Man-in-the-Middle Attacks on Beacons

There’s an interesting BtleJuice Bluetooth Smart (LE) Man-in-the-Middle framework on GitHub. It allows you to listen in on the Bluetooth GATT communication that goes on when an app connects to a beacon.

The majority of scanning-type apps don't connect via GATT at all; they only read the advertising data that's available to anyone. A connection usually only happens when configuring beacons or in advanced scenarios where the app needs to read sensor or battery data. Some custom platforms' apps also connect to beacons to perform platform-related tasks such as remote setup, security or other functions specific to the platform.

The availability of a Man-in-the-Middle framework presents a security threat. The likelihood depends on the scenario. For most beacons, the main GATT connection activity is one-off beacon setup by an administrator, so interception of the beacon communication is very unlikely in these cases.

The larger problem might be with platforms' apps that connect to beacons, where GATT connections happen regularly via users (platform apps) and not under the control of an administrator. The implications of the communication being eavesdropped obviously depend on what's being communicated. That being said, most current non-beacon Man-in-the-Middle (WiFi) attacks usually have financial motivations, and it's difficult to think up beacon attacks that might lead to financial gain for the attackers. Nevertheless, if you work with such a system that regularly connects to beacons via GATT, you might like to think about the consequences of eavesdropping on both the data and the metadata (what's being changed).

A more positive use of BtleJuice might be to discover and reverse engineer Bluetooth GATT Services. As mentioned in a previous article, some of our beacon manufacturers haven't documented their Bluetooth Service Characteristics. This means that while they are fine for scanning/proximity type applications, you can't write your own app to, for example, programmatically change the UUID, major and minor, and must rely on the manufacturer's configuration app or, in the case of the Sensoro beacon, their SDK. While this is of no consequence for the majority of uses, more ambitious scenarios might want direct access to the Bluetooth GATT services. BtleJuice provides a new way to reverse engineer those Bluetooth GATT Services.
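As an added illustration (not code from this post or from the BtleJuice project), the following Python decodes the openly readable iBeacon advertising data that scanning apps rely on and then applies a simple defensive check: a proxy that impersonates a beacon has to advertise the beacon's identity from its own controller address, so the same UUID/major/minor seen from two different addresses is worth a closer look. The scan records, addresses and the UUID are constructed for the example; that a proxy advertises the same identity from a different address is an assumption, and a beacon whose firmware rotates its address would also trip the check, so treat a hit as an indicator to investigate rather than as proof.

```python
import struct
import uuid
from collections import defaultdict

APPLE_COMPANY_ID = 0x004C            # appears little-endian (4C 00) in the air
IBEACON_TYPE_AND_LEN = b"\x02\x15"   # iBeacon subtype 0x02, payload length 0x15


def parse_ad_structures(adv):
    """Split raw advertising data into (ad_type, payload) pairs (BLE AD format)."""
    structures = []
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0:
            break                                  # zero-length structure ends the data
        if i + 1 + length > len(adv):
            raise ValueError("truncated AD structure")
        structures.append((adv[i + 1], adv[i + 2:i + 1 + length]))
        i += 1 + length
    return structures


def parse_ibeacon(adv):
    """Return the iBeacon identity carried in an advertisement, or None."""
    for ad_type, payload in parse_ad_structures(adv):
        if ad_type != 0xFF or len(payload) != 25:
            continue                               # not Manufacturer Specific Data of iBeacon size
        (company,) = struct.unpack_from("<H", payload, 0)
        if company != APPLE_COMPANY_ID or payload[2:4] != IBEACON_TYPE_AND_LEN:
            continue
        major, minor, measured_power = struct.unpack_from(">HHb", payload, 20)
        return {
            "uuid": str(uuid.UUID(bytes=payload[4:20])),
            "major": major,
            "minor": minor,
            "measured_power": measured_power,      # calibrated RSSI at 1 m, in dBm
        }
    return None


def build_ibeacon_adv(proximity_uuid, major, minor, measured_power):
    """Construct a 30-byte iBeacon advertisement (flags + manufacturer data)."""
    mfg = struct.pack("<H", APPLE_COMPANY_ID) + IBEACON_TYPE_AND_LEN
    mfg += uuid.UUID(proximity_uuid).bytes + struct.pack(">HHb", major, minor, measured_power)
    return b"\x02\x01\x06" + bytes([len(mfg) + 1, 0xFF]) + mfg


def find_duplicate_identities(scan_records):
    """Map each iBeacon identity to the controller addresses advertising it and
    keep only identities seen from more than one address (assumption: an
    impersonating proxy cannot reuse the genuine beacon's address)."""
    seen = defaultdict(set)
    for address, _rssi, adv in scan_records:
        ident = parse_ibeacon(adv)
        if ident is None:
            continue
        seen[(ident["uuid"], ident["major"], ident["minor"])].add(address)
    return {ident: addrs for ident, addrs in seen.items() if len(addrs) > 1}


# Constructed scan log: (controller address, RSSI in dBm, raw advertising data).
EXAMPLE_UUID = "11111111-2222-3333-4444-555555555555"   # constructed, not a real deployment value
SCAN_RECORDS = [
    ("AA:BB:CC:DD:EE:01", -58, build_ibeacon_adv(EXAMPLE_UUID, 100, 1, -59)),
    ("AA:BB:CC:DD:EE:01", -60, build_ibeacon_adv(EXAMPLE_UUID, 100, 1, -59)),
    ("AA:BB:CC:DD:EE:07", -71, build_ibeacon_adv(EXAMPLE_UUID, 100, 2, -59)),
    ("AA:BB:CC:DD:EE:02", -45, build_ibeacon_adv(EXAMPLE_UUID, 100, 1, -59)),  # same identity, new address
    ("11:22:33:44:55:66", -80, b"\x02\x01\x06\x05\x09test"),                   # unrelated device, no iBeacon data
]

if __name__ == "__main__":
    for ident, addrs in find_duplicate_identities(SCAN_RECORDS).items():
        print("identity", ident, "advertised from", sorted(addrs))
```

The check only needs the advertising data, so it can run on any phone or scanner that already logs beacons; no GATT connection is involved.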

The Complete Beacon Industry Report

The Proximity Studio has a useful new document (pdf), The Complete Beacon Industry Report, with industry insights and use cases. It covers opportunities in manufacturing, retail, facilities management, logistics and healthcare.

It also has interviews with Szymon Niemczura of Kontakt.io and Steve Statler author of the book The Hitchhiker’s Guide to The Beacosystem.

(Image: Beacons in Manufacturing)

Learnings from Using iBeacons in Wales’ Oldest Gallery

There’s a useful article on the Nesta site on Using Proximity Technology to Enhance the Gallery Experience.

Oriel Plas Glyn-y-Weddw in Llanbedrog on the Llyn Peninsula is Wales’ oldest art gallery. They created a mobile app that uses iBeacons to deliver content to gallery visitors.

They have some insights:

  • They found that audio-only content was best so as not to distract from the art itself.
  • Users were most interested in content presented by the artists themselves rather than other commentators.
  • Positioning the beacons was important. Planning and positioning of beacons was vital in ensuring a glitch-free experience.

Our experience of using beacons in art galleries shows that, as with Oriel Plas Glyn-y-Weddw's findings, most problems occur when beacon transmissions overlap. You have to fine tune beacon power and/or trigger on specific ranges in order to prevent false triggering or 'bouncing' between exhibits when the user hasn't even moved. Apps can also be set to ignore multiple triggers that happen within a very short time.
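As an added example (not code from the article or from the gallery's app), here is the kind of hysteresis and debounce logic described above, in Python: a beacon only becomes the current exhibit when its median-filtered RSSI is above an entry threshold, the current exhibit is only released once its own RSSI has fallen below a lower exit threshold, and switches are rate-limited by a minimum dwell time. The walk-through readings, thresholds and beacon names are constructed; a naive strongest-beacon rule is included for comparison so the bouncing is visible.

```python
import statistics
from collections import deque


class ExhibitSelector:
    """Pick the exhibit a visitor is standing at from per-beacon RSSI readings,
    using hysteresis (separate enter/exit thresholds), a median filter and a
    minimum dwell time so overlapping beacons do not cause bouncing."""

    FLOOR_RSSI = -100  # constructed value used when a known beacon is not heard in a tick

    def __init__(self, enter_rssi=-65, exit_rssi=-75, min_dwell_s=3.0, window=3):
        self.enter_rssi = enter_rssi      # a candidate must be at least this strong (dBm)
        self.exit_rssi = exit_rssi        # the current exhibit is released below this (dBm)
        self.min_dwell_s = min_dwell_s    # no switch sooner than this after the last one
        self.window = window              # number of readings in the median filter
        self.history = {}                 # beacon name -> deque of recent RSSI values
        self.current = None
        self.switched_at = None

    def _smoothed(self, beacon):
        return statistics.median(self.history[beacon])

    def update(self, t, readings):
        """Feed one tick of readings ({beacon: rssi}) at time t; return the current exhibit."""
        for beacon in set(self.history) | set(readings):
            value = readings.get(beacon, self.FLOOR_RSSI)
            self.history.setdefault(beacon, deque(maxlen=self.window)).append(value)
        if not self.history:
            return self.current
        best_rssi, best = max((self._smoothed(b), b) for b in self.history)
        if self.current is None:
            if best_rssi >= self.enter_rssi:
                self.current, self.switched_at = best, t
            return self.current
        dwell_ok = (t - self.switched_at) >= self.min_dwell_s
        candidate_ok = best != self.current and best_rssi >= self.enter_rssi
        released = self._smoothed(self.current) <= self.exit_rssi
        if dwell_ok and candidate_ok and released:
            self.current, self.switched_at = best, t
        return self.current


def naive_strongest(readings):
    """The rule that bounces: whichever beacon is strongest right now wins."""
    return max(readings, key=readings.get)


# Constructed walk: one tick per second. The visitor stands at exhibit A while
# beacon B's overlapping signal fluctuates (t=1..4), then walks over to B (t=5..8).
WALK = [
    (0, {"A": -60, "B": -90}),
    (1, {"A": -62, "B": -64}),
    (2, {"A": -61, "B": -63}),
    (3, {"A": -63, "B": -62}),
    (4, {"A": -60, "B": -66}),
    (5, {"A": -70, "B": -60}),
    (6, {"A": -80, "B": -58}),
    (7, {"A": -82, "B": -59}),
    (8, {"A": -84, "B": -58}),
]


def run_walk(walk=WALK):
    """Return (debounced selections, naive selections) for the constructed walk."""
    selector = ExhibitSelector()
    debounced = [selector.update(t, readings) for t, readings in walk]
    naive = [naive_strongest(readings) for _, readings in walk]
    return debounced, naive


if __name__ == "__main__":
    debounced, naive = run_walk()
    print("naive    :", " ".join(naive))
    print("debounced:", " ".join(debounced))
```

On the constructed walk the naive rule flips A, B, A, B while the visitor is still at A; the hysteresis version stays on A until its own signal has clearly dropped away and B is clearly strong, then switches once.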

How to Open the iB004N Case?

There’s a manufacturer-supplied video in our Ankhmaway technical information that shows how to open the iB004N. We haven’t been happy with this video for some time. Firstly, if you open the beacon as shown you are likely to crack the case. Secondly, it shows someone wielding what looks like a metal screwdriver that, given where it’s used, could easily short or damage the circuit board. Thirdly, if you snap it shut as shown, you will snap off the retaining lugs.

We have found that the best way to open the iB004N is with a plastic sharp edge such as a guitar pick. Push it down as shown, where there isn’t a retaining lug:

(Image: opening the iB004N case)

Lever and the case top pops off. Use a plastic tool to lever up the printed circuit board and replace the battery.

To put the lid back on, first place the lid side with the two lugs into the corresponding two holes in the side. Push the lid down and use the plastic sharp edge, in the same position as you used to take the lid off, to widen the case slightly as you push the lid right down. This way, the lug won’t snap off.

Beacons and the IoT Value Chain

There's a thought-provoking article at the news arm of the GSMA, Mobile World Live. It quotes Nokia, who think that applications are set to dominate the IoT value chain.

This isn’t applications, as in apps, but platforms, systems (and sometimes controlling apps) that create ecosystems for specific vertical needs. Nokia said:

It’s not the iPhone selling at $800 that’s going to make IoT grow, it’s going to be the devices and sensors that are sub-$10

Today’s sensor beacons are early devices upon which we can start building these IoT ecosystem applications.

nRF Connect Now Has Macros

The Nordic nRF Connect app (formerly known as nRF Master Control Panel) allows you to manipulate beacons directly at the Bluetooth GATT Service/Characteristic level. It works with all beacons, not just those containing Nordic SoCs. There’s also a version for iOS. The app is particularly good at recognising known Bluetooth profiles and giving them useful human descriptions rather than leaving the Bluetooth Services as numbers.

The Android version of the app has recently been updated to support macros:

(Image: nRF Connect macros)

This means that if you are configuring lots of beacons, it’s now much less tedious, quicker and less error prone if you record and replay a macro setting all your desired Service/Characteristic settings.

Beacons For Bees

There’s an interesting new project on GitHub that uses Eddystone-URL beacons to tag wild and domestic beehives.

“There are many reasons to geo-tag wild and domestic Beehives, one is simply to raise awareness of HoneyBee Colony Collapse Disorder (CCD), and the state of health of local Beehives; another would be to alert those that might be susceptible to anaphylactic shock that they should be mindful of their surroundings. (i.e. Don’t climb that lovely tree with the huge wild Beehive in it…)”

It’s questionable whether Eddystone-URL is the best solution in this particular scenario. Eddystone-URL will only show up when users are interacting with their devices (when the screen is on). People avoiding beehives due to possible anaphylactic shock would want to be alerted even when not using their phones. This requires use of an app and iBeacon if background notification is required on iOS.

Nevertheless, Eddystone-URL does provide an inexpensive, easy to create solution for educational and awareness (PR) purposes.
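To make the Eddystone-URL format concrete, here is an added Python encoder and decoder for the URL frame (example code, not from the beehive project): the frame carries a frame type byte, the calibrated TX power at 0 m, a one-byte URL scheme prefix and the URL with common suffixes such as .org/ compressed to single bytes, and the compressed URL may be at most 17 bytes, which is the constraint that usually forces a short URL. The beehive URL used below is constructed for the example.

```python
import struct

FRAME_TYPE_URL = 0x10        # Eddystone-URL frame type
MAX_ENCODED_URL = 17         # bytes available for the compressed URL

# One-byte scheme prefixes and in-URL expansion codes from the Eddystone-URL spec.
SCHEMES = {0x00: "http://www.", 0x01: "https://www.", 0x02: "http://", 0x03: "https://"}
EXPANSIONS = {
    0x00: ".com/", 0x01: ".org/", 0x02: ".edu/", 0x03: ".net/",
    0x04: ".info/", 0x05: ".biz/", 0x06: ".gov/",
    0x07: ".com", 0x08: ".org", 0x09: ".edu", 0x0A: ".net",
    0x0B: ".info", 0x0C: ".biz", 0x0D: ".gov",
}


def encode_url(url):
    """Compress a URL into scheme byte + encoded body; raise ValueError if it does not fit."""
    for code, prefix in sorted(SCHEMES.items(), key=lambda kv: -len(kv[1])):
        if url.startswith(prefix):          # longest prefix first: https://www. before https://
            scheme, rest = code, url[len(prefix):]
            break
    else:
        raise ValueError("URL must start with http:// or https://")
    expansions = sorted(EXPANSIONS.items(), key=lambda kv: -len(kv[1]))
    body = bytearray()
    i = 0
    while i < len(rest):
        for code, text in expansions:       # longest match first: .com/ before .com
            if rest.startswith(text, i):
                body.append(code)
                i += len(text)
                break
        else:
            body += rest[i].encode("ascii")  # non-ASCII raises (a ValueError subclass)
            i += 1
    if len(body) > MAX_ENCODED_URL:
        raise ValueError(f"encoded URL is {len(body)} bytes, limit is {MAX_ENCODED_URL}")
    return bytes([scheme]) + bytes(body)


def decode_url(encoded):
    """Inverse of encode_url."""
    if not encoded or encoded[0] not in SCHEMES:
        raise ValueError("missing or unknown URL scheme byte")
    return SCHEMES[encoded[0]] + "".join(EXPANSIONS.get(b, chr(b)) for b in encoded[1:])


def build_url_frame(url, tx_power_dbm):
    """Service data for UUID 0xFEAA: frame type, TX power at 0 m, then the compressed URL."""
    return bytes([FRAME_TYPE_URL]) + struct.pack("b", tx_power_dbm) + encode_url(url)


def parse_url_frame(frame):
    """Return (tx_power_dbm, url) from Eddystone-URL service data."""
    if len(frame) < 3 or frame[0] != FRAME_TYPE_URL:
        raise ValueError("not an Eddystone-URL frame")
    (tx_power,) = struct.unpack("b", frame[1:2])
    return tx_power, decode_url(frame[2:])


if __name__ == "__main__":
    # Constructed beehive URL; it compresses to 16 bytes, inside the 17-byte limit.
    frame = build_url_frame("https://beehive.example.org/", -20)
    print(frame.hex(), "->", parse_url_frame(frame))
```

Anything that does not compress below 17 bytes, for example a long path with no compressible suffix, is rejected by the encoder instead of being silently truncated, which is why real deployments almost always point the beacon at a shortened URL.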

Crowd Analysis Using Beacons

With so many uses of beacons centred around notifications to users, it’s interesting to see Queen Mary University of London doing something different. Research by Kleomenis Katevas, Laurissa Tokarchuk, Hamed Haddadi and Richard G. Clegg of the Department of Computing of Imperial College looks into detecting group (crowd) formations using iBeacon (pdf).

They used beacon RSSI and phone motion together with algorithms based on graph theory to predict interactions inside the crowd. They verified their findings using video footage as ground truth.

(Image: distance estimation models)

The paper has some particularly interesting observations from testing RSSI in an EMC screened anechoic chamber and also has some information on distance estimation models.