Should We Be Worried About Beacons Being Hacked?

Since the hacks of Target and Home Depot that affected millions of consumers, retailers worldwide are concerned with their cybersecurity procedures and solutions now more than ever. In fact, attacks on point-of-sale systems remain the top source of confirmed data breaches, according to Verizon’s 2015 Data Breach Investigations Report. In addition, the increased use of in-store mobile technology, such as beacons, brings added risk to retailers by providing another potential entry point that hackers can manipulate.

So how are beacons hacked? Due to their connectivity via Bluetooth, software companies and/or cybercriminals can infiltrate into a beacon management system and hijack, or redirect, what information is delivered to the consumer’s smartphone. Let’s take iBeacons as an example.

As defined by the Apple iBeacon specifications, all iBeacons must broadcast a universally unique identifier (UUID), Major number, Minor number and TxPower value. The UUID number typically identifies the beacon owner, while the Major/Minor values are used to further define each beacon within the owner’s ecosystem. The TxPower indicator is a measure of the signal strength received by a consumer’s smartphone when the retailer’s app is one meter from the iBeacon. It's important to note that a beacon’s UUID doesn’t need to be unique; it's not assigned by any governing organization and, depending on the intended use, can be duplicated across multiple beacons.

When a retailer’s app is installed on a smartphone and the device comes within roughly 100 feet to 150 feet of an iBeacon, it reads the UUID, Major/Minor numbers and TxPower value transmitted by the beacon. The device then processes this information, calculates the approximate distance from the beacon based on the received signal strength and sends this information to the retailer’s cloud-based management system. Typically with the user’s permission, the GPS location of the smartphone is also sent. From here, relevant and geo-specific information is sent back to the app on a customer’s device for their viewing and use.

In this scenario, a competitor (e.g., Pete’s Produce) could seek out the UUID number for the beacons used by Val’s Vegetables and program its app to recognize the same value. Then, if a consumer passes a beacon in Val’s store, Pete’s app would process the information and redirect the user to Pete’s website. Essentially, Pete’s would be hijacking and using the virtually stolen beacons inside Val’s physical store for its mobile marketing purposes. However, if both stores’ apps are programed to recognize the same beacon, both apps would process the requests.

Since current manufactured beacons are used for one-way communication, hackers would most likely focus their efforts on redirecting the information sent to the shopper’s smartphone to either a competitor’s page or a malicious website. However, future "smart” beacons will provide a more complex set of security vulnerabilities and increase the possibility of hackers actually accessing the back-end system or, worse, sensitive customer data.

Therefore, retailers should consider these four security precautions when integrating new technologies into their mobile marketing campaigns:

1. Partner with an organization that's knowledgeable of the retail sector, mobile technology and related security issues. A great partner will be able to provide knowhow into technology protocol, deployment and beacon management. Additionally, the organization may be able to include retailers into a multibranded shopper engagement platform, ensuring consistent security protocols and eliminating the requirement for integrating a patchwork of disparate systems, each of which may have their own security vulnerabilities.
2. Conduct proof-of-concept testing before rolling out any technology. This allows internal teams to understand the complexities and risks of new, emerging technologies and where any gaps, holes or weaknesses may exist.
3. While it hasn’t occurred yet, don't completely dismiss the potential for a security breach via beacons. Instead, consider implementing strong credentialing and multiple layers of encryption on each device and back-end software.
4. Remember that while beacons deliver content and do not capture sensitive data directly, they do connect to personal mobile devices. Therefore, develop and implement this technology in the most secure way possible. The last thing a retailer wants is for its beacons or app to mistakenly send offensive content or compromise its customers’ personal information.

Andrew Levi is the founder, chairman of the board, chief executive officer and chief technology officer of Blue Calypso, a company that develops and delivers location-enabled mobile engagement solutions.