If you are tuned into the technology world, then you might have heard that Make Magazine was able to hack into the CES 2016 beacons in January for the second time. By breaking into the Scavenger application source code, hackers were able to connect to the Radius Networks cloud service and obtain the list of beacons used at the show. Once the list of beacons was known, they wrote a software-based script to duplicate the iBeacon packets broadcasted at the conference which, in turn, tricked the locally-installed application into thinking the hacker completed the scavenger hunt without attending the conference.

This brings up several questions that have been circulating the retail industry regarding beacons:

  • Can beacon packets be duplicated? The simple answer is yes. Since both the Bluetooth Low Energy Specification and all major beacon formats are publicly available, beacon packets can easily be duplicated through both hardware- and software-based beacons.
  • Can hardware-based beacons be hacked to send different packets? It’s possible, but not likely. Depending on the hardware provided by the vendor, most modern hardware-based beacons require some form of authentication to change their settings. However, the level of security supplied is unique to each vendor.
  • Do I need an application to detect beacon packets? Yes, currently most operating systems, including smartphones, contain hardware and programming interfaces that can detect beacon packets, but a third party application is required to process the information received.
  • Do hardware beacons receive responses from the responding devices, and can they detect that a device, such an iPhone, is near? Most beacons being deployed today do not receive responses from the receiving device. Beacons, by definition, are omni-directional and sessionless. However, the next generation of “smart” beacons will be capable of two-way communication and a wealth of more sophisticated capabilities. This blog will focus primarily on “basic” beacons.
  • Can beacons implement a proprietary format? Yes, they can. However, implementation is slowed by the fact that smartphone manufacturers, such as Google (“Eddystone”) and Apple (“iBeacon”), have vested interest in promoting their own beacon protocol, so they are expected to be slow in providing robust application programming interfaces (APIs) that support proprietary formats.

So why are businesses and consumers interested in beacon technology? It’s a combination of locally installed “smart” applications and the ability to mass produce low-cost, hardware-based basic beacons that provide both extreme value and convenience to both users and retailers, but this technology can also be abused by hackers and software companies alike.

Let’s take iBeacons as an example – As defined by the Apple iBeacon specification, all iBeacons must broadcast a universally unique identifier (UUID), Major number, Minor number and a TxPower value. The UUID number typically identifies the beacon owner, while the Major/Minor values are used to further define each beacon with the owner’s ecosystem. The TxPower indicator is a measure of the signal strength that should be received by the consumer application when the application is one meter from the iBeacon. It is important to note that a beacon UUID need not be unique, it is not assigned by any governing organization, and depending on the intended use, can be duplicated across multiple beacons.

When a vendor’s application is installed on a smartphone, and the device comes within roughly 100 – 150 feet of an iBeacon, it reads the UUID, Major/Minor number and TxPower transmitted by the beacon. It then processes this information, calculates the device’s approximate distance from the device based on the actual received signal strength, and sends this information to the vendor’s cloud service. In addition, typically, with the user’s permission, the GPS location of the smartphone is sent as well. From here, information is sent back to the application, such as “Thanks for visiting, here is a great offer from our store!”

However, since beacon packets can be received by multiple applications on the same phone, consumers need to be aware that the information gathered by one application to provide services to the user could easily be used by another installed application to either track the user’s visit to the same location or return additional alternative messaging to the user.

Hence it is important retailers and consumers consider these tips for protecting themselves:

For Shoppers:

  1. Be aware that each application installed on your device could be listening to beacon broadcasts and only install applications from reputable and trusted organizations with clear “terms of use” that list what information they will obtain from your device.
  1. While not a security matter, consumers should understand that listening for and reacting to beacons will impact battery life.

For Retailers:

  1. Partner with an organization capable and knowledgeable about security and privacy concerns. Choose one that will not immediately dismiss your security concerns, but rather help you in addressing them. A great partner can provide knowhow into the technology protocol, deployment and beacon management.
  1. It is important to test and conduct a proof-of-concept before rolling out any new technology. This allows the internal teams to understand the complexities and risks of this new, emerging technology and where the gaps, holes or weaknesses might be.
  1. While it is a long shot, do not completely dismiss the potential for a security breach via beacons. Instead, consider implementing dynamic UUIDs that are continuously changing and/or implementing strong credentialing and multiple layers of encryption.
  1. Remember that while beacons deliver content and do not capture consumers’ personal information, they do connect to their personal mobile device. Therefore, develop and implement this technology in the most secure way possible. The last thing a retailer wants is for their beacons or app to allow their customer’s personal information to be compromised or offensive content presented.
  1. Consider implementing a fully integrated mobile shopper engagement platform which has the ability to leverage all desired methods of activation, including “smart” and “basic” beacons, multiple beacon protocols including iBeacon and Eddystone, short codes/SMS, Near Field Communications (NFC), QR, Wi-Fi-gating and/or geo-fencing. A unified platform ensures consistent security protocols and eliminates the requirement for integrating a patchwork of disparate systems, each of which may have their own security vulnerabilities.

With the increased use of technology, the potential for security implications also rises. While most of today’s beacons are not smart devices and are used as a one-way form of communication, there is still a possibility of a breach occurring – especially given the recent growth and increased sophistication of cybercriminal attacks. In the near future, “smart” beacons, which may be integrated with on-premise Wi-Fi and can deliver a two-way connection experience between shoppers and retailers, will also provide the potential for an even higher and more complex set of security vulnerabilities. Therefore, take security into consideration from the very beginning when implementing this new technology in your business. Don’t wait until it is potentially too late!

Previously published on Blue Calypso’s blog.