IOT: IMPACT OF THE PHYSICAL WEB AND...

Post on 20-Mar-2020

IOT: IMPACT OF THE PHYSICAL WEB AND BEACONS

Dr. Debasis Bhattacharya, Mario Canul, Saxon Knight

ICS Faculty • University of Hawaiʻi Maui College
debasisb@hawaii.edu • (808) 984-3619

maui.hawaii.edu/cybersecurity

Partial support for this work was provided by the National Science Foundation’s Scholarship for Service (SFS) program under Award No. 1437514. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation. University of Hawaii Maui College is an equal opportunity/affirmative action institution.

The “Internet of Things” is exploding. It’s made up of billions of “smart” devices – from minuscule chips to mammoth machines – that use wireless technology to talk to each other (and to us). Our IoT world is growing at a breathtaking pace – from 2 billion objects in 2006 to a projected 200 billion by 2020.

The Physical Web

• Everyday objects with ability to interact with the Internet, mobile devices
  – Smart TVs, Refrigerators, Microwaves etc.
  – Provides information, status etc.
• Bluetooth Low Energy (BLE)
  – New protocol to transmit information
  – Low power, short distance
• Beacons!
  – Many Vendors: Estimote, Radius Networks, BKON

What is a Beacon?!

• Small transmitter device
  – Sold by many small/large companies
  – Uses Bluetooth Low Energy (BLE)
  – Uses batteries (cell, AAA etc.)
  – Long battery life (years)
  – Price ranges from $10-$30
  – Advertises itself on a regular basis
  – Recognized by mobile phone apps
  – Transmits when a receiver is close (proximity)
  – Small size data transfers
  – Unique Beacon ID, can be managed remotely

How does it work?

• Apple – iBeacon Protocol
  – Original iBeacon protocol
  – Transmits Beacon UID and Short Text
• Google – Eddystone Protocol
  – UID – Unique ID + Text
  – URL – Unique ID + URL + Text
  – TLM – Telemetry Data, for management
  – EID – Ephemeral ID, secure access (new!)
• Smartphone – iOS and Android

So, how does it work?

• Beacon Advertisement
  – Regular transmissions of UID etc.
• Receiver in Proximity (Range)
  – Typically a smartphone with app
  – Many vendors have beacon apps
  – Google Play: The Physical Web
  – iTunes: The Physical Web
• Beacon Transmits Data
  – Ex. Eddystone URL resolves URL on mobile app

OK, so what?

• Beacons provide proximity info
  – Beacons are not connected to the Internet
  – They provide ”nearby” information
  – Receiver does [will] not need any app
    • Google is integrating beacon info in Android
    • Somewhat similar to searching for Wi-Fi
  – Beacons can be associated with objects
  – Or, locations, people, animals etc. etc.
  – Beacons = Physical things + Web

Issues and Concerns

• Remote Management
  – Locations need to be mapped
    • Somewhat similar to deployment of WAPs
  – Need to be managed
    • Weather, battery life, status
  – Transmittal URL information
    • Needs to be current and updated
• Costs
  – $10-$30 per beacon can get expensive
  – Time and cost for IT to manage beacons and content

More Issues and Concerns

• Current State of Beacon Security
  – Nothing!
• Unauthorized Tracking
  – Any receiver can track a beacon UID and Location
• Forgery
  – Adversary can forge the advertisement UID
• Showrooming
  – Adversary can insert competing info in beacon data

Security Mitigation

• Google’s new Eddystone Ephemeral ID
  – Every beacon has a private symmetric key
    • Known only to the owner of the beacon
  – Unique Beacon Ephemeral ID (EID)
    • Symmetric key + pseudo-random function of Beacon clock
  – Unique Beacon EID needs registration
    • Global online trusted resolver of Beacon IDs
    • Sharing permission policy allows others to connect
  – Receiver securely connects to a Beacon when…
    • Smartphone receives Beacon EID
    • Sends EID to the cloud/global resolver service
    • Cloud/global service matches EID with registered keys
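
The EID flow on this slide, sketched as an added example (not code from the presentation or from Google's Eddystone implementation). HMAC-SHA256 stands in for the pseudo-random function; the 512-second rotation period, 8-byte ID length, `Resolver` class, beacon name and user names are assumptions made for illustration.

```python
import hashlib
import hmac

ROTATION_SECONDS = 512  # assumed rotation period for this sketch
EID_BYTES = 8           # assumed length of the broadcast identifier


def ephemeral_id(key: bytes, beacon_clock: int) -> bytes:
    """EID = PRF(symmetric key, beacon clock quantised to the rotation period)."""
    window = beacon_clock // ROTATION_SECONDS
    mac = hmac.new(key, window.to_bytes(8, "big"), hashlib.sha256)
    return mac.digest()[:EID_BYTES]


class Resolver:
    """Stand-in for the trusted resolver: registered keys plus sharing policy."""

    def __init__(self):
        self._beacons = {}  # beacon name -> (key, users allowed to resolve it)

    def register(self, name, key, allowed_users):
        self._beacons[name] = (key, set(allowed_users))

    def resolve(self, eid, user, now, drift_windows=1):
        """Return the beacon name when eid matches a registered key for a
        time window near `now` and the policy admits `user`; else None."""
        for name, (key, allowed) in self._beacons.items():
            for d in range(-drift_windows, drift_windows + 1):
                t = now + d * ROTATION_SECONDS  # tolerate small clock drift
                if t >= 0 and hmac.compare_digest(eid, ephemeral_id(key, t)):
                    return name if user in allowed else None
        return None


def demo():
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key
    resolver = Resolver()
    resolver.register("cafeteria-door", key, {"alice"})
    t0, later = 1_000_000, 1_000_000 + 10 * ROTATION_SECONDS
    eid = ephemeral_id(key, t0)
    return {
        "permitted_user": resolver.resolve(eid, "alice", t0),
        "unlisted_user": resolver.resolve(eid, "mallory", t0),
        "stale_eid": resolver.resolve(eid, "alice", later),
        "guessed_eid": resolver.resolve(bytes(EID_BYTES), "alice", t0),
        "ids_unlinkable": eid != ephemeral_id(key, later),
    }


if __name__ == "__main__":
    print(demo())
```

An observer without the key sees a different identifier every rotation period, so the static-UID tracking and forgery issues from the previous slide no longer apply to a recorded advertisement once its window has passed.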

Beacons on College Campus

• Guided tour of campus
  – Each major object on campus has a beacon!
• Classroom
  – Classroom beacon provides current status, schedule
• Cafeteria
  – Daily hours, specials, prices, other info.
• Stadium
  – Current scores, ticket information, events etc.
• Faculty Office
  – Office hours, appointment schedule etc.

Case Studies

• Retail
  – Beacons identify various store locations
    • As customers approach, provides info, sales etc.
• Hospitals/Hotels
  – Beacons can identify a patient/guest, location info.
• Any Physical Location of Interest
  – Museum, Conventions, Stadiums, Tourist Location
• Education
  – Beacons can identify classroom info, cafeteria etc.

Case Study: Tracking Luggage

http://accent-systems.com/blog/accent-systems-eddystone-eid-case-study-trackgo-samsonite/

Conclusion

• Current Web
  – Cloud based
  – URL describes content in cloud
    • Related to people, places, things etc.
• Physical Web
  – Proximity content, near micro location
  – Context is a physical object and/or location
  – Does not require any app or downloads
  – IoT: Beacons allow Things to have Info via Internet

Debasis Bhattacharya • UH Maui College debasisb@hawaii.edu • (808) 984-3619