iBeacon is a protocol standardized by Apple that was introduced in 2013. A number of manufacturers support this technology. It works using hardware transmitters that get assigned a unique ID and broadcast it using Bluetooth Low Energy. If a mobile device such as a smartphone approaches an iBeacon, a specific action is being performed.

Regarding its basic functionality, iBeacons are no different from NFC/RFID. The same principle applies: Proximity to a chip triggers an event. Functionally, iBeacons differ by being able to being able to tell distances. To be precise, it knows three distances:

• Immediate: A few centimetres
• Near: A few meters
• Far: Further than ten meters

An iBeacon is able to tell whenever someone with a specific smartphone enters the room. This triggers the event that the lights will be dimmed and when the person sits down on the couch, the TV will turn on. If the person gets up and leaves, the lights and the TV are turned off. It’s important to understand that the actions are not triggered by the transmitting iBeacon but have to be triggered by the receiving smartphone. An iBeacon is a stupid device that can only broadcast its ID and serves only for identification and localisation within a limited range.

The UUID broadcast by an iBeacon contains a standardized prefix, a unique ID as well as major and minor information. The latter are being used for logical grouping if you’re using several iBeacons on a single floor.

fb0b57a2-8228-44 cd-913a-94a122ba1206 Major 1 Minor 2

This string is broadcast in clear text and can thus be intercepted assuming the attacker is within broadcasting distance. Using this method, an attacker can create a transmitter that broadcasts the same UUID, fooling the beacon into assuming a faulty distance. Apple tries to restrict scanning of beacons with their own iOS API. However, there are solutions that allow for an analysis.

An iBeacon becomes a security risk when its proximity to a critical object triggers actions critical for security. For example when approaching your home’s front door automatically disables the house’s alarm system. If you’re not in front of the building but, let’s say, at the office, and a spoofed transmitter is being activated in your front yard, the alarm of the house is being disabled.

The basic issue with iBeacon also concerns the weak authentication and the missing encryption in close quarters. Paired with actions critical to security that are triggered using beacons there could be specific vulnerabilities. Attack scenarios are legion and highly individualized, depending on geographical as well as logical context.

However, users are not tied to Apples pre-defined protocol. There is the possibility of implementing your own protocol with additional cryptographic means built in. There are several vendors such as Paypal who have gone to some lengths to ensure security. An attack on these vendors is not possible without additional effort.

About the Author

Marc Ruef has been working in information security since the late 1990s. He is well-known for his many publications and books. The last one called The Art of Penetration Testing is discussing security testing in detail. He is a lecturer at several faculties, like ETH, HWZ, HSLU and IKF. (ORCID 0000-0002-1328-6357)

Links

• http://blog.beaconstac.com/6-myths-around-beacon-security-and-privacy/
• http://daveaddey.com/?p=1252
• https://devblog.paypal.com/how-does-paypal-beacon-work/
• https://support.apple.com/en-gb/HT202880
• https://www.youtube.com/watch?v=j87D-6JA0g8