4

iBeacon is a promising new technology. But how secure is it? Bluetooth Low Energy (BLE) can be secure when encryption is enabled. However, this is only the case when communication is established. But the iBeacon framework isn't meant to allow communication between devices. It isn't even possible to communicate through the iBeacon framework (CoreBluetooth should then be used). An iBeacon is only capable of advertising (data). But are those advertising packets secured, or are they open to the public?

I am missing a more detailed (technical) report on iBeacon.

Another thing which isn't very clear: who starts 'talking'? Is it the advertising iBeacon device or the monitoring application/device? Is an advertising iBeacon device always advertising?

Safaci
  • 1
    "How secure is X?" What kind of answer do you expect? 95% secure? Secure up to 100 meters? You're asking a quantitative question for a non-quantitative situation. And that's assuming there even was an answer, that didn't depend on your implementation, as suggested by davidgyoung's answer below. – Jonathan Hall Nov 27 '13 at 02:07

4 Answers

15

Security is entirely up to you.

iBeacons are secure in the sense that they are very simple devices that do nothing but transmit a 3 part identifier (and a transmitter power measurement). They are always advertising unless you go out of your way to stop them.

Anybody can see this identifier, so you had better not expect to keep it secret! Last week for example, I went to the Washington, DC Apple store and used my Android iBeacon Locate app to find out the three part identifier of the iBeacon near the entrance to Apple's store.

With this info, I then configured my own iBeacon to transmit the very same three part identifier, theoretically enabling me to push offers to apps configured to respond to Apple's iBeacon.

Is this a security problem? Only if you design a system that incorrectly assumes that an iBeacon identifier is secret.

Interestingly, Apple's iOS APIs forbid scanning for completely unknown iBeacon identifiers (you must at least know the first of the three part identifier), suggesting they want to maintain this secrecy. Given that Android and OSX offer no such prohibition, it is best not to expect your iBeacon identifier to remain secret.

davidgyoung
  • Nice prank, David. :) – allprog Nov 26 '13 at 20:51
  • 1
    "Go out of your way to stop them" would typically involve use of a hammer. – gnasher729 Jul 17 '14 at 17:37
  • So, what's the UUID? :P – Kenny Feb 09 '16 at 15:15
  • @davidyoung what do you mean by "Apple's iOS APIs forbid scanning for completely unknown iBeacon"? Apparently you have installed an app that recognizes the iBeacons which the iOS should know. Yet, isn't the iOS always scanning for beacons in the background? – dr.doom Feb 28 '16 at 23:00
  • On Android, OSX, Linux, Windows 10 and other platforms you can see any beacon regardless of Proximity UUID. Only iOS restricts discovery of beacons to those for which you have pre-specified the Proximity UUID. Even though iOS scans for all beacons in the background, it refuses to reveal them to any app which does not first provide the Proximity UUID. – davidgyoung Feb 29 '16 at 03:15
  • @davidgyoung I just have a simple idea, which is to implement a `time-based token` (the UUID changes over time, and the server side can recognize this change) in an iBeacon. Do you think this is secure enough as a means of authentication, e.g. for use in car parking charges? – Shawn May 09 '17 at 02:34
  • That may work on any platform except iOS, which forbids seeing an iBeacon advertisement unless you know the UUID in advance. – davidgyoung May 09 '17 at 11:03
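To make concrete what "anybody can see this identifier" means in the answer above, here is an added example (not code from the answer or from Apple) that decodes a raw BLE advertising payload into the three part identifier and transmit power. It uses the publicly documented iBeacon layout (Apple manufacturer-specific data, type 0x02, length 0x15); the sample packet and its UUID are constructed for illustration.

```python
import struct
import uuid
from typing import Iterator, NamedTuple, Optional, Tuple

APPLE_COMPANY_ID = 0x004C              # Bluetooth SIG company identifier for Apple
IBEACON_TYPE, IBEACON_LEN = 0x02, 0x15
AD_TYPE_MANUFACTURER = 0xFF

class IBeacon(NamedTuple):
    proximity_uuid: uuid.UUID
    major: int
    minor: int
    tx_power: int                      # calibrated RSSI at 1 m, signed dBm

def iter_ad_structures(adv: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (ad_type, payload) for each length-prefixed AD structure."""
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0 or i + 1 + length > len(adv):
            return                     # padding or truncated structure: stop
        yield adv[i + 1], adv[i + 2:i + 1 + length]
        i += 1 + length

def parse_ibeacon(adv: bytes) -> Optional[IBeacon]:
    """Return the beacon fields if adv carries an iBeacon frame, else None."""
    for ad_type, payload in iter_ad_structures(adv):
        if ad_type != AD_TYPE_MANUFACTURER or len(payload) != 25:
            continue
        company, btype, blen = struct.unpack_from("<HBB", payload, 0)
        if (company, btype, blen) != (APPLE_COMPANY_ID, IBEACON_TYPE, IBEACON_LEN):
            continue
        raw, major, minor, tx = struct.unpack_from(">16sHHb", payload, 4)
        return IBeacon(uuid.UUID(bytes=raw), major, minor, tx)
    return None

# Constructed sample: flags AD structure followed by an iBeacon frame.
SAMPLE_ADV = bytes.fromhex(
    "0201061aff4c000215"
    "00112233445566778899aabbccddeeff"   # proximity UUID (made up)
    "0001" "0002" "c5"                   # major, minor, tx power (-59 dBm)
)

if __name__ == "__main__":
    print(parse_ibeacon(SAMPLE_ADV))
```

No key or pairing is involved at any step: every field is cleartext, so a receiving app cannot distinguish the original transmitter from another device sending the same bytes.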
6

Security for iBeacon is not interpretable as there is no connection established between the receiver and the iBeacon. An iBeacon is nothing more than a BLE peripheral advertising a special packet. You can read about the details in this SO question: What is the iBeacon Bluetooth Profile

Community
allprog
5

You best think of an iBeacon as a special type of road sign. The software on iOS can detect the road sign and read what's printed on it. But anyone can go to the San Diego zoo, see a sign saying "San Diego Zoo, Monkey house", make a copy of the sign and put it up somewhere in Shanghai near a police station. So if you are in Shanghai, and your San Diego Zoo application is running, and tells you you are entering the Monkey house, don't call the police officers monkeys.

gnasher729
2

Despite all the attention from the tech world, beacons are yet to go mainstream because businesses have quite a few security concerns around beacons, especially with a team having managed to crack the CES 2014 Scavenger Hunt, a beacon-powered app, without even being physically present at the venue. Therefore, when it comes to developing apps for proximity solutions, you should incorporate a security model that addresses the common risks involved, such as device spoofing and man-in-the-middle interception. Another important thing to note is that the compensation security mechanism you employ should suit the concerned application. We have compiled a checklist on various ways to assess beacon security here: http://blog.beaconstac.com/6-myths-around-beacon-security-and-privacy/

Devika
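One way a backend could limit the device spoofing discussed in this thread, following the time-based token idea raised in the comments, is sketched below as an added example (not code from any poster or vendor). It assumes the beacon firmware and the server share a per-beacon secret, that the Proximity UUID stays fixed (so iOS can still monitor it) while major/minor rotate, and that the app reports the sighted major/minor to the server; `PERIOD_S`, `rotating_ids` and `verify_sighting` are hypothetical names.

```python
import hashlib
import hmac
import struct
from typing import Tuple

PERIOD_S = 60        # assumed rotation interval in seconds
DRIFT_WINDOWS = 1    # also accept the previous/next window for clock drift

def rotating_ids(key: bytes, unix_time: int) -> Tuple[int, int]:
    """Major/minor the beacon advertises during the window containing unix_time."""
    window = unix_time // PERIOD_S
    digest = hmac.new(key, struct.pack(">Q", window), hashlib.sha256).digest()
    major, minor = struct.unpack(">HH", digest[:4])   # truncate to 32 bits
    return major, minor

def verify_sighting(key: bytes, major: int, minor: int, server_time: int) -> bool:
    """Server-side check that a reported (major, minor) is currently valid."""
    seen = struct.pack(">HH", major, minor)
    ok = False
    for delta in range(-DRIFT_WINDOWS, DRIFT_WINDOWS + 1):
        expected = rotating_ids(key, server_time + delta * PERIOD_S)
        # Constant-time comparison; check every window, no early exit.
        ok |= hmac.compare_digest(seen, struct.pack(">HH", *expected))
    return ok

if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-secret"   # constructed sample value
    t0 = 1_699_999_980                                # start of a 60 s window
    ids = rotating_ids(key, t0)
    print("fresh sighting accepted:", verify_sighting(key, *ids, t0 + 30))
    print("identifier copied an hour ago accepted:",
          verify_sighting(key, *ids, t0 + 3600))
```

A sighting relayed within the acceptance window still verifies, so this bounds how long a copied identifier stays useful rather than proving physical presence.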