iBeacon Security Part 2: Beacon Privacy and Security

In the first part of the series, I talked about how beacons worked and the availability of the identifiers that are broadcast out from the iBeacon. Now that we covered the operations of how beacons work, let’s talk privacy.

While an iBeacon broadcasts identifiers publicly, an iPhone does not need to connect to an iBeacon-enabled beacon to get this information. To understand the importance of this, consider an example of how Bluetooth services traditionally work. For a temperature sensor, Bluetooth will advertise that a temperature service is available. An iPhone can listen passively for a service advertisement or can send out a request for this service. Either way, when the service is discovered, the iPhone then connects to the sensor and requests the temperature information. If a third party nearby is scanning for Bluetooth traffic, they will see the traffic and can uniquely identify the iPhone based on a built-in Bluetooth value, known as a MAC address. This is not related to the identifier used for iBeacons, but as part of standard Bluetooth. The iPhone Bluetooth MAC address can be discovered whenever the iPhone is transmitting over Bluetooth. In the example interchange above, the iPhone Bluetooth MAC address would be exposed when requesting a scan or connecting to the temperature sensor. The mobile device could potentially be tracked using the Bluetooth MAC address.

The Bluetooth MAC address of the iPhone is not exposed when getting iBeacon identifier information. iBeacon broadcasts its identifier to the world, but only the beacon’s MAC address is exposed. An iPhone does not need to connect to the beacon to get the required information, so its Bluetooth MAC address is not exposed. Apple’s iBeacon standard allows a beacon to advertise without compromising privacy of the listening devices. This prevents tracking of iPhones based on capturing and tracking Bluetooth MAC address.

Most beacons provide a way to program the identifiers that are used by iBeacon. Since changing the identifiers could provide a way to disrupt the beacon broadcasts (and potentially advertise as a different organization’s beacon), it is important to prevent unauthorized users from gaining access.

To prevent unauthorized access, the beacon must be able to support the following areas:

Authorized Access Prevention

The use of credentials to change settings is critical. Simply making it difficult to discover how to connect the beacon to change settings is not sufficient. Setting a complex password with sufficient length can prevent people from trying to guess the password. Having a mechanism to detect unauthorized authentication attempts and initiate progressively longer timeout periods between authentication attempts helps prevent brute force password attacks.

Unique Passwords

Beacons should not all have the same or similar passwords. Organizations should have the ability to set unique passwords for each beacon and should not deploy using the default vendor password.

Encrypted Channel

All authentication should be done over an encrypted channel and passwords should not have the ability to be extracted from the physical beacon. Since Bluetooth pairing to a beacon is usually done using Secure Simple Pairing that does not require an out-of-band password, initial pairing should be done in an area that is free from unauthorized scanning of the Bluetooth network.

Provide a mechanism for updates

Since security vulnerabilities can be discovered at any given time, it is important to get timely security notifications and firmware updates to keep the beacons secure. Beacons must support the ability to update the software on the beacons themselves.

Reduce Attack Surface Area

Since iBeacon is a broadcast only protocol, administration must be done while the iBeacon is not acting as an beacon or over a different communications channel, for instance another Bluetooth radio. Beacons must not allow service connections when deployed and broadcasting as an iBeacon. This reduces the attack surface area since an attacker could not connect to the beacon, making it difficult for automated attacks.

Physical Security

Beacons should be placed in physically secured environments to prevent theft, tampering, and placing in administrative mode. Beacons can be placed with other infrastructure equipment that is secured in cabinets, behind counters, or physically attached and secured. While attaching to display walls may ease initial deployment, it is an easy target for theft and vandalism in many environments.

Next in the series will be some tips and tricks to help get the most out of your beacons.