I was recently exposed for the first time to beacon technology while working with AustinCityUP, a consortium of companies, organizations, and individuals collaborating to help advance smart city technology in Austin, Texas. Rapid7 is providing security help in this effort as AustinCityUP evaluates and conducts product proof-of-concepts with smart city technology.
As part of this project, I wanted to share some of my learnings about beacon technology and the different ways to evaluate and ensure its security:
Beacons are small, embedded devices that advertise, or "beacon out", small pieces of information used for proximity identification. They use the radio frequency (RF) protocol Bluetooth Low Energy (BLE), also known as Bluetooth Smart, and their advertisements are broadcast in the clear to any receiver in range. A beacon can be configured to use one of a few advertising formats, such as Apple's iBeacon or Google's Eddystone.
In normal operation, a beacon does not collect or receive information. Instead, it sends out a signal containing a specific identifier (or, in the Eddystone-URL format, a URL) that a specific, designated mobile application recognizes and uses to look up and deliver relevant information to the user.
The following are some of the most common uses of beacons that we’ve seen:
- Indoor navigation
- Location-based information (points of interest nearby)
- Retail (proximity-based offers and product information in stores)
As mentioned above, beacons can also be used for indoor navigation. The beacon itself does not know where you are; the receiving phone estimates how near it is to the beacon by comparing the received signal strength (RSSI) with the beacon's calibrated transmit power. This estimate is not very accurate, since RSSI varies with obstacles, orientation, and reflections, but by tuning the signal strength of the beacons and deploying them in a strategic manner, they can be used for basic navigation. This becomes very handy in indoor locations where GPS is unreliable, such as malls and airports.
One of the most intriguing examples of beacon use I encountered was a pilot project Austin ran in early 2018 that used a mobile application and beacons to deliver guidance and useful information to visually impaired bus passengers.
Evaluating beacon security
On a more concerning note, I recently heard of beacons being used to deliver attacks. This consisted of low-cost beacons configured with the Eddystone-URL (Physical Web) format advertising a malicious URL: phones in close proximity to one of these devices would show a notification for the URL, and users who followed it landed on a malicious website.
On a positive note, Google recently disabled Chrome's Physical Web nearby-notification feature. In my opinion, this helps reduce the risk but does not eliminate it, since other beacon applications can still receive Physical Web beacons. So, as a precaution, a URL received from a Physical Web beacon should be treated like any other unsolicited link and followed with care.
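The following is an added example, not code from the original post, showing what a Physical Web receiver actually sees: it decodes Eddystone-URL frames from the service data a scanner returns for the Eddystone service UUID 0xFEAA and applies a simple acceptance policy (HTTPS only, host on an allowlist) before the URL is shown to anyone. The scheme and expansion tables are those of the Eddystone-URL specification; the sample frames, source addresses and allowlist are constructed for this example.

```python
from typing import FrozenSet, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

EDDYSTONE_URL_FRAME = 0x10

# URL scheme prefix codes (byte 2 of the frame) from the Eddystone-URL spec.
SCHEMES = {0x00: "http://www.", 0x01: "https://www.", 0x02: "http://", 0x03: "https://"}

# Expansion codes allowed inside the encoded URL; other bytes below 0x21 and
# from 0x7F upward are reserved by the spec and rejected here.
EXPANSIONS = {
    0x00: ".com/", 0x01: ".org/", 0x02: ".edu/", 0x03: ".net/", 0x04: ".info/",
    0x05: ".biz/", 0x06: ".gov/", 0x07: ".com", 0x08: ".org", 0x09: ".edu",
    0x0A: ".net", 0x0B: ".info", 0x0C: ".biz", 0x0D: ".gov",
}


def decode_eddystone_url(service_data: bytes) -> Tuple[int, str]:
    """Decode one Eddystone-URL frame (service data for UUID 0xFEAA).
    Returns (tx_power_at_0m_dBm, url). Raises ValueError on malformed input."""
    if len(service_data) < 3 or service_data[0] != EDDYSTONE_URL_FRAME:
        raise ValueError("not an Eddystone-URL frame")
    tx_power = int.from_bytes(service_data[1:2], "big", signed=True)
    scheme = service_data[2]
    if scheme not in SCHEMES:
        raise ValueError("unknown URL scheme code %#04x" % scheme)
    url = SCHEMES[scheme]
    for b in service_data[3:]:
        if b in EXPANSIONS:
            url += EXPANSIONS[b]
        elif 0x21 <= b <= 0x7E:
            url += chr(b)
        else:
            raise ValueError("reserved byte %#04x in encoded URL" % b)
    return tx_power, url


def evaluate_physical_web_url(url: str, allowed_hosts: FrozenSet[str]) -> List[str]:
    """Policy check on a decoded URL. An empty list means the URL is acceptable."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append("not HTTPS")
    if parts.hostname not in allowed_hosts:
        findings.append("host %r not in allowlist" % parts.hostname)
    return findings


def triage_frames(frames: Iterable[Tuple[str, bytes]],
                  allowed_hosts: FrozenSet[str]) -> List[Tuple[str, Optional[str], List[str]]]:
    """Decode and evaluate a batch of (source_address, service_data) pairs."""
    results = []
    for address, data in frames:
        try:
            _, url = decode_eddystone_url(data)
        except ValueError as exc:
            results.append((address, None, ["undecodable: %s" % exc]))
            continue
        results.append((address, url, evaluate_physical_web_url(url, allowed_hosts)))
    return results


# Constructed sample frames (tx power 0xEE = -18 dBm at 0 m in both):
SAMPLE_FRAMES = [
    # https://www.example.org/ : scheme 0x01 "https://www.", then ".org/" expansion
    ("AA:BB:CC:DD:EE:01", bytes([0x10, 0xEE, 0x01]) + b"example" + bytes([0x01])),
    # http://example.net/promo : scheme 0x02 "http://", ".net" expansion, literal path
    ("AA:BB:CC:DD:EE:02", bytes([0x10, 0xEE, 0x02]) + b"example" + bytes([0x0A]) + b"/promo"),
    # malformed: scheme code 0x05 is not defined
    ("AA:BB:CC:DD:EE:03", bytes([0x10, 0xEE, 0x05]) + b"junk"),
]

# Constructed allowlist: the hosts an operator has actually deployed beacons for.
ALLOWED_HOSTS = frozenset({"www.example.org"})

if __name__ == "__main__":
    for address, url, findings in triage_frames(SAMPLE_FRAMES, ALLOWED_HOSTS):
        print(address, url, "OK" if not findings else "; ".join(findings))
```

The point of the allowlist is that nothing in the frame authenticates who placed the beacon: any device within range can advertise any URL, so a receiving application that cares about its users has to decide for itself which hosts it is willing to surface.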
So, what are the possible security implications and risks associated with beacon technology? As mentioned before, beacons only transmit information, so at first glance the risk seems minimal. To fully understand the risk associated with this technology, we need to step back for a broader view and, as we do with all IoT technology, approach the security by examining and understanding the product's entire ecosystem.
Examining beacon ecosystems
A deployed beacon solution typically includes the following components:
- Embedded hardware (beacon)
- Product management software
- End user mobile application
- Cloud web services, APIs, and storage
How these segments are implemented varies from product to product. For example, I would expect that once the end user mobile application receives the identifiers from the beacons, it carries out a lookup against internet (cloud) services and delivers the resulting information to the application user. Typically that would be all the mobile application does, but it could also collect and store demographic data on the user, including which beacons they have been near, GPS data, and possibly other end user or phone data. Where the mobile application and cloud services include these extended transaction and data-gathering functions, each of them must be considered further when evaluating the overall security. As you can see, understanding the specific product's implementation plays a big part in determining the full ecosystem from a security point of view.
So, from an overall ecosystem perspective, each segment of the ecosystem should be examined and tested in detail:
- Embedded hardware testing should verify that the manufacturer's firmware is properly protected from extraction and tampering. A beacon's firmware can often be updated using over-the-air (OTA) methods, so it is important to examine whether attackers can alter the device by installing their own code or modifying the current code: in particular, whether update images are signed and verified, and whether the configuration and update interface requires authentication.
- Product management software can be deployed in several ways, including as mobile applications, web services, or desktop applications, so a full assessment of every identified method should be conducted. This should include evaluating authentication, session management, encrypted communication, encrypted data storage, injection attacks, capture of over-the-air data, and embedded keys and passwords within the software, to name just a few of the general areas.
- End user mobile applications, which are designed to take advantage of the beacons, should have a thorough mobile application assessment conducted. This includes testing for encrypted communication, encrypted storage, authentication and session management, excessive permissions, data collection, and stored keys or passwords.
- Finally, cloud services testing should cover every application and device that communicates with the cloud services. In this space, we must look at the details of how both the management application and the end user application interact with the internet cloud services. It is important to ensure that the data stored in the cloud is properly secured and that all API functions are properly authenticated and contain no vulnerabilities that would allow unauthenticated access to data or various injection-style attacks.
In conclusion, beacon technology continues to expand its reach. Those who plan to leverage this technology within cities, stores, or other businesses should take the time to understand and test the complete ecosystem of the product they are looking to deploy in order to maintain a safe and secure environment for all users.