Make: Report Raises Questions about Security on Estimote, Gimbal Beacons
Make: has taken some of the deepest dives into beacon technology around the web, and their analyses are worth sharing here as well. In their latest investigation, Make: writers Alasdair Allan and Sandeep Mistry take note of the buzz around Google’s Eddystone, but question the rush to throw support behind the protocol.
The duo first take a look at Estimote, one of the leading beacon hardware providers, which has already announced full compatibility with Eddystone. The results are a bit disconcerting:
Unfortunately, our analysis shows that it’s possible to reconfigure any Estimote beacon running their current developer firmware to broadcast an entirely different URL. The vulnerability allows you to update beacons you don’t own, and theoretically at least, are not supposed to have authorization to access.
Beacon hijacking is a real concern for anyone jumping into the space. In the retail setting, competitors or e-commerce counterparts could piggyback upon unsecured beacons to reach shoppers under a store’s own roof. Worse yet, the Make: report suggests that hackers could leverage unsecured beacons to create a physical version of a phishing scam, tricking folks into tapping through on fake notifications and unknowingly sharing their location data.
Per the report, Estimote is hardly the only beacon manufacturer that is vulnerable to malfunction.
The [Estimote] beacon will rotate through 3 UUID + Major + Minor combinations when in Secure UUID mode, with the SDK querying the cloud for mapping to “real” UUID, and caching the results. Interestingly however, the Android version of the Estimote SDK doesn’t seem to support Secure UUID.
This technique is a somewhat similar tactic to that used by Qualcomm’s Gimbal, which used the trick of rotating the Bluetooth LE MAC address and advertisement data with each packet — once every 0.8 seconds — and as a consequence regularly crashed Android’s Bluetooth stack.
While using UUID rotations does prevent you from knowing the UUID scheme for a set of broadly distributed beacons, it doesn’t really prevent mimicking individual beacons. Since it’s all table-based lookups, you can still fake one advertisement rotation and trick the accompanying application in the same manner as before. It doesn’t change anything.
We encourage you to click through the incredibly in-depth full article on Make:.
Make:’s report brings to light the pressing need for security in the beacosystem. With thousands of beacons currently deployed, many of them unsecured, there’s tremendous potential for issues with hacking, phishing and crashing phones. All potential beacon users should be asking their providers if their hardware is fully secured and protected from hijackers.