By their definition, Bluetooth Low Energy Beacons utilizing the iBeacon or Eddystone-UID standards advertise a static, publicly discoverable payload – Proximity UUID:Major:Minor or NamespaceID:InstanceID. This introduces a number of security concerns, in particular:
1. The ability for someone to ‘Spoof’ a beacon in order to trick an app into triggering an action in the wrong place. For example, a person may use his or her phone to advertise the exact same UUID:Major:Minor as a useful iBeacon, and trick an App into doing something in the wrong micro-location.
2. The ability for someone to Scan for beacons and map an environment, allowing rival applications to utilize the micro-location information and serve competing content. For example, Store Owner A may gather all iBeacon IDs from his rival store, set his app to listen for these IDs, and incentivize people to leave his rival store when those IDs are heard.
To solve problem number one, BlueCats beacons intersperse their own proprietary non-iBeacon information into the stream of iBeacon advertisements, and any device running our SDK can utilize this info to ‘Verify’ that it is indeed hearing from a BlueCats beacon, and not a spoofed iBeacon.
However, problem number two remains a concern as long as the Bluetooth Advertisement remains static.
All BlueCats beacons are secured against tampering or unauthorized changes to their broadcast settings, but for a more robust level of control and security of the identifiers that the beacons broadcast, we offer you the opportunity to switch the “mode” of a BlueCats beacon, from iBeacon mode to Secure mode. A Secure Mode broadcast does not advertise a static identifier, but rolls its advertisement periodically.
This rolling advertisement must be decoded to a static identifier by the BlueCats SDK via a proprietary multi-step procedure. This assures that only authorized apps (utilizing the BlueCats SDK, and having been granted permission) can interpret beacons and trigger micro-location based actions.
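The rolling-identifier idea described above, as an added example that is not BlueCats code and does not reproduce the proprietary Secure Mode procedure: a generic HMAC-over-time-window scheme showing why a passive scanner cannot map beacons while a key holder can still resolve them. The rotation period, identifier length, key values and beacon names are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

ROTATION_SECONDS = 600  # assumed rotation period; the page does not state one
ID_LEN = 8              # assumed length of the advertised rolling identifier

# Constructed sample registry: static beacon ID -> per-beacon secret key.
REGISTRY = {
    "store-entrance": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "checkout-3": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
}

def rolling_id(key: bytes, unix_time: int) -> bytes:
    """Identifier the beacon would advertise during the window containing unix_time."""
    window = unix_time // ROTATION_SECONDS
    mac = hmac.new(key, struct.pack(">Q", window), hashlib.sha256).digest()
    return mac[:ID_LEN]

def resolve(observed: bytes, unix_time: int, registry=REGISTRY, skew_windows: int = 1):
    """Map an observed rolling ID back to a static ID, or None if it matches no key.

    Adjacent windows are accepted to tolerate clock drift between beacon and resolver.
    """
    for static_id, key in registry.items():
        for drift in range(-skew_windows, skew_windows + 1):
            t = unix_time + drift * ROTATION_SECONDS
            if t >= 0 and hmac.compare_digest(rolling_id(key, t), observed):
                return static_id
    return None

def demo():
    key = REGISTRY["store-entrance"]
    now = 1_700_000_000  # constructed timestamp
    first = rolling_id(key, now)
    later = rolling_id(key, now + ROTATION_SECONDS)
    return {
        "ids_differ": first != later,                # scanner sees unrelated values
        "resolved_now": resolve(first, now),         # key holder recovers the static ID
        "resolved_later": resolve(later, now + ROTATION_SECONDS),
        "stale_replay": resolve(first, now + 3600),  # hour-old capture is rejected
        "unknown_key": resolve(rolling_id(b"\x01" * 16, now), now),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In this sketch a capture rebroadcast inside the accepted windows still resolves, so the rotation period and skew tolerance bound how long a copied advertisement stays valid.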
One of the major benefits of a beacon utilizing the iBeacon standard is the ability for iOS to listen for them while the app isn’t open and prompt action. BlueCats Secure Mode supports similar background capabilities in iOS if the 'Uses Bluetooth LE Accessories' background mode is requested by an app. The Android SDK background capabilities do not change whether the beacon is broadcasting in iBeacon, Eddystone UID or Secure mode.
In summary, the benefits of Secure mode are:
- Complete control of which apps can and cannot access your beacon network for purposes such as gathering analytics about or showing notifications to their customers.
- Prevention of spoofed (replicated) beacons interfering with your own customer experiences.
Because the secure aspect of this is enforced by including our mobile SDKs within an app, third-party systems that rely on standardised iBeacon or Eddystone will not be compatible without additional custom integration by that system.