A guest blog by Kontakt.io
There is a lot that beacons have done to make marketers’ dreams come true. From offering real-time push notifications that are rich with context to giving priceless information about how customers behave on site, they’re bringing the kind of granular knowledge that marketers increasingly take for granted in the online world and making it accessible in the physical one. Understanding your buyers and prospects helps you target (and retarget) them better, tailor their experiences further, and delight customers in previously unthinkable ways. No wonder that savvy marketers are increasingly considering proximity infrastructure a treasure. The thing about treasures, though, is that the more valuable they become, the more parties they attract. Some of those parties will look to exploit that treasure, too. Do you know how to keep your treasure safe?
It’s easy to screw up security. Don’t be that guy or girl.
IoT security has been a concern for a while but for some, beacon security still boils down to making sure an app is encrypted and its management platform is stored in the cloud. While these are important, don’t neglect the hardware side! Whether it’s a common certificate exploit or a sophisticated MITM attack, hardware vulnerabilities can leave the door open for scary outcomes just as much as software ones. Security should embrace your entire infrastructure—if one part is vulnerable, the whole security structure can come tumbling down.
If you haven’t thought of securing your physical infrastructure yet, it’s high time. Here’s the skinny on how to protect your beacons against major kinds of attack.
Shuffle your beacon identifiers
No matter whose beacons you use, their Majors, Minors, UUIDs, and MAC addresses are always publicly visible to anyone who has a BLE scanning device. That’s actually a feature, not a bug. By default, they’re also constant. That’s a little closer to a bug, because it means that someone can grab those identifiers, add them to his or her own app, and use your beacons until you change the identifiers. At Kontakt.io we know that 80% of our clients never change the configured identifiers for their beacons after they have deployed them. That may be a mistake. Why is that? Because if we trust too much, we leave ourselves open to people acting in bad faith.
For example, a malicious party could create exact copies of your beacons to mislead your customers or simply make them angry. Imagine if you had a beacon that triggered a welcome message to all shoppers in your mobile app and you stationed it at your front door. Someone could easily copy your welcoming beacon’s settings and add them to dozens of their own beacons located every 10 meters throughout the parking lot in front of your store. What would your app users do? Bombarded with notifications pushed by your own app, they’d uninstall it immediately and likely never download it again.
That’s a relatively mischievous use case. There are some scarier ones, too. Imagine a competitor of yours using your own beacon infrastructure to conduct research about how to win your customers over. If someone like your competitor knows your beacon identifiers, they could add your beacons to their own app to know when their customers are in your store. That’s unpleasant enough, but imagine if you’re using your beacons for coupons or in-store analytics and your competitor also knows which beacon triggers which action. Suddenly, your competitor knows where your customer spends most of the time. In this case, they’re also aware of your advantages and know why the customer buys from you. Armed with such knowledge, they could precisely target their marketing campaigns or offer your customers better deals.
That’s an unpleasant thought indeed. See why security is important for retail use? The only way to keep your store information safe is to make sure that your competition can’t know what a beacon does. The best way to do this is to shuffle (or randomize) the unique information that the beacon broadcasts. A hacker can’t use the previously grabbed values for a beacon because he or she doesn’t know the new ones unless he or she goes back to your store and scans them all once more. The only person who knows which beacon does what is you, because you know which beacon every randomized value is related to, and you can “deshuffle” the beacon information in the cloud. The more often you shuffle and the more combinations you have, the more worthless sniffing out a beacon’s unique identifiers becomes. If you want to be sure your beacons are used as you desire, make sure you automatically shuffle their values at least once a day.
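A sketch of the shuffle/"deshuffle" idea described above, as an added example and not Kontakt.io's actual algorithm: it assumes each beacon holds a secret key and derives its Major and Minor for each daily slot with HMAC-SHA256, and that the cloud holds the same keys. The function names, keys and fleet are hypothetical, and UUID and MAC rotation are left out.

```python
from __future__ import annotations
import hashlib
import hmac
import struct

ROTATION_SECONDS = 24 * 60 * 60  # one slot per day, the article's minimum

def shuffled_ids(key: bytes, slot: int) -> tuple[int, int]:
    """(major, minor) a beacon broadcasts during rotation slot `slot`."""
    digest = hmac.new(key, struct.pack(">Q", slot), hashlib.sha256).digest()
    return struct.unpack(">HH", digest[:4])  # two 16-bit iBeacon fields

def resolve(fleet: dict[str, bytes], major: int, minor: int, now: int,
            drift_slots: int = 0) -> str | None:
    """Cloud-side 'deshuffle': map a sighting back to a beacon name.

    Only slots within `drift_slots` of the current one are accepted, so
    identifiers sniffed earlier stop resolving once the slot rolls over.
    """
    current = now // ROTATION_SECONDS
    for slot in range(max(0, current - drift_slots), current + drift_slots + 1):
        for name, key in fleet.items():
            if shuffled_ids(key, slot) == (major, minor):
                return name
    return None

# Constructed sample fleet: per-beacon secrets (hypothetical values).
FLEET = {
    "front-door": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "checkout": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}

def demo() -> dict:
    day0 = 1_700_000_000  # constructed timestamp
    sniffed = shuffled_ids(FLEET["front-door"], day0 // ROTATION_SECONDS)
    next_day = day0 + ROTATION_SECONDS
    return {
        "same_day": resolve(FLEET, *sniffed, now=day0),
        "next_day": resolve(FLEET, *sniffed, now=next_day),
        "with_drift": resolve(FLEET, *sniffed, now=next_day, drift_slots=1),
    }

if __name__ == "__main__":
    print(demo())
```

The `drift_slots` tolerance helps with beacon clock drift but also lengthens the window in which copied identifiers still resolve, so keep it as small as the hardware allows.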
Forget all passwords
By default, communication between a beacon and its managing device isn’t encrypted, so theoretically, anyone can change the beacon’s settings so that your app will stop “understanding” your beacons. That’s why most beacon vendors require that you enter a password to administer a beacon. Passwords are sent “in the clear”, too. If someone has a device that scans BLE transmissions and eavesdrops on your password, he or she can use it to connect to the beacon and then change the password so you can’t control the device anymore. Although hijacking doesn’t directly threaten your existing data, avoid it at all costs as long as you want to fully control your fleet. Having a beacon that no longer is connected to your app results in a direct loss of money, and possibly even worse outcomes as well.
The only way to prevent hijacking is to fully encrypt the communication so there’s no need to send passwords over the air. Instead, you queue new updates directly in the cloud. Once any smartphone with your app installed enters the beacon’s range, it automatically sends the encrypted updates directly to the beacon without understanding what’s in the packet. It’s easy, seamless, and 100% secure.
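The relay model described above, as an added example and not Kontakt.io's protocol: the cloud seals each settings update with AES-GCM under a per-beacon key, the phone forwards the opaque packet, and the beacon rejects anything replayed, altered, or sealed for another device. It assumes the third-party `cryptography` package and a key provisioned to the beacon in advance; the packet layout, names and sample settings are hypothetical.

```python
import struct
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

def seal_update(key: bytes, beacon_id: str, counter: int, settings: bytes) -> bytes:
    """Cloud side: encrypt and authenticate one settings update."""
    nonce = struct.pack(">IQ", 0, counter)  # 12 bytes; counter never reused per key
    return nonce + AESGCM(key).encrypt(nonce, settings, beacon_id.encode())

class Beacon:
    """Beacon side: accepts only fresh updates sealed with its own key."""
    def __init__(self, beacon_id: str, key: bytes):
        self.beacon_id, self.key = beacon_id, key
        self.last_counter = 0
        self.settings = b""

    def apply(self, packet: bytes) -> bool:
        if len(packet) < 12 + 16:          # nonce + GCM tag
            return False
        nonce, body = packet[:12], packet[12:]
        counter = struct.unpack(">IQ", nonce)[1]
        if counter <= self.last_counter:   # replayed or stale update
            return False
        try:
            plain = AESGCM(self.key).decrypt(nonce, body, self.beacon_id.encode())
        except InvalidTag:                 # altered, or bound to another beacon id
            return False
        self.last_counter, self.settings = counter, plain
        return True

def demo() -> dict:
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed sample key
    beacon = Beacon("front-door", key)
    pkt1 = seal_update(key, "front-door", 1, b"tx_power=-12;interval_ms=350")
    tampered = bytearray(seal_update(key, "front-door", 2, b"tx_power=4"))
    tampered[-1] ^= 0x01                   # one bit flipped in transit
    wrong_target = seal_update(key, "checkout", 3, b"tx_power=4")
    return {
        "relay_sees_plaintext": b"tx_power" in pkt1,
        "first_apply": beacon.apply(pkt1),
        "replay": beacon.apply(pkt1),
        "tampered": beacon.apply(bytes(tampered)),
        "wrong_target": beacon.apply(wrong_target),
        "settings": beacon.settings,
    }

if __name__ == "__main__":
    print(demo())
```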
Choose beacons with protected chips
Even the most advanced shuffling or communication isn’t secure enough if a beacon’s physical memory is directly readable, because a hacker can then get access to your shuffling key and the beacon’s firmware, including its shuffling algorithm.
If you don’t want all of the work you’ve put into security so far to be undone, make sure your beacons have the ability to wipe out the memory as soon as someone tries to access it.
If you think that some of the threats listed above are edge cases, you’re right—fortunately, although all of them are technically possible, they’re relatively uncommon—so far. As the industry grows and involves more connected devices and a bigger data flow, we’re rapidly approaching the day when we hear of a large-scale data breach involving beacons. Don’t wait with your beacon security until it’s too late. Rather, think like a pioneer and prepare for it ahead of time.
The author, Trevor Longino, is Head of Product at Kontakt.io, the beacon company which provides a full suite of beacon security technology. Connect with him on LinkedIn.