Beacon usage continues to grow across retail and enterprise use cases from proximity marketing and micro-location services to RTLS-based way-finding, asset tracking and workforce optimization. However, one of the primary concerns of IoT and the beacon ecosystem is how to handle security at scale in these enterprise scenarios. Security can be split into two categories. These are hardware/firmware and beacon transmission validation(anti-spoofing).
What is hardware/firmware security?
Hardware/firmware security is the first level of protection required to keep the physical beacons safe and operational. This security measure protects the beacon hardware’s firmware from malicious access and-or modification of individual beacon configuration. A beacon’s configuration includes transmission power, rate, modulation, and broadcast frames which include – Eddystone-URL (Physical Web), Eddystone-UID, Eddystone-TLM, iBeacon, and Bluvision’s sBeacon. Just one malicious configuration adjustment can drastically impact a beacons’ operational lifespan. Furthermore, each and every-time a beacon is illegally tampered with, a technician and-or replacement beacon must be dispatched. This action drastically impacts the total cost of ownership of a beacon fleet.
Many of our novice competitors believe the answer to hardware/firmware security is “password” protection. Basic password protection does not scale. Imagine a typical enterprise scenario where a corporation has a fleet of 100,000+ beacons installed globally. The corporation uses thousands of technicians spread across multiple partners and-or system integrators to install and maintain beacon infrastructure. This high-risk scenario requires thousands of people have access to clear text passwords for access to each beacon. The cards are stacked against corporation’s security when it tries to leverage shared/distributed clear text passwords database for hardware protection. This will fail and fail often as employees and partners leak passwords. Bluvision does not believe in this approach, we believe in the cloud, fleet management, and encryption. Bluvision’s cloud-based solution secures each beacon from the time a beacon is born at the factory to the end of its operational life. Our cloud-based vault leverages unique public/private encryption keys for authentication to each beacon. Our solution was designed from the ground up to manage, monitor, and protect a beacon access in real-life, big business scenarios. Our BluFi(Bluetooth to WiFi) gateways, provisioning tools, and SDKs maintain the highest level of security protection at all times. Bluzone cloud does it the right way.
How to validate beacon transmissions? … Eddystone-EID
How do we know a beacon’s BLE transmission is valid and not being spoofed? This question is continually being asked by our customers who leverage Bluvision solutions in mission critical programs like retail, banking, entertainment, ticketing, manufacturing, transportation (airports, train stations), hospitality, digital signage, and more. If a beacon transmission can be hijacked, intercepted, spoofed, and-or used without consent, a beacon fleet can turn into a liability, spamming engine, and-or security risk. Here are some scenarios that can play out:
- Beacon Hijacking: A retail competitor could use a competitor’s beacons for counter promotion. You walk into Blue Café, and have installed the app for Green Café. Green Café can use Blue Café’s beacons to push you a discount for their coffee.
- Beacon Cloning & Impersonation: Beacons are also extensively being used for asset tracking in places like hospitals, airports, manufacturing sectors etc., to keep track of expensive, and valuable equipment/assets. Without security features and encryption, it is quite easy to mimic the deployed beacons in this area and remove the assets from the location.
- Beacon Spambot: One of the widespread uses of beacons has been with contextual or proximity marketing in retail outlets, airports, restaurants, etc. These venues install beacons in their location and allow 3rd party vendors to send hyper-local marketing to their audience. With no security measures in place, regular vendors could send out spam messages rendering these beacons obsolete.
Bluvision has created many custom means for handling these scenarios based on client needs. Bluvision has the ability to create encrypted and modulating BLE beacons for Eddystone and iBeacon protection. However, an agreed upon security standard/protocol is needed to get widespread adoption across mobile, application developers, and enterprise architectures. No enterprise wants to support one-offs or custom solution, it’s hard to do, hard to technically sponsor. Security customization generally increases cost of ownership and risk. This is why we are excited about Eddystone Ephemeral Identifiers. Eddystone’s Ephemeral Identifiers (Eddystone-EID) is sophisticated and proven approach to securing IoT implementations and beacon transmissions. It uses rotating ephemeral identifiers to broadcast a more secure signal/beacon transmission. Each signal is quickly validated to ensure authenticity and access control.
Eddystone-EID in combination with Google, gives the beacon ecosystem a common protocol/language for securing beacon interactions. Bluvision sees the Eddystone EID release as a solution accelerator. Why? Now we can focus on more complex IoT problems, value-adds, mobile experiences, and transactions. Eddystone-EID places less technical focus beacon security and more on delivering premiere value-add solutions. But what about iBeacon? Of course there are ways to encrypt and rotate Apple’s iBeacon frames but it is not native from Apple and doesn’t have the deep security capabilities that Eddystone EID brings.