New Eddystone beacon format addresses security concerns

The Ephemeral Identities addition to Google’s more secure Eddystone beacon format is now supported by a dedicated Nordic Software Development Kit

Beacons are driving new proximity-based services. The devices comprise low-cost Bluetooth low energy transmitters for indoor or outdoor use, placed in a particular location or point of interest. The beacon transmits its identity to any Bluetooth 4.0-equipped mobiles in range; those hosting a companion app can be located and the software can trigger various types of notifications.

Because beacons have the potential to identify the location of smartphones to within a few meters, they enable content delivery specifically targeted to that location for users who want it. As such, the technology is predicted to be rapidly adopted by stores as a way to boost sales. Analyst Business Insider, for example, estimates that the top 100 U.S. retailers could reap $44.4 billion in sales by the end of this year as a result of the influence of beacon-triggered smartphone notifications.

However, despite the potential, beacons have taken a little longer than initially predicted to catch on. “Beacons are a core building block of the Internet of Things,” explains Reidar Martin Svendsen, Technical Product Manager with Nordic Semiconductor, “but security and privacy have been a concern with today’s beacon formats.”

The root of the problem is Bluetooth low energy technology’s use of a unique identifier to pair with mobile devices for the exchange of information. In most applications, this is not an issue, but because a beacon is designed to pair with any mobile device that comes within range, a fixed identifier can leave open a ‘back door’ for unethical parties to eavesdrop on communications and perhaps access private information about a consumer with malicious intent.

This perceived vulnerability is holding back beacon deployment. “Privacy is the top consumer barrier to wide adoption of beacons,” Adam Silverman, an analyst with Forrester Research, told technology publication Wired.

Hardening beacon security

In April, Google introduced new technology to enhance beacon privacy by launching Eddystone-Ephemeral Identities (EID), an addition to the Eddystone beacon format that itself was announced in mid-2015.

The company explains that Eddystone-EID provides developers more power to control who can make use of a beacon’s signal, enabling a new set of use cases for users to be able to exchange information securely and privately. The secret of the technology is a beacon ‘frame’ (or signal) that changes periodically, and consequently is only recognizable to a controlled set of users (those that have signed up to the service).

An Eddystone-EID beacon uses an AES-encrypted eight-byte beacon identifier that changes pseudo-randomly with an average period (from one second to just over nine hours) determined by the developer. The identifier is generated using a key and timer running on the beacon. The key is generated and exchanged with a resolution service using a defined protocol, and only the beacon and the service to which it is registered have access to the key. If registered with the service, beacon ‘attachments’ are served in the normal way across a secure link to a consumer’s mobile.
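The rotation scheme described above, sketched in Python as an added example (not code from Google, Nordic or this article). The 16-byte block layout follows Google's public Eddystone-EID specification rather than anything stated here; the `resolve` helper, the shared clock and the one-window drift tolerance are simplifying assumptions, and the inline AES-128 is for illustration only, so a vetted crypto library belongs in real firmware or services.

```python
import hmac

def _sbox():
    # Derive the AES S-box from GF(2^8) arithmetic instead of a 256-entry table.
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    box, p, q = [0x63] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF      # q /= 3
        if q & 0x80: q ^= 0x09
        box[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1: return box

SBOX = _sbox()
xt = lambda a: ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1  # multiply by 2

def aes128_encrypt(key, block):
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):  # key schedule: 44 four-byte words
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon; rcon = xt(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    rk = [sum(w[4 * r:4 * r + 4], []) for r in range(11)]
    s = [a ^ b for a, b in zip(block, rk[0])]
    for r in range(1, 11):
        s = [SBOX[b] for b in s]                            # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]  # ShiftRows
        if r < 10:                                          # MixColumns
            s = [s[c + j] ^ s[c] ^ s[c + 1] ^ s[c + 2] ^ s[c + 3]
                 ^ xt(s[c + j] ^ s[c + (j + 1) % 4])
                 for c in range(0, 16, 4) for j in range(4)]
        s = [a ^ b for a, b in zip(s, rk[r])]               # AddRoundKey
    return bytes(s)

def eid(identity_key, k, t):
    # Temporary key from the top 16 bits of the 32-bit seconds counter t.
    tk = aes128_encrypt(identity_key, bytes(11) + b"\xff\x00\x00" + (t >> 16).to_bytes(2, "big"))
    # Broadcast ID: counter with its low k bits cleared, first 8 ciphertext bytes.
    return aes128_encrypt(tk, bytes(11) + bytes([k]) + ((t >> k) << k).to_bytes(4, "big"))[:8]

def resolve(seen, registry, now, k):
    # Hypothetical service side (assumes a shared clock): try this window and its neighbours.
    for name, key in registry.items():
        for t in (now - (1 << k), now, now + (1 << k)):
            if t >= 0 and hmac.compare_digest(eid(key, k, t), seen):
                return name
    return None
```

Here `k` is the rotation exponent: the identifier changes every 2**k seconds, so k = 0 gives one second and k = 15 gives 32,768 seconds, the "just over nine hours" upper bound. An observer without the key sees unrelated eight-byte values from one window to the next.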

Apart from the security improvement, Eddystone-EID also introduces other enhancements such as an ability to broadcast URLs. “[Now, for example] advertising posters [could have] the ability to broadcast a relevant web address to smartphones nearby – making it easy for interested parties to find out more about the advertised item without having to download an app first,” notes Nordic’s Svendsen.

Nordic is one of fifteen manufacturers currently supporting Eddystone-EID, a list which also includes Sensoro and Estimote, beacon makers that use Nordic’s Bluetooth low energy wireless technology. When Google introduced Eddystone-EID, Nordic simultaneously announced its Software Development Kit (SDK) and supporting tools for engineers looking to work with the more secure beacon technology.

The ‘nRF5 SDK for Eddystone’ enables development of Eddystone-EID beacons to provide real-world context to users in a huge variety of proximity-based beacon applications. The SDK also features a Generic Attribute Profile (GATT) that allows beacons to be configured from a smartphone.

The SDK is designed for Nordic’s nRF52 Series Bluetooth low energy Systems-on-Chip (SoCs). A future upgrade will also allow for the existing nRF51 or nRF52 Eddystone beacons to be updated to Eddystone-EID via an over-the-air (OTA) firmware update.
