacon manufacturers haven’t documented their Bluetooth Service Characteristics. This means that while they are fine for scanning/proximity type applications, you can’t write your own app to, for example, programmatically change the UUID, major and minor, and must rely on the manufacturer’s configuration app or, in the case of the Sensoro beacon, their SDK. While this is of no consequence for the majority of uses, more ambitious scenarios might want to directly access the Bluetooth GATT services. BtleJuice provides a new way to reverse engineer those Bluetooth GATT Services.