Geek Answers Handbook

How to prevent iBeacons spoofing?

As far as I can tell, nothing can prevent any developer from programming their beacon to use a specific UUID, primary, secondary or identifier.

In case I create an iBeacon with the UUID "foo", what should another developer to create a beacon with the same identifier and (accidentally or maliciously) prevent the application from displaying incorrect data?

I misunderstood how iBeacons work? Please correct me if I am wrong.

+6
source share
2 answers

This is absolutely true. I have forged Apple Store iBeacons (to prove it) and my beacons forged. Make a magazine for the Consumer Electronics Show Scavenger Hunt.

This is not a flaw. You just need to create an application that uses iBeacons, so spoofing is relatively immaterial. If you are developing an application, so it does not really matter, who cares?

The specific security mechanisms appropriate to combat this depend on the application in question, but there are countless possibilities.

To hunt for CES Scavenger, for example, we simply kept an audit trail with timestamps so that we knew that someone quickly discovered all the targets. In the end, no one did this - our participants were good sports!

+4
source

You cannot prevent proposal spoofing because there is no central authority that issues universal unique identifiers (UUIDs). UUIDs are arbitrarily assigned to the beacon and are not really guaranteed to be unique.

However, as soon as you pair your PDA with a beacon, the image is different. You can program a beacon (or, more specifically, a device with a beacon) to generate completely unique pairing information, such as a one-time password or some kind of secret handshake between your application and a pair of beacons.

A typical process flow would be:

  • the phone detects the ibeacon broadcast, reads UUID + Major / Minor.

  • the phone launches your application (using the didEnterRegion event).

  • your beacon application requests send a command to generate an encrypted response.

  • your application decrypts the response. If successful, display a happy face! In case of failure, display a sad face.

Moving forward, I suspect that most lighthouse systems will be implemented in this way. If and until the iBeacon standard is updated to provide encryption, it should be a hybrid ping + pair approach.

+1
source

More articles:


All Articles