Bluetooth MAC Randomization Can Be Defeated

The Register has an article titled “Brilliant Boston boffins blow big borehole in Bluetooth’s ballyhooed barricades: MAC addy randomization broken”.

Beneath the hyperbolic alliteration is some research (pdf) showing that Bluetooth MAC randomization isn’t foolproof. Researchers have found that similarities between the non-MAC information in advertising allow devices to be uniquely identified:

“What is perhaps even more concerning, say the Boston Uni trio, is the message Bluetooth vendors are putting out to the public when they advertise Bluetooth LE as being an untrackable standard.”

In actual fact, very few vendors do MAC randomization. The majority of beacon manufacturers don’t because the whole idea of a beacon is that it can be identified via MAC address or iBeacon id. For the same reason, most Bluetooth accessories don’t as they want to be identified via apps. Android smartphones don’t do MAC randomization but iOS and Windows 10 do to improve end-user privacy. It’s mainly iOS devices that will be moving around and possibly tracked in-store or on-site via the ‘vulnerability’ described in the paper.
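One way a device maker could audit their own advertising for the non-MAC similarity described above is to capture a single device across address rotations and flag any advertising field that survives an address change. This is an added example, not code from the paper or the article; the capture tuples, addresses, payload bytes and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed capture of ONE device under test, isolated from other advertisers:
# (seconds, advertiser address, advertising payload hex). 0xFFFF is the
# Bluetooth SIG company ID reserved for testing.
CAPTURE = [
    (0,    "5a:11:22:33:44:01", "0201060bffffffa1b2c3d4e5f60718"),
    (600,  "5a:11:22:33:44:01", "0201060bffffffa1b2c3d4e5f60718"),
    (900,  "6b:aa:bb:cc:dd:02", "0201060bffffffa1b2c3d4e5f60718"),  # address rotated, payload did not
    (1800, "7c:de:ad:be:ef:03", "0201060bffffff0011223344556677"),  # both rotated
]

FLAGS = 0x01  # AD type "Flags": identical on most devices, so not identifying


def parse_ad(payload: bytes):
    """Split an advertising payload into (ad_type, data) structures.

    Each structure is: 1 length byte (covers type + data), 1 type byte, data.
    """
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                      # zero length: padding, stop parsing
            break
        if i + 1 + length > len(payload):    # length runs past the payload end
            raise ValueError("truncated AD structure at offset %d" % i)
        out.append((payload[i + 1], payload[i + 2:i + 1 + length]))
        i += 1 + length
    return out


def static_fields(capture):
    """Return {(ad_type, data_hex): [addresses]} for fields seen under >1 address."""
    seen = defaultdict(set)
    for _ts, addr, payload_hex in capture:
        for ad_type, data in parse_ad(bytes.fromhex(payload_hex)):
            if ad_type != FLAGS:
                seen[(ad_type, data.hex())].add(addr)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for (ad_type, data), addrs in static_fields(CAPTURE).items():
        print("AD type 0x%02x value %s persisted across %s" % (ad_type, data, addrs))
```

Any field this reports links the old and new addresses, so it needs to rotate together with the address.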

The Crux of Machine Learning is Realistic Expectations

Venturebeat has an article, based on IDC research, titled For 1 in 4 companies, half of all AI projects fail.

“Firms blamed the cost of AI solutions, a lack of qualified workers, and biased data as the principal blockers impeding AI adoption internally. Respondents identified skills shortages and unrealistic expectations as the top two reasons for failure, in fact, with a full quarter reporting up to 50% failure rate.”

We believe a key part of this is ‘unrealistic expectations’. Half of all AI projects failing for 1 in 4 companies isn’t unreasonable. AI and machine learning should be viewed as a research rather than a development activity in that it’s often the case that it’s not known if the goal is achievable until you try.

Another unrealistic expectation of machine learning is often to have 100% accuracy. The use of an accuracy % in assessing machine learning models focuses stakeholders’ minds too much on the perceived need for a very high accuracy. In reality, human-assessed, non-machine learning processes such as medical diagnosis tend to have much less than 100% accuracy, and sometimes have undetermined accuracy, but these are reasonably seen as being acceptable.

In summary, there have to be upfront realistic expectations of both the possible outcome and the accuracy of the outcome for projects to correctly determine if AI activities are an unexpected failure.


Simple In Out Uses Beacons

Simple In Out is an employee in/out board that works across multiple platforms:

As well as providing a useful visual display of who’s in and out it’s also possible to use the system for employee timekeeping, notifications when people come in/out and integration with Slack or other systems via web hooks or the API.

Simple in/out uses the employees’ phone’s operating system to detect the geographical area using cell towers or local WiFi Networks. It’s possible to use beacons to improve the accuracy. Beacons are better when you need to use Simple In Out with smaller areas (10-20 metres), moving areas or areas with poor cellular reception or no WiFi.

Configuring iBeacon with Minew BeaconSET+

Minew have a new video showing how easy it is to set iBeacon parameters with their BeaconSET+ app:

BeaconSET+ is the newer app that works with MiniBeacon Plus beacons. These are Minew beacons supporting both iBeacon and Eddystone as opposed to those only supporting iBeacon for which the older BeaconSET app should be used.

This new video is one of many new tutorials that show how to use BeaconSET+.


Using Beacons with iOS 13

iOS 13 has introduced changes to Location and Bluetooth permissions. Estimote has an excellent new post summarising the changes and their effect on apps using beacons.

The article differentiates between Core Location and Core Bluetooth. Core Location implies using the iBeacon APIs while Core Bluetooth is lower level and allows scanning and connection to any Bluetooth LE devices, not just beacons (but perversely can’t scan the iBeacon UUID, major and minor). If, as we recommend, you use the Apple Core Location APIs directly, only the Core Location permission changes will affect you.

There was a time, during the release of iOS 10, when Core Location beacon detection was faulty. At that time, Estimote decided to create an alternative beacon detection API based on Core Bluetooth to circumvent the problems. This means that if you use their SDK, users of your apps will get both Location and Bluetooth prompts and both permissions are required for the Proximity SDK to function. The iOS 10 triggering problems have since been fixed.

Kiosk Pro for iOS Uses iBeacons

Kiosk Pro is an app for iOS that turns an iPad into a public kiosk.

The technical documentation shows how you can trigger the showing of specific information when in the vicinity of a particular beacon. For example, if the kiosk is static, people with different beacons might trigger the showing of different information. If the kiosk is moving, for example a tablet being held, it might trigger the showing of different information based on the location of, for example, different exhibits. The kiosk can also be set to advertise iBeacon that can be picked up in iOS and Android apps.


Android WiFi Direct via Bluetooth

A problem with many IoT projects is the need to connect the device to WiFi. It’s a ‘chicken and egg’ situation in that you need to connect to the device in order to set the WiFi settings but you can’t connect because you aren’t WiFi connected. This is usually solved in one of two ways. The first relies on a WPS button on the WiFi router which sets it into a mode where it will accept a new device without the user having to enter or select anything. Security flaws in WPS and the possibility of anyone pressing the WPS button mean this isn’t a great solution for IoT applications. The second method involves the IoT device itself acting as a WiFi router in ‘station mode’ while the user on a phone, laptop or other device connects and uses an HTTP web interface to set the WiFi settings and reboot. Upon reboot, it’s no longer in station mode and connects to the assigned access point. However, users need simpler mechanisms.

Android used to support WPS but this has been deprecated in favour of Wi-Fi Easy Connect. The latest Android Q documentation explains that the Wi-Fi Direct connection information (a URI) needs to reach the device somehow, such as through a QR Code scan, NFC receipt or a Bluetooth scan. Hence, it’s possible for an unprovisioned device to be scanning for a particular beacon that provides a connection URI that’s used for provisioning the WiFi. This allows retailers’ Android apps or Android IoT devices to easily connect to location-specific WiFi.

The API mentions that Easy Connect does not require Location or Wi-Fi permissions which is a bit misleading. It will need the Location permission if you use a Bluetooth scan to provision.

Recording Employees’ Working Hours

We have been seeing an increase in the number of beacon-based employee clocking in/out systems. This is due to a recent ruling by the European Court of Justice that said that EU companies must have something in place to provide an “objective, reliable and accessible system” that allows the duration of time worked each day to be measured. This is so that it can be confirmed that companies and organisations are complying with the Fundamental Rights Charter and the Working Time Directive.

Some employers and employers’ federations have been critical of the need for modern versions of the ‘punch card’. Some employees also resent being tracked to such a degree. In today’s mobile, flexible working environments, it’s often not practical to track work-related activities performed outside the main workplace. The definition of work is also open to interpretation. For example, is replying to a work email, at home, outside working hours, counted as work?

As with many EU rules, these things can’t be clearly defined and aren’t properly policed. In this case, companies and organisations will come under scrutiny if employees or their unions go to court for non-compliance with working time regulations. Some industries such as construction need time tracking anyway for contractor billing and safety. It’s for each organisation to assess the risk. For those deciding they need time tracking, beacons provide an automated solution.

Reducing Asset Redundancy Using Beacons

There are many industries where the inability to find assets leads to the requirement to have many more of those assets. This is especially so in areas, such as hospitals, where not finding things can cost lives.

It also tends to be the case that such urgently required items are expensive, as they are critical pieces of equipment. When equipment is very expensive, lack of redundancy can end up with key staff spending their time finding things rather than doing their main job.

Even when not finding things isn’t mission critical, a lot of time, human effort and hence cost can be wasted if assets aren’t available. Examples include vehicles in fleet management, tools in construction and equipment in manufacturing.

Beacons and locating systems allow you to reduce asset redundancy, save costs and make working processes more efficient.

Using Beacons, iBeacons for Real-time Locating Systems (RTLS)