Beacons are inconspicuous, compact wireless devices that repeatedly broadcast tiny packets of location and sensor data using Bluetooth Low Energy (成為) 信號. When in range, compatible smartphones can receive these transmissions to enable a myriad of location-based use cases — from targeted advertising to contact tracing and asset tracking. For any business deploying beacons, ensuring robust beacon security protections are in place is now imperative.
Why beacon security matters
This versatility has fueled rapid global adoption of beacon technology across industries, with smart beacon market size exceeding $127.4 億 2032. 然而, with much of this potential though, comes heightened risk around security and misuse of user data. Research suggests pretty much of consumers worry about beacons “tracking your every move” from ambient beacon infrastructure. And these concerns are valid — flaws in beacon infrastructure, 設備, or usage can expose sensitive user and corporate data. For any business deploying beacons, ensuring robust protections are in place is now imperative.
除了, the implementation of beacons is rapidly moving from the introduction phase to serious business involving more money, 第三方, 和大多數人感興趣的信息.
在物聯網設備中, 安全是第二重要的事情. 當信標打開且安全可靠時, 這是它唯一一次有效地完成鄰近位置等工作, 通過安全通道傳輸數據, 或與信標周圍的現實世界互動.
How beacons work and security risks
Beacons utilize BLE technology to communicate with nearby smartphones and tablets. They actually transmit in two key modes:
- Advertising Mode: Repeatedly broadcasts a one-way generic packet containing the beacon’s ID only.
- 連接方式: Establishes a two-way, encrypted data connection between two devices.
Most retail and proximity applications rely on advertising mode to detect consumer smartphones. While in range, the beacon identifies the phone but does not access private data. So purely broadcasting beacons cannot “track” users in terms of collecting info. 然而, a beacon network combined with a brand’s mobile app does allow for monitoring customers within stores for analytics or engagement purposes. Users consent to this level of tracking via the app’s terms of service and permissions like enabling Bluetooth. It’s worth noting you can disable location services and Bluetooth on your device to opt out of beacon detection.
Examining a typical beacon ecosystem
While beacons themselves are relatively simple broadcasting devices, the wider ecosystems built around them comprise many interconnected components:
信標生態系統的這些組件因產品的部署而異. Continuous security evaluations of all touchpoints in an ecosystem are key to ensuring defenses stay robust even as new threats emerge.
- Embedded hardware beacon devices – The BLE transmitters, manufactured by companies like MOKOSmart and Kontakt.io. Available for $5 至 $30 每單位. It’s vital to ensure hardware has security protections against code modification or interference attacks.
- 云網絡服務 – Centralized repositories where companies manage registered beacons’ metadata (電池壽命, 地點, sensor data etc.) and analyze aggregated telemetry. 妥善保護存儲在雲中的所有數據非常重要. 還, 確保所有 API 函數都經過適當的身份驗證,並且沒有允許惡意攻擊或訪問未經身份驗證的數據的漏洞.
- Beacon management software – Admin panels from vendors allowing bulk configuring of beacon settings instead of device-by-device. Must encrypt data communications and storage while also securing over-the-air (OTA) 固件更新.
- End User mobile applications – The apps on consumer smartphones and tablets detecting transmitted beacon signals in proximity and leveraging the location data to enable engagements. Rigorous testing essential around authentication, 數據採集, communication encryption etc.
Common beacon exploits – how beacons are attacked
Every communication in Bluetooth beacon is decoded and happens clearly. 由於信標正迅速成為複雜連接的網關, 有些人越來越多地以非預期的方式使用它們,從而導致攻擊. 信標可以通過攻擊:
Piggybacking & Cloning Beacons
當黑客窺探信標時,就會發生捎帶, capture its UUIDs, 專業, 和未成年人, 並在未經所有者同意的情況下將它們添加到他們的應用程序中. 黑客可以在他們的應用程序中依賴信標的基礎設施,因為大多數信標會在幾年內傳輸相同的信號. 儘管與陌生人免費共享信標的基礎設施變得不方便, 對客戶無不良影響,不損壞應用程序.
每當黑客捕獲信標的信息時, 他們還可以輕鬆克隆信標. 克隆涉及復制信標的配置並將其設置到另一個應用程序, 從而誤導用戶. 這是毀滅性的,因為黑客控制了信標激活的地點和時間, 但它仍然會觸發應用付款.
Hijacking Beacons
信標設置為僅通信但不能加密發送給它們的信息. 所以, 當鏈接到信標時,黑客會看到您用於連接的密碼, 他們可以使用或更改它,使其無法再連接. 這使黑客可以完全控制您的信標,從而使您的整個物聯網基礎設施處於危險之中.
Cracking Bluetooth Beacons
即使信標免受遠程攻擊, 有人仍然可以通過從牆上物理移除信標並將其打開來探測信標的內存. 雖然這種攻擊發生的概率很低, 如果您有一個控制敏感應用程序的信標,那麼保護您的信標仍然很重要.
Addressing each of these common attack entryways requires diligent defense across people, processes and technology — coordinating hardware supply chain security, cloud access governance, beacon configuration guidelines and more.
如何使信標更安全
沒有人能夠保護信標免受攻擊,因為它非常棘手. Although many companies have developed strategies to protect their beacons from piggybacking and chip manufacturers’ defenses that protect a device from cracking, 這些努力沒有價值,因為它們沒有覆蓋整個數據鏈. 此外, 沒有人開發出一種可以保護設備免遭劫持的機制. 由於信標技術非常簡單, you can use the following beacon security mechanisms to secure your beacon from all kinds of attacks efficiently.
安全通訊
安全通信保護信標免遭劫持. It is a beacon cyber protocol that uses Bluetooth Low Energy (成為) 並被各種設備支持. 從信標到管理設備的整個通信通道都是完全加密的. 使用安全連接定制的信標不可能被劫持,因為它具有端到端加密並且不需要在 SDK 和信標之間發送密碼. 此安全通信通道通過 SDK 或 Proximity API 進行管理. 具有此通信通道的任何信標都已充分保護免受任何攻擊. 這是因為設備可以有效地防止黑客可能試圖利用的任何惡意攻擊.
軟件鎖
軟件鎖可以保護我們所有的信標免受直接破解. 任何訪問安裝了軟件鎖的設備內存的嘗試都會擦除內存中的所有數據. 儘管簡單的信標配置仍然可用, 破解者無法訪問任何其他信息. 當您的信標中安裝了軟件鎖時, 您可以放心,您的基礎設施是安全的. 原來, 我們曾經在我們所有的信標中都有這項服務, 但我們現在只在客戶需要時才這樣做,因為有些人自己開發固件.
Using Secure UUID for iBeacon Advertising
安全 UUID 是一種保護信標真實 ID 的安全機制. 它使您可以更好地控制對信標信號的訪問. This optional added layer of security is recommended for every beacon deployment.
製造過程中, 可以為每個信標分配一個唯一的信標密鑰. 鑰匙只能被信標或物聯網雲平台識別. 加密和解密信標的可見 ID 時, 安全的 UUID 算法使用信標密鑰及其最近的輪換時間戳.
由於信標負責加密, 它根據其唯一的旋轉間隔創建一個新的可見信標 ID. 信標在 iBeacon 數據包中傳輸新的可見 ID. 解密發生在解析信標密鑰的雲中, 從而異常識別信標. 信標和雲端之間有一個 iOS/Android 設備. 設備偵聽信標的可見 ID 並與雲端鏈接以發現信標的真實 ID.
由於設備僅充當代理, 它無法識別信標鍵. 因此, 惡意方可以輕鬆地從您的應用程序中刪除密鑰,並在將來解密任何信標的可見 ID. 這可以通過在雲中設置解密來防止, 儘管安全 UUID 必須具有有效的 Internet 連接才能工作.
保護您的信標的下一步是什麼
如果您正在尋找一種方法來保護您的信標免受任何攻擊, 那麼你來對地方了. MOKOSmart is a global frontrunner with highly quality 藍牙信標. 隨時歡迎訪問或聯繫我們以獲得進一步的幫助.