IOT: IMPACT OFTHE PHYSICAL WEB AND

BEACONSDr.DebasisBhattacharya,MarioCanul,SaxonKnight

ICSFaculty•UniversityofHawaiʻI MauiCollegedebasisb@hawaii.edu •(808)984-3619

maui.hawaii.edu/cybersecurity

Partial support for this work was provided by the National Science Foundation’s Scholarship for Service (SFS) program under Award No. 1437514. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation. University of Hawaii Maui College is an equal opportunity/affirmative action institution.

The Physical Web

• EverydayobjectswithabilitytointeractwiththeInternet,mobiledevices– SmartTVs,Refrigerators,Microwavesetc.– Providesinformation,statusetc.

• BluetoothLowEnergy(BLE)– Newprotocoltotransmitinformation– Lowpower,shortdistance

• Beacons!– ManyVendors:Estimote,RadiusNetworks,BKON

What is a Beacon?!

• Smalltransmitterdevice– Soldbymanysmall/largecompanies– UsesBluetoothLowEnergy(BLE)– Usesbatteries(cell,AAAetc.)– Longbatterylife(years)– Pricerangesfrom$10-$30– Advertisesitselfonaregularbasis– Recognizedbymobilephoneapps– Transmitswhenareceiverisclose(proximity)– Smallsizedatatransfers– UniqueBeaconID,canbemanagedremotely

What are the protocols?

• Apple– iBeaconProtocol– OriginaliBeaconprotocol– TransmitsBeaconUIDandShortText

• Google– Eddystone Protocol– UID– UniqueID+Text– URL– UniqueID+URL+Text– TLM– TelemetryData,formanagement– EID– EphemeralID,secureaccess(new!)

• Smartphone– iOSandAndroid

So, how does it work?

• BeaconAdvertisement– RegulartransmissionsofUIDetc.

• ReceiverinProximity(Range)– Typicallyasmartphonewithapp– Manyvendorshavebeaconapps– GooglePlay:ThePhysicalWeb– iTunes:ThePhysicalWeb

• BeaconTransmitsData– Ex.Eddystone URLresolvesURLonmobileapp

OK, so what?

• Beaconsprovideproximityinfo– BeaconsarenotconnectedtotheInternet– Theyprovide”nearby”information– Receiverdoes[will]notneedanyapp

• GoogleinintegratingbeaconinfoinAndroid• SomewhatsimilartosearchingforWi-Fi

– Beaconscanbeassociatedwithobjects– Or,locations,people,animalsetc.etc.– Beacons=Physicalthings+Web

Issues and Concerns

• RemoteManagement– Locationsneedtobemapped

• SomewhatsimilartodeploymentofWAPs

– Needtobemanaged• Weather,batterylife,status

– TransmittalURLinformation• Needstobecurrentandupdated

• Costs– $10-$30perbeaconcangetexpensive– TimeandcostforITtomanagebeaconsandcontent

More Issues and Concerns

• CurrentStateofBeaconSecurity– Limited!

• UnauthorizedTracking– AnyreceivercantrackabeaconUIDandLocation

• Forgery– AdversarycanforgetheadvertisementUID

• Showrooming– Adversarycaninsertcompetinginfoinbeacondata

Security Mitigation

• Google’sEddystone EphemeralID– Everybeaconhasaprivatesymmetrickey

• Knownonlytotheownerofthebeacon

– UniqueBeaconEphemeralID(EID)• Symmetrickey+pseudo-randomfunctionofBeaconclock

– UniqueBeaconEIDneedsregistration• GlobalonlinetrustedresolverofBeaconIDs• Sharingpermissionpolicyallowsothertoconnect

– ReceiversecurelyconnectstoaBeaconwhen…• SmartphonereceivesBeaconEID• SendsEIDtothecloud/globalresolverservice• Cloud/globalservicematchesEIDwithregisteredkeys

Beacons on College Campus

• Guidedtourofcampus– Eachmajorobjectoncampushasabeacon!

• Classroom– Classroombeaconprovidescurrentstatus,schedule

• Cafeteria– Dailyhours,specials,prices,otherinfo.

• Stadium– Currentscores,ticketinformation,eventsetc.

• FacultyOffice– Officehours,appointmentscheduleetc.

Case Studies

Case Studies

• Retail– Beaconsidentifyvariousstorelocations

• Ascustomersapproach,providesinfo,salesetc.

• Hospitals/Hotels– Beaconscanidentifyapatient/guest,locationinfo.

• AnyPhysicalLocationofInterest– Museum,Conventions,Stadiums,TouristLocation

• Education– Beaconscanidentifyclassroominfo,cafeteriaetc.

Conclusion

• CurrentWeb– Cloudbased– URLdescribescontentincloud

• Relatedtopeople,places,thingsetc.

• PhysicalWeb– Proximitycontent,nearmicrolocation– Contextisaphysicalobjectand/orlocation– Doesnotrequireanyapp ordownloads– IoT:BeaconsallowThingstohaveInfoviaInternet

Debasis Bhattacharya • UH Maui Collegedebasisb@hawaii.edu • (808) 984-3619