Clone-a-beacon: iBeacon and the proof of location issue

In our previous post I covered the basics of using iBeacons in iOS and Android apps. Today I want to show some privacy and security issues, how to clone and fake beacons such as Estimote and Shopkick, and how to collect location-based app rewards without ever leaving your desk.

Remember, iBeacons are really just numbers attached to distances. To figure out whether a user is near a shop, we simply check their distance to an id that is known to be installed in that shop. Beacons have no way of sending or receiving content other than the hardcoded three-part identifier (UUID, major, minor), so the mapping from id to content has to happen in your app.

There are usually two approaches to this: hardcode the mapping from beacon ids to content in the app itself, or keep it in an external fleet management platform (a beacon CMS) that the app queries at runtime.

While the former is simpler, it has the rather obvious disadvantage that you have to ship an app update for every beacon rollout or content change. External fleet management platforms usually give you an easy-to-integrate API. On top of changing the content dynamically, fleet management APIs also come with tools for large-scale deployments, such as brand shops with thousands of beacons.

What none of them can do, of course, is change the way iBeacons interact at the low level, which is what I want to write about next. As covered in the previous posts, iBeacons are basically broadcasting Bluetooth Low Energy advertisements. Every device in the vicinity of a beacon receives the identical frame ("I am beacon nr. 123") and estimates its distance from the received signal strength.
The actual content, such as "This is my secret corner.", lives in your app and is not part of the broadcast.

Beacon privacy/security is therefore never about receiving content not intended for you. It is about two things: tracking, and false proof of location.

The first is a privacy issue: beacons continuously broadcast fixed, unique identifiers that are easy to track and to correlate with other private information. This really becomes an issue when a user is carrying a beacon, but it may also be a minor concern for restaurant chains and industrial applications that prefer not to hand tracking abilities to the whole world. Workarounds have been suggested, and some manufacturers have implemented them. Typically, the beacon simply rotates its major/minor every now and then to disrupt mass analysis of beacon data. A CMS/fleet management platform knows when the ids change and simply re-maps the correct content to the new ids.
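One way to implement such id rotation, as an added example that is not airfy's or any manufacturer's code: beacon and fleet platform share a per-beacon key and derive the (major, minor) pair for each time slot from it with HMAC, so the platform can map an observed pair back to the beacon without being told about every swap. The slot length, key format, beacon names and drift tolerance are assumptions made for the example.

```python
import hashlib
import hmac

# Rotation period in seconds. Assumed value; the post only says the ids are
# swapped "every now and then".
SLOT_SECONDS = 3600


def current_slot(unix_time: float) -> int:
    """Slot counter shared by beacon and platform (both need a rough clock)."""
    return int(unix_time // SLOT_SECONDS)


def rotated_major_minor(beacon_key: bytes, slot: int) -> tuple:
    """Derive the (major, minor) a beacon advertises during `slot`.

    HMAC-SHA256 over the slot counter with a per-beacon key; the fleet
    platform holds the same key, so it can recompute the pair for any slot.
    Without the key, consecutive pairs look unrelated, which is what breaks
    long-term tracking by third parties.
    """
    digest = hmac.new(beacon_key, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[0:2], "big"), int.from_bytes(digest[2:4], "big")


class FleetResolver:
    """Platform side: map an observed (major, minor) back to a beacon name.

    Tolerates `drift` slots of clock skew between beacon and server in either
    direction, because a beacon's clock is rarely exact.
    """

    def __init__(self, beacon_keys: dict):
        self.beacon_keys = beacon_keys  # beacon name -> per-beacon key

    def resolve(self, major: int, minor: int, slot: int, drift: int = 1):
        for name, key in self.beacon_keys.items():
            for candidate in range(slot - drift, slot + drift + 1):
                if rotated_major_minor(key, candidate) == (major, minor):
                    return name
        return None


if __name__ == "__main__":
    # Constructed fleet of two beacons with made-up keys.
    fleet = FleetResolver({"entrance": b"e" * 32, "counter": b"c" * 32})
    slot = current_slot(1_400_000_000.0)
    major, minor = rotated_major_minor(b"e" * 32, slot)
    print(f"slot {slot}: entrance beacon advertises {major}/{minor}")
    print("resolves to:", fleet.resolve(major, minor, slot))
    print("next slot:", rotated_major_minor(b"e" * 32, slot + 1))
```

Two caveats. Rotation only addresses the tracking problem: anyone who has seen the current pair can replay it until the slot rolls over, so it does nothing for proof of location. And the UUID stays fixed, so observers can still tell which vendor's beacons are nearby, just not which one. For fleets of thousands the linear scan in `resolve` should be replaced by a per-slot lookup table precomputed from the same function.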

The second issue, false proof of location, comes from iBeacons being really, really simple devices. Literally all you need to make one is a laptop or an iPhone. Together with the fixed ids from the privacy problem, this means it is easy to trick reward systems that rely on you being somewhere, like "get a free coffee if you enter our shop 100 times". Let me show you how, by entering one such hypothetical shop a hundred times without moving from my desk.

On my Android phone, I install the free app "iBeacon locate" by Radius Networks and hit "Locate iBeacons" to start scanning for beacons. Let's say I'm sitting in my favorite store, which uses Estimote beacons for rewards, so I get 3 entries in the scanner:

uuid                                  major  minor
B9407F30-F5F8-466E-AFF9-25556B57FE6D  12     23
B9407F30-F5F8-466E-AFF9-25556B57FE6D  223    12
B9407F30-F5F8-466E-AFF9-25556B57FE6D  75     83

These are 3 distinct devices. Probably the vendor installed them in different areas of the shop. One of them is used for getting rewards in their app. I could track it down and steal it, but that's sort of lame. Instead I'll just clone it. For that, I'll need an iPhone with the same app from Radius (Androids can scan, iPhones can transmit; weird, isn't it), or I'll just use my Linux laptop:

sudo hcitool -i hci0 cmd 0x08 0x0008 1E 02 01 1A 1A FF 4C 00 02 15 B9 40 7F 30 F5 F8 46 6E AF F9 25 55 6B 57 FE 6D 00 0C 00 17 C5 00

I'll not bother you with the details of Bluetooth Low Energy, but let me break this down just a little bit:

Segment                                  What does it mean?
sudo hcitool -i hci0 cmd 0x08 0x0008 1E  HCI command "LE Set Advertising Data" (OGF 0x08, OCF 0x0008); 0x1E = 30 bytes of advertising data follow
02 01 1A                                 Flags structure (0x1A: LE general discoverable, BR/EDR capable), the same flags Apple's beacons send
1A FF 4C 00                              Manufacturer-specific data, 26 bytes, company id 0x004C (Apple, little-endian)
02 15                                    iBeacon type (0x02) and payload length (0x15 = 21 bytes)
B9407F30-F5F8-466E-AFF9-25556B57FE6D     Proximity UUID (Estimote's default)
00 0C                                    Major number 12
00 17                                    Minor number 23
C5                                       Measured TX power: signed byte, -59 dBm at one metre, used by the phone to estimate distance
00                                       Padding up to the 31 bytes of advertising data the controller expects

Note that this command only loads the data into the adapter. The radio starts broadcasting it once advertising is enabled (a separate HCI command, or hciconfig's leadv option set to non-connectable); until then the phone sees nothing.
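To make the byte layout above concrete, here is an added example (not code from the post or from airfy) that assembles the same 30-byte payload from UUID, major, minor and measured power, parses it back the way a receiving phone does, emits the post's hcitool command together with the enable command the post leaves implicit, and estimates distance from RSSI, which is all a phone can do with the calibration byte. The distance formula is the common log-distance approximation, not Apple's undisclosed one; the hci0 adapter name is an assumption.

```python
import uuid as uuidlib

# Flags structure (length 2, type 0x01, value 0x1A) and the start of the
# manufacturer-specific structure: length 0x1A, type 0xFF, Apple's company id
# 0x004C little-endian, iBeacon sub-type 0x02, iBeacon payload length 0x15.
FLAGS_AD = bytes.fromhex("02011a")
IBEACON_PREFIX = bytes.fromhex("1aff4c000215")
MAX_ADV_DATA = 31  # legacy advertising PDUs carry at most 31 bytes of AD data


def build_ibeacon_payload(proximity_uuid: str, major: int, minor: int,
                          measured_power: int) -> bytes:
    """Assemble the 30-byte advertising data for a beacon identity.

    measured_power is the calibrated RSSI at one metre in dBm, stored as a
    signed byte (-59 dBm is the C5 in the post's command).
    """
    if not (0 <= major <= 0xFFFF and 0 <= minor <= 0xFFFF):
        raise ValueError("major and minor are 16-bit unsigned")
    if not (-128 <= measured_power <= 127):
        raise ValueError("measured power is a signed byte")
    body = (uuidlib.UUID(proximity_uuid).bytes
            + major.to_bytes(2, "big")
            + minor.to_bytes(2, "big")
            + measured_power.to_bytes(1, "big", signed=True))
    return FLAGS_AD + IBEACON_PREFIX + body


def parse_ibeacon_payload(payload: bytes):
    """Walk the length-prefixed AD structures of an advertisement and return
    (uuid, major, minor, measured_power), or None if no iBeacon structure is
    present. This is all a phone gets: three numbers and a calibration byte."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:  # zero padding marks the end of meaningful data
            break
        ad = payload[i + 1:i + 1 + length]
        i += 1 + length
        if len(ad) == 26 and ad[0] == 0xFF and ad[1:5] == bytes.fromhex("4c000215"):
            return (str(uuidlib.UUID(bytes=bytes(ad[5:21]))).upper(),
                    int.from_bytes(ad[21:23], "big"),
                    int.from_bytes(ad[23:25], "big"),
                    int.from_bytes(ad[25:26], "big", signed=True))
    return None


def hcitool_commands(payload: bytes, hci: str = "hci0") -> list:
    """Commands to broadcast `payload` from a Linux host with BlueZ.

    First the post's command, LE Set Advertising Data (OGF 0x08, OCF 0x0008),
    preceded by the data length and padded to 31 bytes; then LE Set Advertise
    Enable (OCF 0x000A). Select non-connectable advertising beforehand with
    `sudo hciconfig hci0 leadv 3`. Returned as strings rather than executed.
    """
    if len(payload) > MAX_ADV_DATA:
        raise ValueError("advertising data is limited to 31 bytes")
    padded = bytes([len(payload)]) + payload + bytes(MAX_ADV_DATA - len(payload))
    hexdump = " ".join(f"{b:02X}" for b in padded)
    return [f"sudo hcitool -i {hci} cmd 0x08 0x0008 {hexdump}",
            f"sudo hcitool -i {hci} cmd 0x08 0x000A 01"]


def estimate_distance_m(rssi: int, measured_power: int,
                        path_loss_exponent: float = 2.0) -> float:
    """Log-distance path loss estimate: d = 10^((P_1m - RSSI) / (10 n)).

    Assumption: Apple does not publish the formula CoreLocation uses; this is
    the usual approximation with free-space propagation (n = 2).
    """
    return 10 ** ((measured_power - rssi) / (10 * path_loss_exponent))


if __name__ == "__main__":
    payload = build_ibeacon_payload("B9407F30-F5F8-466E-AFF9-25556B57FE6D", 12, 23, -59)
    print(parse_ibeacon_payload(payload))
    print("\n".join(hcitool_commands(payload)))
    print(f"RSSI -79 dBm -> about {estimate_distance_m(-79, -59):.1f} m")
```

Running the first returned command reproduces the post's hcitool line byte for byte; the second one is what actually turns the laptop into the beacon. Because nothing in the frame is secret or signed, the parser cannot tell the laptop's copy from the original, which is the whole point of the post.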

Ok, so I cloned the beacon in two simple steps: scan the ids, then replay them. Now I can leave the store and continue earning points at home by entering and exiting the region, which is... turning the beacon on and off while my phone sits there doing nothing.

Cloning prevention is hard to implement, as there is no connection between phone and beacon that would allow the beacon to uniquely identify each phone, or the other way round. Apple "prevents" cloning by not letting developers specify a wildcard as the UUID: an iOS app can only monitor regions for UUIDs it already knows, so it can't discover other beacons. However, an Android phone's raw BLE scan sees every advertisement, so all you need is an Android phone.

At airfy, what we're doing to counter this is making our beacons dual-channel: the beacon is both a standard iBeacon and a separate proprietary implementation with security built in. You can still clone the iBeacon ids, but you won't get any rewards in apps that use our proprietary security extension. At the same time we remain Apple certified, and our beacons can still do the fancy stuff like waking apps up from the background.
