Breaking 6 Myths about Beacon Security and Privacy
September 22, 2014
From retailers to theme parks, restaurants and malls, one of the chief factors that fueled unparalleled excitement over beacons is their ability to cater to consumers’ desire to receive personalized, contextual offers and content on their mobile devices. According to a recent study by Research Now, a U.S.-based market research company, 72% of consumers agreed that receiving a relevant offer on their mobile device while shopping in-store would significantly influence their chances of making a purchase.
Despite all the attention from the tech world, beacons have yet to go mainstream because businesses have quite a few security concerns around them. While data breaches involving credit cards have tormented retailers for years, the issue of beacon security and privacy is comparatively new. Among the many questions being tossed around, the most common one is easily ‘How secure are beacons?’. We recently published a blog on ‘6 Myths around Beacon Security and Privacy’, where we have tried to break a few common myths. It also contains a checklist that will help you assess beacon security.
Myth 1: Any beacon can be hacked easily
Agreed, Bluetooth Low Energy proximity solutions come with a number of risks, such as the untrustworthiness of the mobile devices participating in the solution, device spoofing and man-in-the-middle interception. Similarly, although UUIDs are unique to each organization, they do not play any role in the security strategy around beacons. Anyone equipped with a Bluetooth discovery app or a Bluetooth sniffer can discover the identifiers with great ease. However, this doesn’t make beacons insecure; it merely indicates misplaced security concerns.
For example, a team from Make magazine cracked the CES Scavenger Hunt, a beacon-powered app that was aimed at offering an engaging experience to visitors at the event. What shocked the media most was that they managed to complete it not only before the show started, but also without being physically present at the venue. Though it might seem like a major exploit at first glance, cracking it would have been pretty simple. For starters, the application file wasn’t encrypted, which made it easy for them to discover the ID numbers of the beacons at the venue and spoof them.
Therefore, when developing apps for proximity solutions, you should incorporate a security model that addresses the common risks involved. Another important thing to note is that the compensating security mechanism you employ should suit the application concerned. If the resources or assets at risk are minimal, then you can opt for a minimal security model. For example, in the case of the CES Scavenger Hunt app, the company that provided the technology to support beacons used an audit trail to validate the progress of the players based on time and location, in order to ensure reasonably fair game play in a cost-effective manner. On the other hand, if there are a number of valuable assets, then you should definitely opt for a stringent security model.
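As an added example (not code from the CES app or from Beaconstac), here is one way a server-side audit trail could check reported beacon sightings against time and location. The venue map, walking-speed limit, event start time and check-in records are all constructed assumptions.

```python
from dataclasses import dataclass
from math import hypot

# Constructed venue map: beacon name -> (x, y) position in metres (hypothetical).
BEACON_POSITIONS = {"hall-a": (0.0, 0.0), "hall-b": (120.0, 0.0), "lobby": (120.0, 160.0)}
MAX_WALK_SPEED = 2.5   # m/s, assumed upper bound for a visitor on foot
EVENT_OPENS = 1_000    # constructed event start, in seconds

@dataclass(frozen=True)
class CheckIn:
    player: str
    beacon: str
    ts: float  # time the server received the sighting, in seconds

def audit(checkins):
    """Return (check-in, reason) pairs for sightings that fail the time/location checks."""
    flagged, last = [], {}  # last: player -> most recent accepted CheckIn
    for c in sorted(checkins, key=lambda c: c.ts):
        if c.beacon not in BEACON_POSITIONS:
            flagged.append((c, "unknown beacon"))
            continue
        if c.ts < EVENT_OPENS:
            flagged.append((c, "before event opened"))
            continue
        prev = last.get(c.player)
        if prev is not None:
            (x1, y1), (x2, y2) = BEACON_POSITIONS[prev.beacon], BEACON_POSITIONS[c.beacon]
            # A spoofed identifier costs nothing to replay, but the distance
            # between two real beacons cannot be covered faster than walking.
            if hypot(x2 - x1, y2 - y1) > MAX_WALK_SPEED * (c.ts - prev.ts):
                flagged.append((c, "implausible travel"))
                continue
        last[c.player] = c  # only accepted sightings advance the player's position
    return flagged

SAMPLE = [  # constructed check-ins
    CheckIn("alice", "hall-a", 1_100),
    CheckIn("alice", "hall-b", 1_200),  # 120 m in 100 s: plausible
    CheckIn("bob", "hall-a", 900),      # reported before the doors opened
    CheckIn("carol", "hall-a", 1_100),
    CheckIn("carol", "lobby", 1_110),   # 200 m in 10 s: implausible
    CheckIn("carol", "hall-b", 1_300),  # judged against hall-a, the last accepted sighting
]

if __name__ == "__main__":
    for checkin, reason in audit(SAMPLE):
        print(f"{checkin.player} @ {checkin.beacon} t={checkin.ts}: {reason}")
```

A check like this does not prove presence; it only raises the cost of replaying discovered identifiers, which matches the minimal security model described for low-value assets.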
To learn more about other myths around beacon security and privacy such as:
– Do beacons deliver contextual offers?
– Can beacons collect information about users without their permission?
– Is the UUID used to protect valuable resources or assets?
Beaconstac makes it easy for brands to protect their infrastructure investment and prevent unauthorized third-party use of their beacon network. If you plan to beacon-enable your existing or upcoming mobile app, use the Beaconstac SDK for iOS, which will take care of the above-mentioned security aspects.
If you are planning a beacon pilot, take a look at Beaconstac, which includes everything you need to get started. Using Beaconstac, you can set up your own campaign without a developer’s help!