Secure your iBeacon devices with the PiBeacon


iBeacon, introduced at the Apple Worldwide Developers Conference in 2013, is Apple’s implementation of Bluetooth low-energy (BLE) wireless technology, created to provide location-based information and services to iPhones and other iOS devices in a new way. Various vendors have since made iBeacon-compatible hardware transmitters, a class of Bluetooth low energy (LE) devices that broadcast their identifier to nearby portable electronic devices, enabling smartphones, tablets and other devices to conveniently perform actions when in close proximity to a beacon.

However, using the iBeacon protocol is not without security risks, as the beacon automatically broadcasts its UUID, major and minor numbers and makes them available to anyone, including attackers. To help address this issue, this article will share some tips and tricks on how to secure your iBeacon-related applications.

Common attack methods

Below are some of the attack methods commonly used against beacons:

Piggybacking
The attackers scan for beacon information such as its UUID, major or minor numbers and then use them in their own applications without your consent. This attack can be carried out anywhere beacons are deployed. However, in terms of security, this is still not strictly considered an attack, because there is no impact on the owner's application or the beacon hardware, other than the fact that the UUID, major and minor numbers are exposed.

Cloning
As with piggybacking, attackers scan for beacon information, but then deploy their own beacons somewhere else. This can be a serious issue for sensitive applications such as payment gateways or security-related services, as the beacon-based functions might be triggered in the wrong place by the wrong users.

Hijacking
Attackers can patiently listen to the beacon configuration transactions and capture the password used to access the beacon hardware. Beacon devices that allow owners to configure them over the air are vulnerable to this kind of attack. Once the attackers know the password, they can change the beacon's access information, such as the URL of an alternative beacon, or modify the behavior of the owner's applications.

Stealing
Attackers simply steal the beacons from where they are located in order to dump their memory contents, destroying the owner's beacon infrastructure. However, this method is not very easy, because the attacker needs to know where the beacons are located and have physical access to those locations. It is also difficult to dump the beacon memory, and perhaps impossible on devices where the chips are read-protected.

How to prevent those attacks?

Piggybacking and cloning both work by scanning for beacon info, so we can prevent them simply by frequently updating the UUID/major/minor values of the beacons. Once the beacon information has been changed, the old values obtained by the attackers are useless.

To change the values, I use PiBeacon as the beacon transmitter. The overall flow is demonstrated in the following diagram:

(Diagram: overall flow of the UUID/Major/Minor update between the server, the PiBeacon and the applications)

The server is the heart of the system: it generates the UUID/Major/Minor. It first asks the PiBeacon to update the information of the beacons in the system accordingly. Once the beacons have been updated successfully, the server informs the applications of the new beacon information (UUID/major/minor) so that they can update their list of listened-for beacons. After these steps have completed successfully, the PiBeacon starts to broadcast the new UUID/Major/Minor. The more frequently you change the UUID/Major/Minor, the harder piggybacking or cloning becomes.

To prevent hijacking, do not configure the beacons via Bluetooth. This is the simplest way to stop attackers from capturing the password. With the PiBeacon, we can configure our beacons via Ethernet, Wi-Fi or even 3G. Those communication channels are safe, or at least safer than plain Bluetooth packets that are transmitted unencrypted over the air.

Unfortunately, there is no way to absolutely stop an attacker from stealing beacon devices and dumping their memory. But as developers, we can limit the impact if we know which beacon hardware has been stolen as soon as it happens. With the PiBeacon, we can periodically scan for the UUID/Major/Minor of nearby beacons and notice when one goes missing.

Experimenting with PiBeacon

This photo shows the PiBeacon Board connected to the beacon dongle:

(Photo: the PiBeacon board connected to the beacon dongle)

To scan for beacons in the vicinity for one second, use:

 $ sudo beacon scan -d 1

The output is:

BLE Beacon Scan ...
AltBeacon   ID1:  2F234454-CF6D-4A0F-ADF2-F4911BA9FFA6   ID2:   1       ID3:   1       POWER: -66   RSSI: -65   RESERVED: 100 
iBeacon     UUID: 2F234454-CF6D-4A0F-ADF2-F4911BA9FFA6   MAJOR: 1       MINOR: 1       POWER: -66   RSSI: -69 
AltBeacon   ID1:  2F234454-CF6D-4A0F-ADF2-F4911BA9FFA6   ID2:   1       ID3:   1       POWER: -66   RSSI: -65   RESERVED: 100 
iBeacon     UUID: 2F234454-CF6D-4A0F-ADF2-F4911BA9FFA6   MAJOR: 1       MINOR: 1       POWER: -66   RSSI: -68 
AltBeacon   ID1:  2F234454-CF6D-4A0F-ADF2-F4911BA9FFA6   ID2:   1       ID3:   1       POWER: -66   RSSI: -68   RESERVED: 100 
iBeacon     UUID: 2F234454-CF6D-4A0F-ADF2-F4911BA9FFA6   MAJOR: 1       MINOR: 1       POWER: -66   RSSI: -67 
AltBeacon   ID1:  2F234454-CF6D-4A0F-ADF2-F4911BA9FFA6   ID2:   1       ID3:   1       POWER: -66   RSSI: -66   RESERVED: 100 
...

To track the nearby beacons, we can just scan as frequently as possible.
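Putting the periodic scan described earlier to use, here is an added example (not code from the original post or from the PiBeacon project) that compares one round of "beacon scan" output against an inventory of the beacons we expect to see, so that a beacon that has disappeared (possibly stolen) or an unknown one that has appeared (possibly a clone) gets reported. The inventory format and the sample scan output are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: compare one round of
# "beacon scan" output with the beacons we expect to see, so a beacon
# that has disappeared (possibly stolen) or an unknown one that has
# appeared (possibly a clone) is reported. The inventory format and the
# sample scan output below are constructed for this example.
export LC_ALL=C   # consistent ordering for sort/comm

# Expected beacons, one per line: UUID;MAJOR;MINOR (constructed inventory)
EXPECTED='2F234454-CF6D-4A0F-ADF2-F4911BA9FFA6;1;1
2F234454-CF6D-4A0F-ADF2-F4911BA9FFA6;1;2'

# Constructed sample in the format printed by "sudo beacon scan -d 1":
# the second expected beacon is absent and an unknown beacon is present.
SAMPLE_SCAN='BLE Beacon Scan ...
AltBeacon   ID1:  2F234454-CF6D-4A0F-ADF2-F4911BA9FFA6   ID2:   1       ID3:   1       POWER: -66   RSSI: -65   RESERVED: 100
iBeacon     UUID: 2F234454-CF6D-4A0F-ADF2-F4911BA9FFA6   MAJOR: 1       MINOR: 1       POWER: -66   RSSI: -69
iBeacon     UUID: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE   MAJOR: 7       MINOR: 9       POWER: -59   RSSI: -70'

# seen_ibeacons: read scan output on stdin and print each distinct
# UUID;MAJOR;MINOR of the iBeacon lines (AltBeacon lines are ignored).
seen_ibeacons() {
    awk '$1 == "iBeacon" { print toupper($3) ";" $5 ";" $7 }' | sort -u
}

# compare_inventory MODE EXPECTED SCAN_OUTPUT
#   MODE=missing    -> expected beacons not seen (candidates for "stolen")
#   MODE=unexpected -> seen beacons not in the inventory (candidates for "clone")
compare_inventory() {
    seen=$(mktemp) || return 1
    printf '%s\n' "$3" | seen_ibeacons > "$seen"
    if [ "$1" = missing ]; then
        printf '%s\n' "$2" | sort -u | comm -23 - "$seen"
    else
        printf '%s\n' "$2" | sort -u | comm -13 - "$seen"
    fi
    rm -f "$seen"
}

missing_beacons()    { compare_inventory missing    "$1" "$2"; }
unexpected_beacons() { compare_inventory unexpected "$1" "$2"; }

# Report for the sample; on a real PiBeacon, feed "$(sudo beacon scan -d 1)"
# instead of "$SAMPLE_SCAN" from a cron job and alert on any non-empty output.
missing_beacons "$EXPECTED" "$SAMPLE_SCAN"    | sed 's/^/MISSING: /'
unexpected_beacons "$EXPECTED" "$SAMPLE_SCAN" | sed 's/^/UNEXPECTED: /'
```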

The PiBeacon itself can be a transmitter, and we can easily start transmitting with the following command:

 sudo beacon transmit -I -f 10 -p -59 -u "11111111-1111-1111-1111-111111111111" -M 0 -m 1

As a result of the above command, the PiBeacon will broadcast as a beacon with the UUID/Major/Minor info given above.

To configure the PiBeacon, we can simply put the config file on a cloud service such as a Dropbox public folder. The PiBeacon can then read this file to set the beacon information:

#!/bin/bash
# The file content is simply a line of text:
# ibeacon;22222222-2222-2222-2222-222222222222;1;1;-58;10
wget "https://dl.dropboxusercontent.com/............/beacon.config"

# Split the single line on ';' into an array of fields
mystring=$(<beacon.config)
IFS=';' read -r -a myarray <<< "$mystring"
echo "Beacon Type: ${myarray[0]}"
UUID=${myarray[1]}
Major=${myarray[2]}
minor=${myarray[3]}
TxPower=${myarray[4]}
AdsRate=${myarray[5]}
echo "UUID: $UUID; Major: $Major; Minor: $minor; TxPower: $TxPower; AdsRate: $AdsRate"
# Quote every field so a malformed config line cannot expand into extra arguments
sudo beacon transmit -I -f "$AdsRate" -p "$TxPower" -u "$UUID" -M "$Major" -m "$minor"
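Because the config file comes from a public cloud folder, it is worth checking each field before it reaches the "sudo beacon transmit" command line. The following is an added example (not code from the original post or the PiBeacon project) that validates one config line of the form type;UUID;major;minor;txpower;rate; the sample line and the accepted ranges for TxPower and AdsRate are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: validate one beacon.config
# line (type;UUID;major;minor;txpower;rate) before its fields are passed
# to "sudo beacon transmit". A file pulled from a public cloud folder is
# untrusted input, so each field is checked against the shape the beacon
# CLI expects. The sample line and the accepted ranges are assumptions.

CONFIG_LINE='ibeacon;22222222-2222-2222-2222-222222222222;1;1;-58;10'

# is_uint16 VALUE: decimal integer in 0..65535 (iBeacon major/minor are 16-bit)
is_uint16() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 65535 ]
}

# is_int_in VALUE LOW HIGH: signed decimal integer within [LOW, HIGH]
is_int_in() {
    case "$1" in ''|-|*[!0-9-]*|?*-*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# parse_config LINE: on success prints "UUID MAJOR MINOR TXPOWER RATE",
# otherwise prints the reason to stderr and returns 1.
parse_config() {
    IFS=';' read -r type uuid major minor txpower rate extra <<EOF
$1
EOF
    [ "$type" = ibeacon ] || { echo "unsupported type: $type" >&2; return 1; }
    printf '%s\n' "$uuid" | grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$' \
        || { echo "malformed UUID" >&2; return 1; }
    is_uint16 "$major" || { echo "major out of range: $major" >&2; return 1; }
    is_uint16 "$minor" || { echo "minor out of range: $minor" >&2; return 1; }
    # measured power at 1 m is a negative dBm value (assumed range)
    is_int_in "$txpower" -100 0 || { echo "bad TxPower: $txpower" >&2; return 1; }
    # advertising rate: assumed to be a small positive integer
    is_int_in "$rate" 1 100 || { echo "bad AdsRate: $rate" >&2; return 1; }
    [ -z "$extra" ] || { echo "unexpected extra fields" >&2; return 1; }
    printf '%s %s %s %s %s\n' "$uuid" "$major" "$minor" "$txpower" "$rate"
}

# transmit_from_config LINE: validate, then start transmitting with every
# argument quoted (not run here; needs the PiBeacon "beacon" CLI and sudo).
transmit_from_config() {
    fields=$(parse_config "$1") || return 1
    set -- $fields
    sudo beacon transmit -I -f "$5" -p "$4" -u "$1" -M "$2" -m "$3"
}
```

On the PiBeacon, replace the constructed CONFIG_LINE with "$(cat beacon.config)" after the wget and call transmit_from_config on it.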

Obviously, a lot of work needs to be done to secure your iBeacon applications. But the end result, a much more secure iBeacon solution, is definitely worth the hard work and effort put in.

ToughDev