iBeacon Spoofing: Security and Privacy Implications of iBeacon Technology

Karan Singhal

ABSTRACT Apple introduced iBeacons with iOS 7, changing the way our phones interact with real-life places and objects. iBeacons leverage Bluetooth Low Energy (BLE) to broadcast a 128-bit proximity UUID and two 16-bit unsigned integers known as the major and minor numbers. Together these three values identify the iBeacon. Typical use cases include indoor micro-location and interaction with real-world objects. However, the advertisement carries no secret, so it is trivial to spoof a beacon by broadcasting the same UUID and the same major and minor numbers. Apple therefore stresses that iBeacons should not be used to transfer sensitive details such as credit card information; they should only be used to identify objects or places. To safeguard against spoofing, beacon detection can be supplemented by an additional verification step (such as physically scanning a QR code).

Apart from the security implications of relying on an easily spoofed Bluetooth signal, iBeacons also raise a privacy concern. As an example, retail stores could tag products with iBeacons and record which users pick up which products. They could later use this data to create targeted advertisements or to track a customer's location in their store. My research shows that current iBeacon implementations “in the wild” are not widely used for sensitive data, which limits the motivation for attackers. However, the privacy concerns with the platform are warranted and could have serious consequences.

INTRODUCTION

On June 10th, 2013 Apple unveiled iOS 7, and with it iBeacons, to the world. For many developers, this was a new and unique way to integrate real-world objects into mobile applications. Apple provided ranging, proximity, and region-monitoring APIs which abstracted away the complexities of finding or advertising Bluetooth Low Energy (BLE) devices.

Because this technology is backward compatible to the iPhone 4S (the first iPhone with a Bluetooth 4.0 radio), support and implementation occurred rapidly.

Just a few months later, on July 24th, 2013, Google released Android 4.3 with “support for Bluetooth Low Energy in the central role and provides APIs that apps can use to discover devices, query for services, and read/write characteristics.”1 Note that the central role only lets an Android 4.3 device detect beacons; advertising as a BLE peripheral, and thus broadcasting as an iBeacon, arrived on Android later, in Android 5.0. With both major platforms able to detect iBeacons, the adoption of iBeacon technology is on the rise.

1 "Bluetooth Low Energy." Android Developers. Google Inc. Web. 1 Dec. 2014.

Of course, in order for any of the myriad iBeacon applications to work, there has to be a beacon broadcasting. Any compatible device can be used as a broadcasting iBeacon, and there are a growing number of companies that manufacture BLE beacon hardware. Retail stores, supermarkets, and many other businesses are finding innovative ways to improve their customer experience by integrating iBeacons. Airports, for instance, are integrating iBeacons to save passengers' time and money.2 Simply by walking up to a checkpoint, your smartphone would recognize an iBeacon and automatically pull up your boarding pass. By walking past a currency exchange counter you could qualify for a special discount that other travelers would never receive.

The possibilities for innovative iBeacon implementations are endless, but the security and privacy concerns could be immense as well.

TO THE COMMUNITY

2 “Virgin Atlantic Unveils New Airport Terminal Experience Powered by Apple's iBeacon." AppleInsider, 2 May 2014. Web. 2 Dec. 2014.

Since the release of iBeacon, over 270 million iPhones3 have been sold, all of them supporting the Bluetooth 4.0 standard and thus iBeacon-enabled. When combined with BLE-capable Android devices, the number of iBeacon-capable devices is staggering. Since each of these devices can download and install applications that interact with beacons, most smartphone owners today are exposed to the security and privacy concerns of iBeacon.

Common use cases of iBeacons typically employ the technology to facilitate indoor micro-location. Sometimes, the detection of a beacon is used to push special discounts or offers to users when they pass a certain “virtual checkpoint”. In these scenarios, someone can simply “spoof” the iBeacon by using their own BLE hardware to broadcast the same UUID, major number, and minor number to their own device, thereby bypassing the purpose of the promotion. I believe that this specific iBeacon security issue has the greatest potential for abuse.

3 "Apple iPhone: Global Sales 2007-2014, by Quarter." Statista. Web. 2 Dec. 2014.

Here follows an example of a possible way to abuse this system. A new application called Howler is leveraging iBeacon technology to create “realtime deals, notifications, and opportunities delivered directly to your device from businesses within eye sight.”4 Their cloud server accumulates this data and charges their business partners on a per-visit basis. It would be trivial to replicate the iBeacon of any given business and have your smartphone “discover” it several times, thereby causing Howler to charge the business for these fake “visits”.

From a privacy viewpoint, iBeacons have a potential for abuse as well. Any interaction that an application has with an iBeacon can be recorded. This means, for example, that the retail store application that helps you find the right aisle in their store using indoor iBeacon micro-location can track your location.

VULNERABILITIES AND DEFENSES

4 http://www.howler.at/

In 2014, the Consumer Electronics Show (CES) hosted a scavenger hunt that used iBeacon technology. Nine iBeacons were placed around the building, and a reward was offered to those who could locate them all. Alasdair Allan and Sandeep Mistry from Makezine outline an innovative way to “win the hunt, without ever having to go to CES.”5 In their article, they demonstrate how someone can duplicate the iBeacons, set up BLE hardware broadcasting identically to the nine official beacons, and claim the prize from anywhere in the world. To do so, they downloaded the Android version of the CES mobile application and decompiled it. Without much digging they found the UUID with which the beacons were broadcasting, because the application must know the UUID to recognize and identify the beacons. The decompiled source also shows the minor numbers the app was waiting to recognize (the major number was ignored in the Android CES iBeacon implementation). Decompiling the application is not even necessary: Apple notes that since “a beacon device is advertising using BLE, it is possible for the UUID to be “sniffed” off the air and once that UUID is known, it could be used by other apps.”6 With the identifiers in hand, they could simply set up nine custom beacons that “spoof” the official beacons, and their phone would recognize them. The CES mobile application then presents them with the prize.

5 Allan, Alasdair, and Sandeep Mistry. "Hacking the CES Scavenger Hunt." Makezine. 3 Jan. 2014. Web. 2 Dec. 2014.

This example clearly depicts the biggest security flaw with iBeacons: the UUID, major, and minor numbers are the only thing that identifies a beacon, the application has to contain them in order to find beacons, and they are broadcast in the clear, so decompiling the app or sniffing the air gives away all three. Anybody can replicate any beacon from the comfort of their home and claim discounts, prizes, or other rewards, bypassing the intended goal of the promotion.
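To make the point concrete, the following is an added example (not code from the paper or from the CES application) that parses a captured iBeacon advertisement and rebuilds a byte-identical one. The sample frame is constructed here, not a real capture; the layout it follows (Apple's company ID, the 0x02/0x15 prefix, a 16-byte UUID, big-endian 16-bit major and minor, and a signed TX-power byte) is the standard iBeacon advertising format. Because the frame contains no secret, the clone is exact, which is exactly why the source of the identifiers (decompiled app or sniffed air) does not matter.

```python
# Added example: parse a captured iBeacon advertisement and rebuild a
# byte-identical one, which is all that "spoofing" a beacon takes.
import struct
import uuid

APPLE_COMPANY_ID = 0x004C   # Bluetooth SIG company identifier for Apple
IBEACON_TYPE = 0x02         # Apple's sub-type for iBeacon
IBEACON_DATA_LEN = 0x15     # 21 bytes: 16 (UUID) + 2 (major) + 2 (minor) + 1 (TX power)
AD_TYPE_FLAGS = 0x01
AD_TYPE_MANUFACTURER = 0xFF


def parse_ad_structures(adv: bytes):
    """Split raw advertising data into (ad_type, payload) pairs (length-type-value)."""
    structures = []
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0:            # zero-length structure marks padding; stop
            break
        if i + 1 + length > len(adv):
            raise ValueError("truncated AD structure")
        structures.append((adv[i + 1], bytes(adv[i + 2:i + 1 + length])))
        i += 1 + length
    return structures


def parse_ibeacon(adv: bytes):
    """Return the beacon's identity fields, or None if this is not an iBeacon frame."""
    for ad_type, payload in parse_ad_structures(adv):
        if ad_type != AD_TYPE_MANUFACTURER or len(payload) != 25:
            continue
        company = struct.unpack_from("<H", payload, 0)[0]   # company ID is little-endian
        if company != APPLE_COMPANY_ID:
            continue
        if payload[2] != IBEACON_TYPE or payload[3] != IBEACON_DATA_LEN:
            continue
        proximity_uuid = uuid.UUID(bytes=payload[4:20])
        # major and minor are 16-bit big-endian; TX power is a signed byte (dBm at 1 m)
        major, minor, tx_power = struct.unpack_from(">HHb", payload, 20)
        return {"uuid": str(proximity_uuid).upper(), "major": major,
                "minor": minor, "tx_power": tx_power}
    return None


def build_ibeacon_adv(proximity_uuid: str, major: int, minor: int,
                      tx_power: int, flags: int = 0x06) -> bytes:
    """Assemble the advertising data a beacon (or a spoofer) would transmit."""
    if not (0 <= major <= 0xFFFF and 0 <= minor <= 0xFFFF):
        raise ValueError("major and minor are 16-bit unsigned integers")
    mfg = (struct.pack("<H", APPLE_COMPANY_ID)
           + bytes([IBEACON_TYPE, IBEACON_DATA_LEN])
           + uuid.UUID(proximity_uuid).bytes
           + struct.pack(">HHb", major, minor, tx_power))
    flags_ad = bytes([2, AD_TYPE_FLAGS, flags])
    mfg_ad = bytes([len(mfg) + 1, AD_TYPE_MANUFACTURER]) + mfg
    return flags_ad + mfg_ad


def clone_ibeacon(captured: bytes) -> bytes:
    """Re-emit whatever was sniffed: no secret is involved, so the clone is exact."""
    fields = parse_ibeacon(captured)
    if fields is None:
        raise ValueError("not an iBeacon advertisement")
    return build_ibeacon_adv(fields["uuid"], fields["major"],
                             fields["minor"], fields["tx_power"])


# Constructed sample frame (not a real capture): flags + Apple manufacturer data.
CAPTURED_ADV = bytes.fromhex(
    "020106"                              # flags: LE general discoverable, BR/EDR unsupported
    "1aff4c000215"                        # len 26, type 0xFF, Apple, iBeacon, 21 data bytes
    "e2c56db5dffb48d2b060d0f5a71096e0"    # proximity UUID
    "0001" "0002" "c5"                    # major 1, minor 2, TX power -59 dBm
)

if __name__ == "__main__":
    print(parse_ibeacon(CAPTURED_ADV))
    print("clone identical:", clone_ibeacon(CAPTURED_ADV) == CAPTURED_ADV)
```

The range check in build_ibeacon_adv is the one place a spoofer can go wrong: major and minor are 16-bit fields, so any value from 0 to 65535 is valid and anything larger is not an iBeacon identifier at all.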

So how do you safeguard against this vulnerability? The most practical way is to add a physical verification check that plays the role of a second factor, much as two-factor authentication adds a second proof of identity on top of a password. For example, the CES application could have prompted the user to scan a QR code or enter a secret number written next to each of the CES beacons. This would verify that the user was actually on location (or, at worst, received the code/number from a friend who was), so the risk of a “spoofing” attack could be significantly mitigated. A static code can be photographed and shared, so a code that changes per user or per request is stronger than one printed beside the beacon. Physical verification doesn't eliminate the risk, but it removes the low-hanging fruit and deters “hacking hobbyists” from trying to exploit an iBeacon implementation.

6 "Getting Started with iBeacon." Apple Developer. Apple Inc., 2 June 2014. Web. 1 Dec. 2014.

From the privacy standpoint there is only one real option that keeps your iBeacon interactions from being used maliciously, and it comes with a big tradeoff. On iOS, beacon monitoring and ranging go through Core Location, so an iBeacon application will not work until the user grants it permission to use location services. The system presents this as a simple popup the first time the application asks, and the user can accept or deny the request. Android at the time granted permissions at install time rather than with a per-feature prompt, so on that platform the only comparable control is turning Bluetooth off. Of course, if you deny the request you miss out on the significant benefits of the technology.

SUMMARY

All in all, iBeacons are an innovative and useful tool to integrate smartphone apps with the real world. Developers implementing iBeacon functionality must be careful not to transfer sensitive data using iBeacons, and must use physical verification to supplement any iBeacon transaction that grants something of value. The main vulnerability of iBeacon devices is the ability to “spoof” them using your own hardware and bypass their intended purpose. Implementing physical verification in addition to iBeacons can mitigate this risk.

The privacy concerns cannot be overlooked either: your interaction with iBeacons can be recorded by the application, and this data could be used to track your location without your knowledge or consent. It is very common and easy to tap through the location prompt, so users may be unaware that their application uses iBeacons at all, and that prompt is the only safeguard preventing your privacy from being invaded.

Users should take steps to be informed about why applications want to use their location or their devices' Bluetooth capabilities and should trust the applications they approve to do so.

SUPPORTING MATERIAL

Provided alongside this article is the source code for the iBeacon pairing component of an iOS application that uses iBeacon technology to pair two devices. The full source code can be provided upon request. This is a proof of concept of the physical verification step that could mitigate the risk of a “spoof attack”. The application (SpotLight Parking) provides an on-demand valet service to park your car. A customer requests a valet at a specific location and drives there. Upon arrival, the customer's iPhone looks for the valet's iPhone, which is broadcasting as an iBeacon. When found, it prompts the user to enter a 4-digit verification code that is displayed in the valet's application and changes for each request. Because a cloned beacon does not reveal the code, this step prevents someone who merely spoofs the valet's beacon from masquerading as a valet and stealing the customer's car.

REFERENCES

[1] "Getting Started with iBeacon." Apple Developer. Apple Inc., 2 June 2014. Web. 1 Dec. 2014.

[2] "Apple iPhone: Global Sales 2007-2014, by Quarter." Statista. Web. 2 Dec. 2014.

[3] "Bluetooth Low Energy." Android Developers. Google Inc. Web. 1 Dec. 2014.

[4] “Virgin Atlantic Unveils New Airport Terminal Experience Powered by Apple's iBeacon." AppleInsider, 2 May 2014. Web. 2 Dec. 2014.

[5] "iBeacon Security Part 2: Beacon Privacy and Security." Twocanoes, 29 May 2014. Web. 2 Dec. 2014.

[6] Allan, Alasdair, and Sandeep Mistry. "Hacking the CES Scavenger Hunt." Makezine. 3 Jan. 2014. Web. 2 Dec. 2014.