Are Estimote Beacons secure? How does Secure UUID work?


Estimote platforms offer two layers of security:

  • cloud-based authentication, protecting beacons from unauthorized access
  • Secure UUID, preventing piggybacking on your beacon network

Both features are integrated with Estimote Cloud, but please note that while authentication is mandatory, using Secure UUID is optional.

Authentication

Every beacon is automatically registered in the Estimote Cloud and assigned to its owner in the factory, based on the email address used during purchase. If a user is not the owner of the beacon, they won’t be able to change any settings.

When you connect to a beacon with the Estimote app, you will see its basic properties like identifier or color. But to be able to configure beacons’ settings with the Estimote app, you need to be logged in to your Estimote Account and Estimote Cloud needs to authenticate you as the owner. If you don’t have an account, you can sign up here.

The same applies to Estimote SDK, but instead of Estimote Account login and password, we use API tokens to authorize access for third-party apps.

We explain how the API token works in a separate article.

If you want to learn more about ownership management and transferring beacons between users, there’s another article that will help.

  

Secure UUID

Enabling Secure UUID causes rotation of the beacon’s ID (UUID, Major and Minor) so it’s broadcasting unpredictable, encrypted values. We advise using it in the production environment, especially in case of large deployments. In order to use Secure UUID, you'll need to enable iBeacon protocol first.

By default, the IDs that beacons broadcast (UUID, Major, Minor), which apps use to identify them, are visible to any device supporting Bluetooth Low Energy. This means anyone could piggyback on your beacon network. For instance, imagine you’re a store owner and your customers are using your app that is integrated with beacons. Beacons broadcast their IDs, so your competitor can easily build an app that will show competing offers to your customers. Secure UUID solves that problem.

With Secure UUID enabled, the only way to resolve the beacon’s ID is via authorized access to Estimote Cloud which requires your username and password or the proper app ID & app token.

Estimote SDK detects whether Secure UUID is enabled on the beacon and automatically takes care of the decryption—you are able to use ranging & monitoring as usual.

Pro tip: don't forget to change ESTBeaconManager to ESTSecureBeaconManager.

Estimote Monitoring currently doesn't offer any alternatives to Secure UUID but we're hard at work to implement it in the near future.
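
A generic sketch of the rotate-and-resolve idea this section describes, added here as an example and not Estimote's code. The page does not document Secure UUID's actual algorithm, so the HMAC-SHA256 derivation, the key values and the names `rotating_payload`, `as_ibeacon` and `Resolver` are assumptions; only the 10-minute interval comes from the comments on this page.

```python
import hashlib
import hmac
import struct
import uuid

ROTATION_SECONDS = 600  # 10-minute rotation, the interval quoted in this page's comments

# Constructed per-beacon secrets; in this sketch only the beacon and the resolver hold them.
KEYS = {"beacon-A": bytes(range(32)), "beacon-B": bytes(range(32, 64))}


def rotating_payload(key: bytes, now: int) -> bytes:
    """20 bytes (16 UUID + 2 Major + 2 Minor) broadcast during the window containing `now`."""
    window = max(now, 0) // ROTATION_SECONDS
    return hmac.new(key, struct.pack(">Q", window), hashlib.sha256).digest()[:20]


def as_ibeacon(payload: bytes):
    """Split a 20-byte payload into the (UUID, Major, Minor) triple a scanner sees."""
    major, minor = struct.unpack(">HH", payload[16:20])
    return uuid.UUID(bytes=payload[:16]), major, minor


class Resolver:
    """Stand-in for the key-holding service that maps a sighting to the real beacon."""

    def __init__(self, keys):
        self.keys = keys

    def resolve(self, payload: bytes, now: int, skew_windows: int = 1):
        # Accept neighbouring windows so small clock drift does not break resolution.
        for beacon_id, key in self.keys.items():
            for delta in range(-skew_windows, skew_windows + 1):
                expected = rotating_payload(key, now + delta * ROTATION_SECONDS)
                if hmac.compare_digest(expected, payload):
                    return beacon_id
        return None  # unknown beacon, stale capture, or resolver holds no key


if __name__ == "__main__":
    t = 1_700_000_000  # constructed timestamp
    seen = rotating_payload(KEYS["beacon-A"], t)
    print(as_ibeacon(seen))                   # looks like an ordinary UUID/Major/Minor
    print(Resolver(KEYS).resolve(seen, t))    # key holder resolves it
    print(Resolver({}).resolve(seen, t))      # observer without keys cannot
    print(Resolver(KEYS).resolve(seen, t + 3 * ROTATION_SECONDS))  # stale sighting
```

In this sketch a captured value still resolves until its window plus the allowed skew has passed, so the rotation interval bounds how long an observed ID stays useful to anyone who recorded it.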

How to enable Secure UUID?

It’s pretty easy. First, UUID rotation requires beacons to have Estimote firmware version 2.2 or later. All you need to do is log in to your Estimote Account in the Estimote iOS app and connect to the beacon. Secure UUID will appear in the settings list.

You can also secure your beacons directly from the Estimote Cloud dashboard. Simply go to beacon settings, set Secure UUID and save changes. The change will be applied via a remote settings update.

 


10 Comment(s)

  • Llama Team

    Do you know when roughly in 2014 this feature will be released? We have beacons in a real world setting and are worried about them having their settings (Major, Minor, Power, etc) changed.

  • Agnieszka Steczkiewicz

    Hi again!

    With the new version of our app that will be released in around 2 weeks (we are waiting for Apple approval) there will be an authentication feature implemented. A full security layer is a matter of 1-2 months.

  • Rui Couto

    How is the new security layer implementation going?
    I'm going to develop a project soon, and I will probably use Estimotes but security is a big concern.

    Thanks!

  • Ula Kierwiak

    Hi Rui,

    We will implement the second security layer for our beacons very soon. Stay tuned!

  • Rui Couto

    If a Beacon UUID is modified, do the current security features still apply?
    That means, when the UUID is modified is that updated on your servers as well?
    Is any password associated to the beacon when it is produced? So that only a specific account can change it?

  • Wojtek Borowicz

    Hi Rui,

    Our new SDK and Estimote Cloud incorporate the key to decode the rotation, so ranging and monitoring remain unaffected. The authentication is based on App ID and App Token: https://community.estimote.com/hc/en-us/articles/203607313-What-are-App-ID-and-App-Token-and-what-do-I-need-them-for-

    Cheers.

  • Gil Elgrably - Zikit

    Few questions about using Secure UUID:

    1. Must the user have a working internet connection to detect beacons?
    2. What is the beacon's identifier change frequency (hh / dd / mm / yy)?
    3. How much does it impact the battery? (A reduction percentage would be nice.)

    Tnx.

  • Wojtek Borowicz

    Hi Gil,

    Yes, right now internet connection is required. At some point in the future we might release an offline-compatible version. The rotation occurs every 10 minutes and impact on the battery is negligible.

    Cheers.

  • Josh San

    Hi,
    I'm developing a solution for a client and top concern is security.
    I would like to understand details on the implementation of the secure UUID. What sort of encryption do you employ?
    What does a secure UUID look like? Is it an encrypted random string? Does it look like another UUID?

  • Wojtek Borowicz

    Hi Josh,

    Yes, Secure UUID looks like another UUID, but to resolve it to the real ID you need app's API credentials and a key stored in Estimote Cloud.

    Cheers.
