SlideShare ist ein Scribd-Unternehmen logo

iBeacon security overview

Localz
Localz

Beacons leverage a common wireless standard that can be detected by nearly every modern smartphone. Because of this wide and wireless coverage, concerns have been raised on the security of beacons. By default, Beacons are open and static. For example, Apple’s iBeacons constantly broadcast a single repeating payload: UUID, Major ID and Minor ID. Once deployed, anyone can detect these Beacon IDs. This gives rise to two specific risks: Beacon Spoofing & Piggybacking. This doc is a summary of the risks and general controls available to mitigate attacks.

Technologie
1 von 14
Downloaden Sie, um offline zu lesen
Secure Beacons Overview & Options © 2015 Localz Pty. Ltd.
Beacon Security B E A C O N S E C U R I T Y Bluetooth Low Energy (Smart) Beacons leverage a common wireless standard that can be detected by nearly every modern smartphone. Beacons can be detect from a range of up to 70 meters. Because of this wide and wireless coverage, concerns have been raised on the security of beacons. © 2015 Localz Pty. Ltd.
Static Beacon IDs By default, Beacons are open and static. For example, Apple’s iBeacons constantly broadcast a single repeating payload: UUID, Major ID and Minor ID. Once deployed, anyone can detect these Beacon IDs. This gives rise to two specific risks: Beacon Spoofing & Piggybacking. There are additional but unrelated security concerns related to Beacon provisioning and configuration updates. However, we’ll save those for another paper. 1234… 1234… 1234… 1234… 1244… 1244… 1244… 1244… 1245… 1245… 1245… 1245… B E A C O N S E C U R I T Y © 2015 Localz Pty. Ltd.
Beacon Spoofing Beacon Spoofing is possibility of detecting and cloning beacon IDs. Another beacon (or phone) could be created with the same beacon ID. Malicious users can use spoofed beacons to trigger events and messages in a different physical space than intended. A store entrance beacon triggering a welcome message could be copied by an attacker and replayed at the entrance to a train line. Consumers with the store app would receive the welcome message at train entrance. This could create consumer annoyance and confusion. Example risk: Beacon ID detected and copied cloned Beacon ID Later on . . . Store entrance Train entrance cloned beacon placed elsewhere B E A C O N S E C U R I T Y © 2015 Localz Pty. Ltd.
Beacon Piggybacking Beacon Piggybacking or Hijacking is possibility of using beacons deployed for one application in another, unauthorised, application. Beacon IDs can be detected and their profile included in applications deployed by third parties. Providing a consumer has this third party app installed, these hijacked beacons can then be used to trigger events, messages and analytics unrelated to the intended deployment. A coffee house, Small’s Coffee, deploys beacons for their mobile app. A competing coffee house, Big Coffee, visits small’s coffee to detect and copy beacons. Big Coffee deploys their own mobile app that includes beacon IDs from Small’s coffee. When consumers with the Big Coffee app installed visit Small’s Coffee, they receive a message for discount coffee at Big Coffee. Example risk: Small’s Coffee Small’s CoffeeBeacon ID detected Beacon ID included in competing app Big Coffee App “Get a discount at Big Coffee” App installed on consumer phone Later on . . . B E A C O N S E C U R I T Y © 2015 Localz Pty. Ltd.
Risk Mitigation There are four general controls to mitigating beacon risks Geolocation Validation + Cloud Validation + Hardware ManagementSoftware Seed ++ B E A C O N S E C U R I T Y © 2015 Localz Pty. Ltd.
Geolocation Validation After identifying a registered beacon the mobile device validates the phone geo location (during each session) to ensure it is near the intended physical space. This type of control prevents spoofing of beacons outside of the retail store. Further, the control is simple, inexpensive to deploy and permits the use of native iBeacon mode for greater compatibility. + B E A C O N S E C U R I T Y © 2015 Localz Pty. Ltd.
Software Seed Beacons are provisioned with changing IDs which prevent direct copying and piggybacking. A seed value is used to determine the ID sequence and change interval. The seed is synched to mobile devices via a SDK. When a beacon is detected, the mobile device checks with the SDK to determine if it is valid and what, if any action, is permitted. Although this approach helps to mitigate against spoofing and piggybacking, the seed value can be easily extracted and copied by a determined attacker. For this reason, several providers offer cloud based propositions. + Seed value similar in concept to… B E A C O N S E C U R I T Y © 2015 Localz Pty. Ltd.
Cloud Validation Beacons are provisioned with changing IDs which prevent direct copying and piggybacking. A seed value is used to determine the ID sequence and change interval. The seed is synched to a cloud based service. When a beacon is detected, the mobile device checks with the Cloud service to determine if it is valid and what, if any action, is permitted. This approach provides a high degree of mitigation against spoofing and piggybacking. However, testing indicated that reliance on cloud services introduces latency that can significantly detract from the user experience - especially in retail environments with poor mobile reception. + Seed value B E A C O N S E C U R I T Y © 2015 Localz Pty. Ltd.
Hardware Management Beacons are provisioned and managed by hardware controllers. Connected WiFi/Bluetooth devices such as BluVision’s BluFi and Kontakt’s Cloud Beacon are used to remotely manage and update the beacon fleet via cloud services. These devices can be used to change Beacon IDs at will, with corresponding changes sent to mobile apps. This approach provides a high degree of mitigation against spoofing and piggybacking. However, additional hardware is required. Further, this hardware must be able to connect over Bluetooth to covered beacons, which may limit effectiveness (e.g., will not work if beacons are placed in remote parking lots. + B E A C O N S E C U R I T Y © 2015 Localz Pty. Ltd.
Other Controls B E A C O N S E C U R I T Y Hardware Validation: • There are additional controls to deter spoofing attacks that rely on beacon hardware manufacturer identifiers • This type of control is available from several manufactures but to our knowledge has not been widely deployed in production • Though challenging, it is possible to spoof nearly any aspect of a Bluetooth broadcast protocol - cloning may still be possible Hybrid Controls: • Many beacon vendors provide SDKs that combine one or more security controls • A common configuration leverages a combination of Cloud Validation and Software Seeds • Software seeds can be updated periodically via API calls © 2015 Localz Pty. Ltd.
Additional Considerations Rotating Beacon IDs: • Any scheme which relies on rotating beacon ID runs some level of risk that such changes will not be synchronised with mobile apps • Synchronisation may be lost due to: • Loss of internet connection • Failed background updates (register/ deregister) • A limit on iOS registrations • Failed beacon configurations • Where there is a lack of synchronisation, the app will not deliver the intended experience B E A C O N S E C U R I T Y iBeacon Alternatives: • Several secure beacon methods rely on alternative Bluetooth Low Energy protocols • Several of these approaches force iOS apps to use Bluetooth as an accessory and/or UIBackgroundMode • If implemented incorrectly, these modes can cause material battery drain • These approaches can be rejected by Apple for production deployment: stackoverflow.com/questions/15980481/my-app-has- been-rejected-because-of-uibackgroundmodes Geofence Triggers: • Piggyback style risks cannot be fully mitigated. It is possible to trigger background messages and events without the use of beacons • Geofence (clustered) registrations can be used to initiate messages and events using course location technologies • For example: location push messages could be triggered by third party apps on approach to a competitor store © 2015 Localz Pty. Ltd.
Comparison Control Geolocation Validation Software Seed Cloud Validation Hardware Management Benefit • Least expensive mitigation • Simple to configure and operate • Can be enabled/disabled on demand • Permits use of native iBeacon mode for greater compatibility • Helps mitigate spoofing and piggybacking attacks • No reliance on internet connections • No additional hardware required • Provides high degree of mitigation against spoofing & piggyback attacks • No additional hardware required • Difficult for determined attackers to compromise • Provides high degree of mitigation against spoofing & piggyback attacks • Provides a device to remotely monitor & update the beacon fleet • Changes can be deployed or backed out on-demand • Permits use of native iBeacon mode for greater compatibility Disadvantage • Does not protect against piggybacking attacks • Geolocation reliance does not provide same level of precision as other anti-spoofing controls • Location lookup may cause delay on initial start of session • Difficult to change or backout in case of issue • Beacon IDs can be easily identified by determined attackers • More complex deployment • Some schemes may not work reliably for Apple apps - not a native iOS iBeacon standard • Difficult to change or backout in case of issue • More complex deployment • Latency can diminish user experience • Requires reliable internet connections - may not work in all store environments • Some schemes may not work reliably for Apple apps - not a native iOS iBeacon standard • Most expensive deployment option • Requires additional hardware • Does not work for beacons out of range (i.e., parking lots) • Requires periodic internet connection for WiFi/BT devices B E A C O N S E C U R I T Y © 2015 Localz Pty. Ltd.
© 2015 Localz Pty. Ltd. tim.andrew@localz.com✉ ✉pete.williams@localz.com @localzco

Empfohlen

Digital Marketing Audit
Digital Marketing AuditDigital Marketing Audit
Digital Marketing Audit
Mark Brewerton
 
What is digital marketing
What is digital marketing What is digital marketing
What is digital marketing
Othmane Targhi
 
Digital marketing strategy
Digital marketing strategyDigital marketing strategy
Digital marketing strategy
Technogics Inc
 
Introduction to social media strategy
Introduction to social media strategyIntroduction to social media strategy
Introduction to social media strategy
Mohammad Hijazi
 
Growth Hacking Roadmap
Growth Hacking RoadmapGrowth Hacking Roadmap
Growth Hacking Roadmap
Mark Andersen
 
Facebook | Facebook Marketing | Facebook Monetization
Facebook | Facebook Marketing | Facebook MonetizationFacebook | Facebook Marketing | Facebook Monetization
Facebook | Facebook Marketing | Facebook Monetization
Mujeeb Riaz
 
Native Advertising- An Analysis
Native Advertising- An AnalysisNative Advertising- An Analysis
Native Advertising- An Analysis
Jane Skiles
 
Social media plan strategy & process
Social media plan strategy & processSocial media plan strategy & process
Social media plan strategy & process
Vinod Nagar
 

Empfohlen

Digital Marketing Audit
Digital Marketing AuditDigital Marketing Audit
Digital Marketing Audit
Mark Brewerton
 
What is digital marketing
What is digital marketing What is digital marketing
What is digital marketing
Othmane Targhi
 
Digital marketing strategy
Digital marketing strategyDigital marketing strategy
Digital marketing strategy
Technogics Inc
 
Introduction to social media strategy
Introduction to social media strategyIntroduction to social media strategy
Introduction to social media strategy
Mohammad Hijazi
 
Growth Hacking Roadmap
Growth Hacking RoadmapGrowth Hacking Roadmap
Growth Hacking Roadmap
Mark Andersen
 
Facebook | Facebook Marketing | Facebook Monetization
Facebook | Facebook Marketing | Facebook MonetizationFacebook | Facebook Marketing | Facebook Monetization
Facebook | Facebook Marketing | Facebook Monetization
Mujeeb Riaz
 
Native Advertising- An Analysis
Native Advertising- An AnalysisNative Advertising- An Analysis
Native Advertising- An Analysis
Jane Skiles
 
Social media plan strategy & process
Social media plan strategy & processSocial media plan strategy & process
Social media plan strategy & process
Vinod Nagar
 
Influencer Marketing
Influencer MarketingInfluencer Marketing
Influencer Marketing
Jason Keath
 
Online Reputation Management
Online Reputation ManagementOnline Reputation Management
Online Reputation Management
Bart De Waele
 
Digital Marketing Trends for 2023
Digital Marketing Trends for 2023Digital Marketing Trends for 2023
Digital Marketing Trends for 2023
Vbout.com
 
Growth Hacking Guide - Mindset, Framework and Tools
Growth Hacking Guide - Mindset, Framework and ToolsGrowth Hacking Guide - Mindset, Framework and Tools
Growth Hacking Guide - Mindset, Framework and Tools
David Arnoux . Growth
 
Performance Marketing Strategy
Performance Marketing StrategyPerformance Marketing Strategy
Performance Marketing Strategy
Paul Skirbe
 
Lead Generation for B2B Pitch Deck
Lead Generation for B2B Pitch DeckLead Generation for B2B Pitch Deck
Lead Generation for B2B Pitch Deck
Malinda Senanayake
 
AWS re:Invent 2016: Add User Sign-In, User Management, and Security to your M...
AWS re:Invent 2016: Add User Sign-In, User Management, and Security to your M...AWS re:Invent 2016: Add User Sign-In, User Management, and Security to your M...
AWS re:Invent 2016: Add User Sign-In, User Management, and Security to your M...
Amazon Web Services
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
Karl McGuinness
 
Basics of Instagram Marketing
Basics of Instagram MarketingBasics of Instagram Marketing
Basics of Instagram Marketing
introtodigital
 
The Anatomy of the Corporate Content Team: 5 Models to Inspire Your Team's St...
The Anatomy of the Corporate Content Team: 5 Models to Inspire Your Team's St...The Anatomy of the Corporate Content Team: 5 Models to Inspire Your Team's St...
The Anatomy of the Corporate Content Team: 5 Models to Inspire Your Team's St...
HubSpot
 
What Is Growth Marketing?
What Is Growth Marketing?What Is Growth Marketing?
What Is Growth Marketing?
Drift
 
Email Marketing Presetation
Email Marketing PresetationEmail Marketing Presetation
Email Marketing Presetation
David Caruso
 
Social media marketing ppt
Social media marketing pptSocial media marketing ppt
Social media marketing ppt
Sean Joan
 
All about different types of Content Writing Services
All about different types of Content Writing ServicesAll about different types of Content Writing Services
All about different types of Content Writing Services
Faux Digital Advertising Agency
 
Instagram Marketing Made Simple
Instagram Marketing Made SimpleInstagram Marketing Made Simple
Instagram Marketing Made Simple
MeetEdgar
 
Digital Marketing Proposal - Understanding Digital Marketing
Digital Marketing Proposal - Understanding Digital Marketing Digital Marketing Proposal - Understanding Digital Marketing
Digital Marketing Proposal - Understanding Digital Marketing
Infidirect
 
Still nothing but ad fraud 2021 dr augustine fou
Still nothing but ad fraud 2021 dr augustine fouStill nothing but ad fraud 2021 dr augustine fou
Still nothing but ad fraud 2021 dr augustine fou
Dr. Augustine Fou - Independent Ad Fraud Researcher
 
LaunchRock
LaunchRockLaunchRock
LaunchRock
500 Startups
 
7 Principles of Conversion Centered Design with Oli Gardner
7 Principles of Conversion Centered Design with Oli Gardner7 Principles of Conversion Centered Design with Oli Gardner
7 Principles of Conversion Centered Design with Oli Gardner
Stukent Inc.
 
Level Up With WebEngage
Level Up With WebEngageLevel Up With WebEngage
Level Up With WebEngage
WebEngage
 
Beacon Security
Beacon SecurityBeacon Security
Beacon Security
kontakt.io
 
iBeacons: Security and Privacy?
iBeacons: Security and Privacy?iBeacons: Security and Privacy?
iBeacons: Security and Privacy?
Jim Fenton
 

Weitere ähnliche Inhalte

Was ist angesagt?

Digital Marketing Trends for 2023
Digital Marketing Trends for 2023Digital Marketing Trends for 2023
Digital Marketing Trends for 2023
Vbout.com
 

Was ist angesagt? (20)

Influencer Marketing
Influencer MarketingInfluencer Marketing
Influencer Marketing
 
Online Reputation Management
Online Reputation ManagementOnline Reputation Management
Online Reputation Management
 
Digital Marketing Trends for 2023
Digital Marketing Trends for 2023Digital Marketing Trends for 2023
Digital Marketing Trends for 2023
 
Growth Hacking Guide - Mindset, Framework and Tools
Growth Hacking Guide - Mindset, Framework and ToolsGrowth Hacking Guide - Mindset, Framework and Tools
Growth Hacking Guide - Mindset, Framework and Tools
 
Performance Marketing Strategy
Performance Marketing StrategyPerformance Marketing Strategy
Performance Marketing Strategy
 
Lead Generation for B2B Pitch Deck
Lead Generation for B2B Pitch DeckLead Generation for B2B Pitch Deck
Lead Generation for B2B Pitch Deck
 
AWS re:Invent 2016: Add User Sign-In, User Management, and Security to your M...
AWS re:Invent 2016: Add User Sign-In, User Management, and Security to your M...AWS re:Invent 2016: Add User Sign-In, User Management, and Security to your M...
AWS re:Invent 2016: Add User Sign-In, User Management, and Security to your M...
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
Basics of Instagram Marketing
Basics of Instagram MarketingBasics of Instagram Marketing
Basics of Instagram Marketing
 
The Anatomy of the Corporate Content Team: 5 Models to Inspire Your Team's St...
The Anatomy of the Corporate Content Team: 5 Models to Inspire Your Team's St...The Anatomy of the Corporate Content Team: 5 Models to Inspire Your Team's St...
The Anatomy of the Corporate Content Team: 5 Models to Inspire Your Team's St...
 
What Is Growth Marketing?
What Is Growth Marketing?What Is Growth Marketing?
What Is Growth Marketing?
 
Email Marketing Presetation
Email Marketing PresetationEmail Marketing Presetation
Email Marketing Presetation
 
Social media marketing ppt
Social media marketing pptSocial media marketing ppt
Social media marketing ppt
 
All about different types of Content Writing Services
All about different types of Content Writing ServicesAll about different types of Content Writing Services
All about different types of Content Writing Services
 
Instagram Marketing Made Simple
Instagram Marketing Made SimpleInstagram Marketing Made Simple
Instagram Marketing Made Simple
 
Digital Marketing Proposal - Understanding Digital Marketing
Digital Marketing Proposal - Understanding Digital Marketing Digital Marketing Proposal - Understanding Digital Marketing
Digital Marketing Proposal - Understanding Digital Marketing
 
Still nothing but ad fraud 2021 dr augustine fou
Still nothing but ad fraud 2021 dr augustine fouStill nothing but ad fraud 2021 dr augustine fou
Still nothing but ad fraud 2021 dr augustine fou
 
LaunchRock
LaunchRockLaunchRock
LaunchRock
 
7 Principles of Conversion Centered Design with Oli Gardner
7 Principles of Conversion Centered Design with Oli Gardner7 Principles of Conversion Centered Design with Oli Gardner
7 Principles of Conversion Centered Design with Oli Gardner
 
Level Up With WebEngage
Level Up With WebEngageLevel Up With WebEngage
Level Up With WebEngage
 

Andere mochten auch

Java alem das aplicacoes comerciais convencionais
Java alem das aplicacoes comerciais convencionaisJava alem das aplicacoes comerciais convencionais
Java alem das aplicacoes comerciais convencionais
Leonardo Simberg
 
How To Build Android for ARM Chip boards
How To Build Android for ARM Chip boardsHow To Build Android for ARM Chip boards
How To Build Android for ARM Chip boards
Industrial Technology Research Institute (ITRI)(工業技術研究院, 工研院)
 

Andere mochten auch (8)

Beacon Security
Beacon SecurityBeacon Security
Beacon Security
 
iBeacons: Security and Privacy?
iBeacons: Security and Privacy?iBeacons: Security and Privacy?
iBeacons: Security and Privacy?
 
Java alem das aplicacoes comerciais convencionais
Java alem das aplicacoes comerciais convencionaisJava alem das aplicacoes comerciais convencionais
Java alem das aplicacoes comerciais convencionais
 
Security Questions Considered Harmful
Security Questions Considered HarmfulSecurity Questions Considered Harmful
Security Questions Considered Harmful
 
What can beacons do for your business?
What can beacons do for your business?What can beacons do for your business?
What can beacons do for your business?
 
PayPal Beacon and Apple iBeacon
PayPal Beacon and Apple iBeaconPayPal Beacon and Apple iBeacon
PayPal Beacon and Apple iBeacon
 
How To Build Android for ARM Chip boards
How To Build Android for ARM Chip boardsHow To Build Android for ARM Chip boards
How To Build Android for ARM Chip boards
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot images
 

Ähnlich wie iBeacon security overview

Beacons
Beacons Beacons
Beacons
Rahul Dhabhai
 
Iljaitsch vectorform ble_i_beacon_140401
Iljaitsch vectorform ble_i_beacon_140401Iljaitsch vectorform ble_i_beacon_140401
Iljaitsch vectorform ble_i_beacon_140401
LOC Place
 
Iljaitsch vectorform ble_i_beacon_140401
Iljaitsch vectorform ble_i_beacon_140401Iljaitsch vectorform ble_i_beacon_140401
Iljaitsch vectorform ble_i_beacon_140401
LOC Place
 
Reinventing Cybersecurity in the Internet of Things
Reinventing Cybersecurity in the Internet of ThingsReinventing Cybersecurity in the Internet of Things
Reinventing Cybersecurity in the Internet of Things
Nirmal Misra
 
151022_oml_reinventing_cybersecurity_IoT_v1p
151022_oml_reinventing_cybersecurity_IoT_v1p151022_oml_reinventing_cybersecurity_IoT_v1p
151022_oml_reinventing_cybersecurity_IoT_v1p
Stéphane Roule
 
2021 01-27 reducing risk of ransomware webinar
2021 01-27 reducing risk of ransomware webinar2021 01-27 reducing risk of ransomware webinar
2021 01-27 reducing risk of ransomware webinar
AlgoSec
 
Mobile SSO: Give App Users a Break from Typing Passwords
Mobile SSO: Give App Users a Break from Typing PasswordsMobile SSO: Give App Users a Break from Typing Passwords
Mobile SSO: Give App Users a Break from Typing Passwords
CA API Management
 
BLE Based Asset Tracking & Personnel Trackingin Food Products Manufacturing (...
BLE Based Asset Tracking & Personnel Trackingin Food Products Manufacturing (...BLE Based Asset Tracking & Personnel Trackingin Food Products Manufacturing (...
BLE Based Asset Tracking & Personnel Trackingin Food Products Manufacturing (...
muzzhash1
 

Ähnlich wie iBeacon security overview (20)

Hacking A Bluetooth-Enabled Medical Device Is Too Easy
Hacking A Bluetooth-Enabled Medical Device Is Too EasyHacking A Bluetooth-Enabled Medical Device Is Too Easy
Hacking A Bluetooth-Enabled Medical Device Is Too Easy
 
14 569
14 569 14 569
14 569
 
iBeacon Reality Check _ Essential Considerations for an iBeacon Deployment
iBeacon Reality Check _ Essential Considerations for an iBeacon DeploymentiBeacon Reality Check _ Essential Considerations for an iBeacon Deployment
iBeacon Reality Check _ Essential Considerations for an iBeacon Deployment
 
Internet of things, and rise of ibeacons
Internet of things, and rise of ibeaconsInternet of things, and rise of ibeacons
Internet of things, and rise of ibeacons
 
GDG Eddystone overview Aug2016
GDG Eddystone overview Aug2016GDG Eddystone overview Aug2016
GDG Eddystone overview Aug2016
 
Enabling supply chain flexibility and IoT scale with zero touch provisioning
Enabling supply chain flexibility and IoT scale with zero touch provisioningEnabling supply chain flexibility and IoT scale with zero touch provisioning
Enabling supply chain flexibility and IoT scale with zero touch provisioning
 
Beacons
Beacons Beacons
Beacons
 
Iljaitsch vectorform ble_i_beacon_140401
Iljaitsch vectorform ble_i_beacon_140401Iljaitsch vectorform ble_i_beacon_140401
Iljaitsch vectorform ble_i_beacon_140401
 
Iljaitsch vectorform ble_i_beacon_140401
Iljaitsch vectorform ble_i_beacon_140401Iljaitsch vectorform ble_i_beacon_140401
Iljaitsch vectorform ble_i_beacon_140401
 
Canopy SF Home Automation Meetup Slides 10/14/2014
Canopy SF Home Automation Meetup Slides 10/14/2014Canopy SF Home Automation Meetup Slides 10/14/2014
Canopy SF Home Automation Meetup Slides 10/14/2014
 
Reinventing Cybersecurity in the Internet of Things
Reinventing Cybersecurity in the Internet of ThingsReinventing Cybersecurity in the Internet of Things
Reinventing Cybersecurity in the Internet of Things
 
151022_oml_reinventing_cybersecurity_IoT_v1p
151022_oml_reinventing_cybersecurity_IoT_v1p151022_oml_reinventing_cybersecurity_IoT_v1p
151022_oml_reinventing_cybersecurity_IoT_v1p
 
Connecting devices to the internet of things
Connecting devices to the internet of thingsConnecting devices to the internet of things
Connecting devices to the internet of things
 
2021 01-27 reducing risk of ransomware webinar
2021 01-27 reducing risk of ransomware webinar2021 01-27 reducing risk of ransomware webinar
2021 01-27 reducing risk of ransomware webinar
 
Simplifying IoT App Development - A Whitepaper by RapidValue
Simplifying IoT App Development - A Whitepaper by RapidValueSimplifying IoT App Development - A Whitepaper by RapidValue
Simplifying IoT App Development - A Whitepaper by RapidValue
 
Mobile SSO: Give App Users a Break from Typing Passwords
Mobile SSO: Give App Users a Break from Typing PasswordsMobile SSO: Give App Users a Break from Typing Passwords
Mobile SSO: Give App Users a Break from Typing Passwords
 
BLE Based Asset Tracking & Personnel Trackingin Food Products Manufacturing (...
BLE Based Asset Tracking & Personnel Trackingin Food Products Manufacturing (...BLE Based Asset Tracking & Personnel Trackingin Food Products Manufacturing (...
BLE Based Asset Tracking & Personnel Trackingin Food Products Manufacturing (...
 
Use biometrics for identity management of cloud users to enhanced the securit...
Use biometrics for identity management of cloud users to enhanced the securit...Use biometrics for identity management of cloud users to enhanced the securit...
Use biometrics for identity management of cloud users to enhanced the securit...
 
CIS 2015-Putting Control Back in the Users’ Hands- David Pollington
CIS 2015-Putting Control Back in the Users’ Hands- David PollingtonCIS 2015-Putting Control Back in the Users’ Hands- David Pollington
CIS 2015-Putting Control Back in the Users’ Hands- David Pollington
 
Market Study on Mobile Authentication
Market Study on Mobile AuthenticationMarket Study on Mobile Authentication
Market Study on Mobile Authentication
 

Kürzlich hochgeladen

Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
Overkill Security
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Kürzlich hochgeladen (20)

Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

iBeacon security overview

  • 1. Secure Beacons Overview & Options © 2015 Localz Pty. Ltd.
  • 2. Beacon Security B E A C O N S E C U R I T Y Bluetooth Low Energy (Smart) Beacons leverage a common wireless standard that can be detected by nearly every modern smartphone. Beacons can be detect from a range of up to 70 meters. Because of this wide and wireless coverage, concerns have been raised on the security of beacons. © 2015 Localz Pty. Ltd.
  • 3. Static Beacon IDs By default, Beacons are open and static. For example, Apple’s iBeacons constantly broadcast a single repeating payload: UUID, Major ID and Minor ID. Once deployed, anyone can detect these Beacon IDs. This gives rise to two specific risks: Beacon Spoofing & Piggybacking. There are additional but unrelated security concerns related to Beacon provisioning and configuration updates. However, we’ll save those for another paper. 1234… 1234… 1234… 1234… 1244… 1244… 1244… 1244… 1245… 1245… 1245… 1245… B E A C O N S E C U R I T Y © 2015 Localz Pty. Ltd.
  • 4. Beacon Spoofing Beacon Spoofing is possibility of detecting and cloning beacon IDs. Another beacon (or phone) could be created with the same beacon ID. Malicious users can use spoofed beacons to trigger events and messages in a different physical space than intended. A store entrance beacon triggering a welcome message could be copied by an attacker and replayed at the entrance to a train line. Consumers with the store app would receive the welcome message at train entrance. This could create consumer annoyance and confusion. Example risk: Beacon ID detected and copied cloned Beacon ID Later on . . . Store entrance Train entrance cloned beacon placed elsewhere B E A C O N S E C U R I T Y © 2015 Localz Pty. Ltd.
  • 5. Beacon Piggybacking Beacon Piggybacking or Hijacking is possibility of using beacons deployed for one application in another, unauthorised, application. Beacon IDs can be detected and their profile included in applications deployed by third parties. Providing a consumer has this third party app installed, these hijacked beacons can then be used to trigger events, messages and analytics unrelated to the intended deployment. A coffee house, Small’s Coffee, deploys beacons for their mobile app. A competing coffee house, Big Coffee, visits small’s coffee to detect and copy beacons. Big Coffee deploys their own mobile app that includes beacon IDs from Small’s coffee. When consumers with the Big Coffee app installed visit Small’s Coffee, they receive a message for discount coffee at Big Coffee. Example risk: Small’s Coffee Small’s CoffeeBeacon ID detected Beacon ID included in competing app Big Coffee App “Get a discount at Big Coffee” App installed on consumer phone Later on . . . B E A C O N S E C U R I T Y © 2015 Localz Pty. Ltd.
  • 6. Risk Mitigation There are four general controls to mitigating beacon risks Geolocation Validation + Cloud Validation + Hardware ManagementSoftware Seed ++ B E A C O N S E C U R I T Y © 2015 Localz Pty. Ltd.
  • 7. Geolocation Validation After identifying a registered beacon the mobile device validates the phone geo location (during each session) to ensure it is near the intended physical space. This type of control prevents spoofing of beacons outside of the retail store. Further, the control is simple, inexpensive to deploy and permits the use of native iBeacon mode for greater compatibility. + B E A C O N S E C U R I T Y © 2015 Localz Pty. Ltd.
  • 8. Software Seed Beacons are provisioned with changing IDs which prevent direct copying and piggybacking. A seed value is used to determine the ID sequence and change interval. The seed is synched to mobile devices via a SDK. When a beacon is detected, the mobile device checks with the SDK to determine if it is valid and what, if any action, is permitted. Although this approach helps to mitigate against spoofing and piggybacking, the seed value can be easily extracted and copied by a determined attacker. For this reason, several providers offer cloud based propositions. + Seed value similar in concept to… B E A C O N S E C U R I T Y © 2015 Localz Pty. Ltd.
  • 9. Cloud Validation Beacons are provisioned with changing IDs which prevent direct copying and piggybacking. A seed value is used to determine the ID sequence and change interval. The seed is synched to a cloud based service. When a beacon is detected, the mobile device checks with the Cloud service to determine if it is valid and what, if any action, is permitted. This approach provides a high degree of mitigation against spoofing and piggybacking. However, testing indicated that reliance on cloud services introduces latency that can significantly detract from the user experience - especially in retail environments with poor mobile reception. + Seed value B E A C O N S E C U R I T Y © 2015 Localz Pty. Ltd.
  • 10. Hardware Management Beacons are provisioned and managed by hardware controllers. Connected WiFi/Bluetooth devices such as BluVision’s BluFi and Kontakt’s Cloud Beacon are used to remotely manage and update the beacon fleet via cloud services. These devices can be used to change Beacon IDs at will, with corresponding changes sent to mobile apps. This approach provides a high degree of mitigation against spoofing and piggybacking. However, additional hardware is required. Further, this hardware must be able to connect over Bluetooth to covered beacons, which may limit effectiveness (e.g., will not work if beacons are placed in remote parking lots. + B E A C O N S E C U R I T Y © 2015 Localz Pty. Ltd.
  • 11. Other Controls B E A C O N S E C U R I T Y Hardware Validation: • There are additional controls to deter spoofing attacks that rely on beacon hardware manufacturer identifiers • This type of control is available from several manufactures but to our knowledge has not been widely deployed in production • Though challenging, it is possible to spoof nearly any aspect of a Bluetooth broadcast protocol - cloning may still be possible Hybrid Controls: • Many beacon vendors provide SDKs that combine one or more security controls • A common configuration leverages a combination of Cloud Validation and Software Seeds • Software seeds can be updated periodically via API calls © 2015 Localz Pty. Ltd.
  • 12. Additional Considerations Rotating Beacon IDs: • Any scheme which relies on rotating beacon ID runs some level of risk that such changes will not be synchronised with mobile apps • Synchronisation may be lost due to: • Loss of internet connection • Failed background updates (register/ deregister) • A limit on iOS registrations • Failed beacon configurations • Where there is a lack of synchronisation, the app will not deliver the intended experience B E A C O N S E C U R I T Y iBeacon Alternatives: • Several secure beacon methods rely on alternative Bluetooth Low Energy protocols • Several of these approaches force iOS apps to use Bluetooth as an accessory and/or UIBackgroundMode • If implemented incorrectly, these modes can cause material battery drain • These approaches can be rejected by Apple for production deployment: stackoverflow.com/questions/15980481/my-app-has- been-rejected-because-of-uibackgroundmodes Geofence Triggers: • Piggyback style risks cannot be fully mitigated. It is possible to trigger background messages and events without the use of beacons • Geofence (clustered) registrations can be used to initiate messages and events using course location technologies • For example: location push messages could be triggered by third party apps on approach to a competitor store © 2015 Localz Pty. Ltd.
  • 13. Comparison Control Geolocation Validation Software Seed Cloud Validation Hardware Management Benefit • Least expensive mitigation • Simple to configure and operate • Can be enabled/disabled on demand • Permits use of native iBeacon mode for greater compatibility • Helps mitigate spoofing and piggybacking attacks • No reliance on internet connections • No additional hardware required • Provides high degree of mitigation against spoofing & piggyback attacks • No additional hardware required • Difficult for determined attackers to compromise • Provides high degree of mitigation against spoofing & piggyback attacks • Provides a device to remotely monitor & update the beacon fleet • Changes can be deployed or backed out on-demand • Permits use of native iBeacon mode for greater compatibility Disadvantage • Does not protect against piggybacking attacks • Geolocation reliance does not provide same level of precision as other anti-spoofing controls • Location lookup may cause delay on initial start of session • Difficult to change or backout in case of issue • Beacon IDs can be easily identified by determined attackers • More complex deployment • Some schemes may not work reliably for Apple apps - not a native iOS iBeacon standard • Difficult to change or backout in case of issue • More complex deployment • Latency can diminish user experience • Requires reliable internet connections - may not work in all store environments • Some schemes may not work reliably for Apple apps - not a native iOS iBeacon standard • Most expensive deployment option • Requires additional hardware • Does not work for beacons out of range (i.e., parking lots) • Requires periodic internet connection for WiFi/BT devices B E A C O N S E C U R I T Y © 2015 Localz Pty. Ltd.
  • 14. © 2015 Localz Pty. Ltd. tim.andrew@localz.com✉ ✉pete.williams@localz.com @localzco