RIIT 2016 - Impact of Physical Web and BLE...
Transcript of RIIT 2016 - Impact of Physical Web and BLE...
IoT: Impact of the Physical Web and Beacons
Dr. Debasis Bhattacharya, Mario Canul, Saxon Knight
ICS Faculty • University of Hawaiʻi • [email protected] • (808) 984-3619
maui.hawaii.edu/cybersecurity
Partial support for this work was provided by the National Science Foundation’s Scholarship for Service (SFS) program under Award No. 1437514. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation. University of Hawaii Maui College is an equal opportunity/affirmative action institution.
The “Internet of Things” is exploding. It’s made up of billions of “smart” devices – from minuscule chips to mammoth machines – that use wireless technology to talk to each other (and to us). Our IoT world is growing at a breathtaking pace – from 2 billion objects in 2006 to a projected 200 billion by 2020.
The Physical Web
• Everyday objects with the ability to interact with the Internet and mobile devices
  – Smart TVs, refrigerators, microwaves etc.
  – Provide information, status etc.
• Bluetooth Low Energy (BLE)
  – New protocol to transmit information
  – Low power, short distance
• Beacons!
  – Many vendors: Estimote, Radius Networks, BKON
What is a Beacon?!
• Small transmitter device
  – Sold by many small/large companies
  – Uses Bluetooth Low Energy (BLE)
  – Uses batteries (cell, AAA etc.)
  – Long battery life (years)
  – Price ranges from $10-$30
  – Advertises itself on a regular basis
  – Recognized by mobile phone apps
  – Transmits when a receiver is close (proximity)
  – Small sized data transfers
  – Unique Beacon ID, can be managed remotely
How does it work?
• Apple – iBeacon Protocol
  – Original iBeacon protocol
  – Transmits Beacon UID and short text
• Google – Eddystone Protocol
  – UID – Unique ID + Text
  – URL – Unique ID + URL + Text
  – TLM – Telemetry data, for management
  – EID – Ephemeral ID, secure access (new!)
• Smartphone – iOS and Android
So, how does it work?
• Beacon Advertisement
  – Regular transmissions of UID etc.
• Receiver in Proximity (Range)
  – Typically a smartphone with an app
  – Many vendors have beacon apps
  – Google Play: The Physical Web
  – iTunes: The Physical Web
• Beacon Transmits Data
  – Ex. Eddystone URL resolves URL on mobile app
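To make the advertisement step concrete, here is an added example (not code from the slides, and not Google's or any vendor's library) that decodes the four Eddystone frame types named above out of a raw BLE advertising payload: it walks the length-prefixed AD structures, picks out the Service Data entry carrying the 0xFEAA Eddystone UUID, and expands the compressed Eddystone-URL encoding. The three sample advertisements at the bottom are constructed for the example, not captured from real beacons.

```python
"""Decoder for Google Eddystone advertising frames (UID, URL, TLM, EID).
Added example, not code from the RIIT 2016 slides; the sample advertisements
below are constructed, not captured from real beacons."""
import struct

EDDYSTONE_UUID = b"\xaa\xfe"  # 16-bit service UUID 0xFEAA, little-endian on the air
AD_TYPE_SERVICE_DATA = 0x16

# Eddystone-URL compression tables: one scheme-prefix byte, then expansion codes.
URL_SCHEMES = {0x00: "http://www.", 0x01: "https://www.", 0x02: "http://", 0x03: "https://"}
URL_EXPANSIONS = {
    0x00: ".com/", 0x01: ".org/", 0x02: ".edu/", 0x03: ".net/", 0x04: ".info/",
    0x05: ".biz/", 0x06: ".gov/", 0x07: ".com", 0x08: ".org", 0x09: ".edu",
    0x0A: ".net", 0x0B: ".info", 0x0C: ".biz", 0x0D: ".gov",
}


def _int8(b):
    """TX power is a signed byte (calibrated dBm at 0 m)."""
    return b - 256 if b > 127 else b


def ad_structures(payload):
    """Yield (ad_type, data) for every length-prefixed AD structure in a payload."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:  # a zero-length structure marks padding; stop
            break
        chunk = payload[i + 1:i + 1 + length]
        if len(chunk) != length:
            raise ValueError("truncated AD structure at offset %d" % i)
        yield chunk[0], bytes(chunk[1:])
        i += 1 + length


def decode_url(body):
    """Expand an Eddystone-URL body (scheme byte + compressed URL bytes)."""
    if body[0] not in URL_SCHEMES:
        raise ValueError("unknown URL scheme prefix %#04x" % body[0])
    url = URL_SCHEMES[body[0]]
    for b in body[1:]:
        if b in URL_EXPANSIONS:
            url += URL_EXPANSIONS[b]
        elif 0x21 <= b <= 0x7E:  # printable ASCII passes through unchanged
            url += chr(b)
        else:
            raise ValueError("reserved byte %#04x in URL body" % b)
    return url


def decode_frame(svc):
    """Decode the service-data bytes that follow the 0xFEAA UUID."""
    frame_type, rest = svc[0], svc[1:]
    if frame_type == 0x00:  # UID: tx power, 10-byte namespace, 6-byte instance, 2 RFU
        return {"type": "UID", "tx_power": _int8(rest[0]),
                "namespace": rest[1:11].hex(), "instance": rest[11:17].hex()}
    if frame_type == 0x10:  # URL: tx power, then the compressed URL
        return {"type": "URL", "tx_power": _int8(rest[0]), "url": decode_url(rest[1:])}
    if frame_type == 0x20 and rest[0] == 0x00:  # unencrypted TLM (version 0)
        vbatt, temp, adv_cnt, sec_cnt = struct.unpack(">HhII", rest[1:13])
        return {"type": "TLM", "battery_mv": vbatt, "temperature_c": temp / 256.0,
                "adv_count": adv_cnt, "uptime_s": sec_cnt / 10.0}
    if frame_type == 0x30:  # EID: tx power, 8-byte ephemeral identifier
        return {"type": "EID", "tx_power": _int8(rest[0]), "eid": rest[1:9].hex()}
    raise ValueError("unsupported Eddystone frame type %#04x" % frame_type)


def parse_eddystone(payload):
    """Return the decoded Eddystone frame in a BLE advertising payload, or None."""
    for ad_type, data in ad_structures(payload):
        if ad_type == AD_TYPE_SERVICE_DATA and data[:2] == EDDYSTONE_UUID:
            return decode_frame(data[2:])
    return None


# Constructed sample advertisements: flags, 0xFEAA in the UUID list, then service data.
URL_ADV = bytes.fromhex("020106" "0303aafe" "0d16aafe10ec00") + b"hawaii" + bytes([0x09])
UID_ADV = bytes.fromhex("020106" "0303aafe" "1716aafe00ec"
                        "00112233445566778899" "aabbccddeeff" "0000")
TLM_ADV = bytes.fromhex("020106" "0303aafe" "1116aafe2000" "0bb8" "1680" "00000064" "00000e10")

if __name__ == "__main__":
    for adv in (URL_ADV, UID_ADV, TLM_ADV):
        print(parse_eddystone(adv))
```

Two points worth noticing from the decoder: a UID or URL frame carries nothing that ties it to a particular owner, which is why any receiver in range can log and track it, and the TLM frame exposes battery voltage and uptime in the clear, which is exactly the management data the later slides say must be monitored.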
OK, so what?
• Beacons provide proximity info
  – Beacons are not connected to the Internet
  – They provide “nearby” information
  – Receiver does [will] not need any app
• Google is integrating beacon info in Android
• Somewhat similar to searching for Wi-Fi
  – Beacons can be associated with objects
  – Or locations, people, animals etc. etc.
  – Beacons = Physical things + Web
Issues and Concerns
• Remote Management
  – Locations need to be mapped
• Somewhat similar to deployment of WAPs
  – Need to be managed
    • Weather, battery life, status
  – Transmitted URL information
    • Needs to be current and updated
• Costs
  – $10-$30 per beacon can get expensive
  – Time and cost for IT to manage beacons and content
More Issues and Concerns
• Current State of Beacon Security
  – Nothing!
• Unauthorized Tracking
  – Any receiver can track a beacon UID and location
• Forgery
  – Adversary can forge the advertisement UID
• Showrooming
  – Adversary can insert competing info in beacon data
Security Mitigation
• Google’s new Eddystone Ephemeral ID
  – Every beacon has a private symmetric key
    • Known only to the owner of the beacon
  – Unique Beacon Ephemeral ID (EID)
    • Symmetric key + pseudo-random function of beacon clock
  – Unique Beacon EID needs registration
    • Global online trusted resolver of Beacon IDs
    • Sharing permission policy allows others to connect
  – Receiver securely connects to a Beacon when…
    • Smartphone receives Beacon EID
    • Sends EID to the cloud/global resolver service
    • Cloud/global service matches EID with registered keys
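The following added example (not code from the slides, and not Google's Eddystone-EID implementation) models the mitigation just described and ties it back to the tracking and forgery concerns on the previous slide: the beacon derives its identifier from a private symmetric key and its clock, so the value on the air rotates, and only a resolver holding the registered keys can map an observed EID back to a beacon. The derivation used here, HMAC-SHA256 over the current clock slot truncated to 8 bytes, and the 1024-second rotation period are simplifying assumptions for illustration; the real Eddystone-EID specification uses an AES-based construction with a registered identity key and a rotation exponent, and this code does not reproduce it.

```python
"""Rotating ephemeral beacon identifiers with a trusted resolver, in the spirit
of Eddystone-EID. Added example, not code from the slides or from Google; the
derivation below (HMAC-SHA256 over a clock slot, truncated to 8 bytes) is a
simplified stand-in assumed for illustration, not the Eddystone-EID
specification's AES-based construction."""
import hashlib
import hmac
import os

ROTATION_PERIOD_S = 1024  # assumed rotation period in seconds
EID_LEN = 8               # Eddystone-EID frames carry an 8-byte identifier


def compute_eid(identity_key, beacon_clock_s, period=ROTATION_PERIOD_S):
    """What the beacon broadcasts: PRF(identity key, current clock slot)."""
    slot = beacon_clock_s // period
    return hmac.new(identity_key, slot.to_bytes(4, "big"), hashlib.sha256).digest()[:EID_LEN]


class Resolver:
    """Owner-side registry: it alone holds identity keys; nothing on the air does."""

    def __init__(self, drift_slots=1, period=ROTATION_PERIOD_S):
        self.registry = {}              # beacon name -> identity key
        self.drift_slots = drift_slots  # tolerated beacon/resolver clock skew, in slots
        self.period = period

    def register(self, name, identity_key):
        self.registry[name] = identity_key

    def resolve(self, observed_eid, resolver_clock_s):
        """Match an observed EID against every registered key over a small slot window."""
        now = resolver_clock_s // self.period
        lo = max(0, now - self.drift_slots)
        for name, key in self.registry.items():
            for slot in range(lo, now + self.drift_slots + 1):
                candidate = compute_eid(key, slot * self.period, self.period)
                if hmac.compare_digest(candidate, observed_eid):  # constant-time compare
                    return name
        return None  # unknown key, forged value, or a replayed EID from an old slot


def demo():
    """Rotation defeats passive tracking; forged or stale values do not resolve."""
    key = os.urandom(16)  # constructed identity key, never transmitted
    resolver = Resolver()
    resolver.register("lobby-beacon", key)
    first = compute_eid(key, 100)    # slot 0
    second = compute_eid(key, 2000)  # slot 1: a different value on the air
    return {
        "rotates": first != second,
        "resolved": resolver.resolve(second, 2500),
        "forged": resolver.resolve(os.urandom(EID_LEN), 2500),
        "stale": resolver.resolve(first, 9000),
    }


if __name__ == "__main__":
    print(demo())
```

The resolver tries each registered key over a window of neighbouring slots because beacon clocks drift; widening that window trades a little replay tolerance for robustness, which is the same tension the real service has to manage. A receiver that sees only the rotating 8-byte value cannot correlate sightings across rotation periods, and an adversary who does not hold the identity key cannot produce a value the resolver will accept.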
Case Study: Tracking Luggage
http://accent-systems.com/blog/accent-systems-eddystone-eid-case-study-trackgo-samsonite/
Beacons on College Campus
• Guided tour of campus
  – Each major object on campus has a beacon!
• Classroom
  – Classroom beacon provides current status, schedule
• Cafeteria
  – Daily hours, specials, prices, other info.
• Stadium
  – Current scores, ticket information, events etc.
• Faculty Office
  – Office hours, appointment schedule etc.
Case Studies
• Retail
  – Beacons identify various store locations
• As customers approach, provides info, sales etc.
• Hospitals/Hotels
  – Beacons can identify a patient/guest, location info.
• Any Physical Location of Interest
  – Museums, conventions, stadiums, tourist locations
• Education
  – Beacons can identify classroom info, cafeteria etc.
Conclusion
• Current Web
  – Cloud based
  – URL describes content in cloud
• Related to people, places, things etc.
• Physical Web
  – Proximity content, near micro-location
  – Context is a physical object and/or location
  – Does not require any app or downloads
  – IoT: Beacons allow Things to have Info via Internet
Debasis Bhattacharya • UH Maui • [email protected] • (808) 984-3619