According to Tim Parry from TechCrunch, security is the second most important thing an IoT device needs. Although everyone is aware of how important security is for an IoT device, some beacon manufacturers still provide beacons without any kind of security. It is only when a beacon is turned on and secured that one can trust it to do its job, such as notifying users about locations, making transactions happen over secure channels, or interacting with the real world around the beacon.
Industries and societies are increasing IoT enablement, with growing numbers of beacons used for object tracking, energy management, wireless identity, keyless access control systems, sensor data transmission, unique identification, etc. An analysis of IoT as applied in industries and societies shows that it has often been planned without consideration for security issues. Most systems take care only of the software, such as applications, databases and the cloud, under the common assumption that since the data is stored in the cloud it remains safe. Security does not depend on software alone: companies generally make sure the cloud (database) is unhackable and the applications are fully encrypted, but no secured software is secure enough when the hardware is vulnerable.
Security Issues with Beacon
Four different ways beacons can be attacked:
1) Piggybacking
An attacker listens to the beacon to capture its MAC address and adds it to their own application without the owner’s permission. Because most beacons broadcast the same signal for a long time, the attacker can rely on the owner’s beacon infrastructure in their application.
2) Cloning
An attacker captures a beacon’s information to make clone beacons: the beacon configuration is copied into another beacon in order to mislead users.
3) Hijacking
Generally, beacons communicate “in the clear”, without encrypting data. Someone who sees the password sent to connect to the beacon can use it and then change it, so that the owner can no longer connect.
4) Cracking
Even when beacons are secured against remote attacks, someone can still physically remove the beacon.
Existing Security Schemes for Beacon
1) Data Confidentiality
Confidentiality is a basic security provision for data protection that maintains the privacy of information, such as who is authorized to view, share, and use data. To make data confidential, cryptographic algorithms that convert given plaintext into ciphertext are mostly used. If ciphertext, i.e., encrypted data, is broadcast and eavesdropped on by an attacker, the attacker will not be able to understand its contents. Cryptographic algorithms are categorized into two main types: 1) symmetric cryptography and 2) asymmetric cryptography.
2) Data Integrity
Data integrity is the accuracy, completeness, and quality of data as it is maintained over time and across formats. Data integrity is related to data security but is not the same thing: data security protects data from both external and internal threats, while data integrity ensures that the data has not been modified by those threats.
Related Secured Protocol Approach
1) Beacon Identification Shuffling
Any user can spoof the beacon fleet by presenting other beacons’ identities (MAC address, UID, or any other identifier) as their own, so that the user application treats the clone as an authorized device. In many IoT applications a beacon has to broadcast the same identities repeatedly, and in this case attackers can take advantage of it without the owner being notified. To solve this problem, manufacturers are developing beacons that shuffle the broadcast identifiers randomly, so that attackers cannot use previously captured identifiers to access the network infrastructure. Today the best method to protect beacons against spoofing is random shuffling of identifiers, in which nobody can predict when they will change again.
2) Beacon Memory Protection
In many IoT deployments, beacons have a memory that anyone can easily access. Memory without any authentication can be read directly, which may lead to compromise. Therefore, the beacon should have the ability to delete its data as soon as someone else tries to access it.
Existing Security Provisions for Beacon
As beacons broadcast their messages, it is very challenging to protect those messages from a particular receiver. Beacons do not maintain data confidentiality, data integrity or other security-related parameters. Many researchers have proposed security provisions, but each has some limitations. In general, there are three strategies to defend beacons against attacks.
1) Time-Varying ID
Beacons can be set to broadcast UIDs that change from time to time, which makes it more complex for an attacker to copy and replay beacon messages. Gimbal and Kontakt beacons also introduced a similar but less secure version based on rotating UIDs taken from a predefined, fixed pattern. In other, more secure versions, cryptographic techniques such as keyed pseudorandom functions are used to generate the time-varying beacon UID. Generating evolving UIDs makes beacons consume more energy, which reduces battery lifespan. In addition, this approach also fails to withstand re-programming and reshuffling attacks.
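The keyed-pseudorandom-function variant of time-varying UIDs, as an added example that is not code from the paper or from any beacon vendor: the beacon derives each identifier with HMAC-SHA256 over a time-window counter, and a backend resolver holding the key maps observed identifiers back to the beacon. The 16-byte demo key, the beacon serial, the 600-second rotation window and the one-window clock tolerance are assumptions.

```python
import hmac
import hashlib

# Constructed demo values (not from the paper or any vendor): a 16-byte beacon key,
# a beacon serial, and an assumed 600-second identifier rotation window.
BEACON_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
BEACON_SERIAL = b"beacon-0042"
ROTATION_PERIOD = 600

def epoch_counter(now, period=ROTATION_PERIOD):
    """Window index derived from wall-clock time; beacon and resolver both compute it."""
    return int(now) // period

def time_varying_uid(key, serial, counter):
    """Keyed PRF (HMAC-SHA256) over the window counter, truncated to 16 bytes.
    Without the key an observer cannot predict the next identifier, unlike a
    rotation through a fixed, predefined pattern."""
    msg = serial + counter.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]

class Resolver:
    """Backend that holds the fleet's keys and maps an observed UID back to a
    beacon, tolerating a small clock skew (in windows) on either side."""
    def __init__(self, registry, tolerance=1, period=ROTATION_PERIOD):
        self.registry = registry      # serial -> key
        self.tolerance = tolerance
        self.period = period

    def resolve(self, observed_uid, now):
        c = epoch_counter(now, self.period)
        for serial, key in self.registry.items():
            for delta in range(-self.tolerance, self.tolerance + 1):
                candidate = time_varying_uid(key, serial, c + delta)
                if hmac.compare_digest(candidate, observed_uid):
                    return serial
        return None  # unknown beacon, or an identifier from an expired window

def demo():
    """One beacon advertising and being resolved, then the same UID rejected later."""
    resolver = Resolver({BEACON_SERIAL: BEACON_KEY})
    now = 1_700_000_000
    uid = time_varying_uid(BEACON_KEY, BEACON_SERIAL, epoch_counter(now))
    return (resolver.resolve(uid, now),                        # b"beacon-0042"
            resolver.resolve(uid, now + 3 * ROTATION_PERIOD))  # None

if __name__ == "__main__":
    print(demo())
```

A captured identifier stays resolvable until its window plus the tolerance has passed, so the rotation period bounds replay rather than eliminating it, and the scheme does nothing against re-programming of the beacon itself, as the paragraph notes.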
2) Outlier/Anomaly Detection
Traces of user queries are gathered at the backend server to run hypothesis tests that detect any outlier or anomaly in beacon ID transitions relative to the beacons’ geographic mounting positions. As a user device moves around a beacon area, the transitions between consecutive beacon IDs seen by the application follow a certain probability distribution. The merit of outlier detection is that it requires no modification of beacons and does not shorten beacon lifespan; it is also more powerful and can defend against all attacks other than piggybacking. Careful consideration of user privacy protection is necessary, however.
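A simplified version of the backend check described above, added here as an example and not taken from the paper: instead of a full hypothesis test it applies a geometric plausibility rule to a trace of user queries, flagging a transition between two beacons that would require the user to move faster than a walking pace given the mounting positions, and flagging IDs outside the registered fleet. The beacon positions, the trace lines and the 2.5 m/s bound are constructed.

```python
import math

# Constructed mounting positions (metres) for a small deployment; not from the paper.
BEACON_POSITIONS = {
    "B1": (0.0, 0.0),
    "B2": (10.0, 0.0),
    "B3": (20.0, 0.0),
    "B4": (200.0, 150.0),
}
MAX_SPEED_MPS = 2.5  # assumed upper bound for a user walking between beacons

# Constructed trace of user queries as "timestamp,user,beacon_id" lines.
SAMPLE_TRACE = """\
100,alice,B1
105,alice,B2
111,alice,B3
112,alice,B4
120,bob,B2
121,bob,B9
150,bob,B3
"""

def parse_trace(text):
    """Parse the backend's query trace into (timestamp, user, beacon_id) rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, beacon = line.split(",")
        rows.append((int(ts), user, beacon))
    return rows

def detect_anomalies(rows, positions=BEACON_POSITIONS, max_speed=MAX_SPEED_MPS):
    """Flag beacon-ID transitions that are implausible for the mounting positions:
    a jump between two beacons faster than a person could move (a cloned or
    relocated beacon seen out of place), or an ID not in the registered fleet."""
    anomalies = []
    last_seen = {}  # user -> (timestamp, beacon)
    for ts, user, beacon in sorted(rows):
        if beacon not in positions:
            anomalies.append((user, ts, beacon, "unregistered beacon id"))
            continue
        if user in last_seen:
            prev_ts, prev_beacon = last_seen[user]
            (x1, y1), (x2, y2) = positions[prev_beacon], positions[beacon]
            dist = math.hypot(x2 - x1, y2 - y1)
            dt = max(ts - prev_ts, 1)  # avoid division by zero on same-second queries
            if dist / dt > max_speed:
                anomalies.append((user, ts, beacon,
                                  f"{prev_beacon}->{beacon} implies {dist / dt:.0f} m/s"))
        last_seen[user] = (ts, beacon)
    return anomalies
```

Running detect_anomalies(parse_trace(SAMPLE_TRACE)) flags alice's one-second jump from B3 to the far-away B4 and bob's sighting of the unregistered B9, while the ordinary walk along B1, B2, B3 passes.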
3) Selective Jamming
An additional BLE-compatible guardian device can be installed to opportunistically invoke reactive jamming of messages emitted by a personal beacon tag. Only devices authenticated through an out-of-band channel with the guardian device can read beacon messages, indirectly through the guardian. No modification of beacons is required, but this approach mainly applies to protecting beacon tags carried by a person against presence inference and would not be useful for beacons deployed for location-based services.
Related Secured Protocols
Many privacy and security approaches have been proposed at different layers of communication to protect data transmission and device access. In 1999 the MIT Auto-ID Center initially focused on the use of RFID technology for short-range wireless communication, which led to research on the security and privacy aspects of tag tracking.
In [16] the authors suggested assigning a temporary ID in the context of book identification in libraries.
In [17] the authors suggested having a set of IDs assigned temporarily and updating the ID cryptographically between interactions with the readers, and a method to synchronize successful readings among the set of readers.
In [18] the authors suggested using the system hosting the tag to perform the encryption with a public-key operation.
In [19] Golle et al. defined universal re-encryption, which allows a reader to re-encrypt the tag identity without knowing either the plaintext or the public key it uses.
In [20] Ateniese et al. described a similar solution based on elliptic curve cryptography, which also allows verifying message integrity.
In [21] Weis et al. presented a different type of proposal, in which the tag itself needs to compute: a MAC-based computation over a random challenge using a shared key.
In [22] Molnar et al. suggested a rotation of pseudonyms based on a PRF computed over a random nonce or a counter, where an interaction with the reader can assure that the computation is done with the actual key.
In [23] Kontakt.io proposed shuffling some of the fields in the advertisement, but this does not prevent tracking.
In [24] Estimote proposed a Secure UUID that rotates the beacon ID (UUID, Major and Minor) so that it broadcasts unpredictable, encrypted values, but it relies on secure access to the Estimote cloud for beacon identification, even for the owner of the beacon.
We have studied various currently available protocol standards for wireless sensor networks in the IoT. For many IoT applications the BLE beacon is becoming a very useful short-range wireless communication technology. The BLE beacon is well suited to short-range data broadcasting and is available in proprietary as well as open-source forms. Google provides an open-source protocol standard called Eddystone with UID, URL, TLM, and EID frames, for broadcasting a unique identifier, a universal resource locator, telemetry data, and an ephemeral identifier respectively.
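To make the frame types concrete, the following is an added example (not code from the paper or from Google's Eddystone project) that walks the AD structures of a BLE advertisement, finds the 0xFEAA service data and decodes the UID, EID and TLM frames according to the public Eddystone layout. The sample advertisement bytes are constructed.

```python
import struct

EDDYSTONE_UUID = b"\xaa\xfe"   # 16-bit service UUID 0xFEAA, little-endian on air
FRAME_UID, FRAME_URL, FRAME_TLM, FRAME_EID = 0x00, 0x10, 0x20, 0x30

def eddystone_service_data(adv):
    """Walk the BLE advertising AD structures and return the Eddystone service
    data (bytes after the 0xFEAA UUID), or None when the packet is not Eddystone."""
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0 or i + 1 + length > len(adv):
            return None  # malformed length: stop rather than read past the buffer
        ad_type, body = adv[i + 1], adv[i + 2:i + 1 + length]
        if ad_type == 0x16 and body[:2] == EDDYSTONE_UUID:   # Service Data, 16-bit UUID
            return body[2:]
        i += 1 + length
    return None

def parse_eddystone(adv):
    """Decode the UID, EID or TLM frame; length checks guard against truncated frames."""
    data = eddystone_service_data(adv)
    if data is None or len(data) < 2:
        return None
    frame = data[0]
    if frame == FRAME_UID and len(data) >= 18:
        return {"type": "UID", "tx_power": struct.unpack("b", data[1:2])[0],
                "namespace": data[2:12].hex(), "instance": data[12:18].hex()}
    if frame == FRAME_EID and len(data) >= 10:
        return {"type": "EID", "tx_power": struct.unpack("b", data[1:2])[0],
                "eid": data[2:10].hex()}
    if frame == FRAME_TLM and len(data) >= 14 and data[1] == 0x00:  # unencrypted TLM v0
        vbatt, temp, adv_cnt, sec_cnt = struct.unpack(">HhII", data[2:14])
        return {"type": "TLM", "vbatt_mv": vbatt, "temp_c": temp / 256.0,
                "adv_cnt": adv_cnt, "uptime_s": sec_cnt / 10.0}
    return {"type": "unknown", "frame": frame}

# Constructed advertisement: Flags, 16-bit UUID list, then an Eddystone-UID frame
# (frame 0x00, tx power -20 dBm, 10-byte namespace, 6-byte instance, 2 RFU bytes).
SAMPLE_UID_ADV = bytes.fromhex(
    "020106" "0303aafe"
    "1716aafe" "00" "ec" "00112233445566778899" "000000000001" "0000")
```

Every field of the UID frame decodes in the clear, which is the point the later sections make: nothing in the frame itself conceals or authenticates the identifier.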
Eddystone Privacy/Security
Beacons periodically broadcast non-connectable advertising packets, so anyone who wishes can receive them. Encrypting the broadcast data provides strong protection: data encrypted with a private key hides the plaintext so that it cannot be understood by an unauthorized receiver. Broadcasting is fast and easy to use, and it is a good choice if the user only has to push a small amount of data on a fixed schedule or to multiple devices. A major limitation of broadcasting, compared to a regular connection, is that it comes with no security provision at all (anyone can receive the data being broadcast), so it might not be suited to sensitive data.
Findings:
BLE beacons are designed mainly for object tracking, distance estimation, proximity, opportunistic data collection, and transmitting notifications by broadcasting the beacon’s unique identifier. A review of various applications shows that beacons are mostly used for object tracking by broadcasting the Eddystone-UID frame; hence for most applications only the transmission of a short static value is required, for example a sensor id, device id, machine id, vehicle number, security key, mobile number, employee id, object id, location, etc.
Broadcasting a sensitive short message in such an Eddystone-UID frame may face security challenges. For secure and uninterrupted operation, the protocol must provide for data confidentiality and data integrity. To develop such secure broadcasting, we have focused on extending the Eddystone-UID frame to make it a secure broadcasting standard.
Everyone is aware that security is the second most important thing an IoT device needs, but some beacon manufacturers still provide beacons without any kind of security. Using beacons without security is disastrous because anyone can easily reconfigure or change the beacon settings without authentication or by circumventing security. To maintain beacon security in IoT applications, users should avoid such beacon hardware at all costs.
The comforting fact related to the beacon authentication issue discussed above is that most beacon manufacturers have now adopted a system in which user authentication is required to administer a beacon. Password authentication is a better security provision, but experience shows that it is also not fully secure. The beacon specification does not include any data privacy system: standard beacons broadcast their signal unencrypted, in the clear, i.e., communication between the beacon and its administrator is not encrypted.
A beacon without authentication makes the system insecure, as anyone can scan the broadcast signals with BLE scanning devices such as a laptop, smartphone, or any other Bluetooth-equipped device in range. Anyone can eavesdrop on communications with beacons and discover device passwords. Once a password is obtained, anyone can connect to the beacon without permission and reconfigure it or change its settings and credentials.