Target recently announced a new program geared towards helping the visually impaired locate deals within a store. The program (launched in fifty stores across Chicago, Denver, Minneapolis, New York City, Pittsburgh, Portland, San Francisco and Seattle) uses Bluetooth beacons to push up to two notifications per shopping trip to users who have installed the iOS app (Android soon to come) and opted into the service.
Naturally, the retail giant will use the collected data to fine-tune the shopping experience for the upcoming holiday shopping madness.
On the surface, this sounds like a great idea… assisting the visually impaired to locate deals they might not otherwise find. But once you peel back the shiny veneer, you might be surprised at what you find.
I’m not talking about malware wrapped around the red target logo of a Target app. I’m talking about the darker possibilities that await such a system.
Let me explain myself.
Many times, when I’m out and about, reading news sites, I brave venturing into the comment sections. Anyone who spends much time on the internet knows comment sections should be off limits. Why? Trolls. But in this case, it’s not your ordinary troll. What I found in various news pieces reporting on Target’s new program was somewhat discouraging. Filling the comment sections were various and sundry ideas on how easy the system would be to hack.
“sooooo easy to duplicate a beacon’s UUID and toss a $5 beacon somewhere in the building that broadcasts links to viruses, dirty sites, etc. With a cloned UUID, it’s automatically accepted as a broadcaster in the allowed list for the app, but with malicious payload.”
… were pretty prevalent. One comment, in particular, referenced an account of the hacking of the CES scavenger hunt from 2014 that walks you through the process used to hack the scavenger hunt beacons.
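The defensive counterpart to the cloned-UUID scenario in that comment is an inventory check on the store's own scanners. The sketch below is an added example, not code from Target or from any of the articles mentioned; it assumes the beacons advertise in the iBeacon format (the page only says "Bluetooth beacons" with a UUID) and that scanners report each sighting with the zone and the advertiser address. The function names, the inventory layout and every sample value are constructed.

```python
import struct

APPLE_COMPANY_ID = 0x004C  # company ID carried in iBeacon manufacturer data

def parse_ibeacon(mfg: bytes):
    """Return (uuid_hex, major, minor, tx_power), or None if not an iBeacon frame."""
    if len(mfg) != 25:
        return None
    company, frame_type, length = struct.unpack_from("<HBB", mfg, 0)
    if (company, frame_type, length) != (APPLE_COMPANY_ID, 0x02, 0x15):
        return None
    major, minor, tx_power = struct.unpack_from(">HHb", mfg, 20)
    return mfg[4:20].hex(), major, minor, tx_power

def build_frame(uuid_hex, major, minor, tx_power=-59):
    """Build a constructed iBeacon frame for the sample data below."""
    return (struct.pack("<HBB", APPLE_COMPANY_ID, 0x02, 0x15)
            + bytes.fromhex(uuid_hex) + struct.pack(">HHb", major, minor, tx_power))

def find_suspect_beacons(observations, inventory):
    """Compare (scanner_zone, adv_address, mfg_data) sightings with the inventory."""
    store_uuids = {ident[0] for ident in inventory}
    alerts = []
    for zone, addr, mfg in observations:
        frame = parse_ibeacon(mfg)
        if frame is None or frame[0] not in store_uuids:
            continue  # not an iBeacon, or not claiming to be one of ours
        ident = frame[:3]
        known = inventory.get(ident)
        if known is None:
            alerts.append(("unknown-major-minor", ident, addr, zone))
        elif addr != known["addr"]:
            alerts.append(("address-mismatch", ident, addr, zone))
        elif zone not in known["zones"]:
            alerts.append(("unexpected-zone", ident, addr, zone))
    return alerts

# Constructed sample data: one registered beacon and four scanner sightings.
STORE_UUID = "00112233445566778899aabbccddeeff"
INVENTORY = {(STORE_UUID, 1, 3): {"addr": "C0:FF:EE:00:00:01", "zones": {"aisle-3"}}}
SIGHTINGS = [
    ("aisle-3", "C0:FF:EE:00:00:01", build_frame(STORE_UUID, 1, 3)),   # genuine
    ("aisle-9", "DE:AD:BE:EF:00:99", build_frame(STORE_UUID, 1, 3)),   # cloned identity
    ("aisle-3", "DE:AD:BE:EF:00:99", build_frame(STORE_UUID, 7, 7)),   # never deployed
    ("entrance", "C0:FF:EE:00:00:01", build_frame(STORE_UUID, 1, 3)),  # wrong place
]

if __name__ == "__main__":
    for alert in find_suspect_beacons(SIGHTINGS, INVENTORY):
        print(alert)
```

A matching advertiser address is a weak signal on its own, which is why the sketch also checks the zone in which a registered beacon is heard.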
This is the world we live in now. With each new evolution of The Internet of Things, we have to face the fact that every step forward will be met with a step or two backwards, as those that can… do. Unfortunately, there is no getting around it. Hacks will happen. Should you create something of interest, something on a network, it will be found and it will be cracked. The more you advertise something, the more people will know about it.
And if you think there isn’t a monetary gain to be had from hacking your system… think twice. Your swell new app or system has a user base; that means there’s a database of users that can be sold to the highest bidder. And if your sub-system is connected to an even bigger system… that means there might well be a pot of gold to be found at the end of that beacon-flavored rainbow.
The world of IT is filled with incredibly intelligent women and men, many of whom have the skills to prevent such attacks… when they are given the resources they need. Unfortunately, we all know how this plays out. You build a better, more secure network and the powers that be start making demands that take you away from network security. Next thing you know, that new pilot program has been hacked and all of your efforts are too little too late.
All of the recent hacks should prove one thing to big corporations: With the continued rise of The Internet of Things and dependency upon electronic payments…
Let me try to make this as clear as possible.
Security. Is. Everything.
It doesn’t matter if you’ve created the single greatest opt-in program in the history of all things. If it is hacked, it will become less than relevant. You may have set up what you thought was the unhackable network. As long as it is connected to the internet, it will eventually be hacked.
I applaud Target for testing new programs… especially ones that aid the impaired. But when you’re using a technology as easily hacked as Bluetooth, know that your system is vulnerable. Just do a search on Bluetooth hacking tools and you’ll see just how easy the Bluetooth system is to break.
What does this all mean? It means that the likes of Apple, Google, and Microsoft need to put their heads together and come up with a much more secure means of transmitting data between devices than Bluetooth. Either that, or the whole of the Bluetooth protocol needs to be upgraded. Period.
According to the NSA’s Bluetooth Security whitepaper:
“Bluetooth links use optional pre-shared key authentication and encryption algorithms that are widely considered acceptably strong when both implemented and used correctly.”
The operative word there is correctly. That same paper goes on to mention that, due to the complexity of the Bluetooth protocol, it is particularly susceptible to a diverse set of security vulnerabilities.
So with companies like Target (who have been hacked before) using vulnerable technology (especially when not implemented correctly) to deploy programs into stores that see millions of consumers per year… it should come as no surprise when these systems are hacked.
I get it. Bluetooth is an incredibly easy and handy bit of technology. I use it to connect headphones and other peripherals to mobile devices and desktops. I also understand the risks of using this technology and just how insecure a piece of hardware is that works with the common Bluetooth pre-shared key of 0000.
The answer? As I said, the best solution to this is for the Bluetooth protocol to get a much-needed overhaul. Until that happens, any system (such as the beacon program to be rolled out by Target) will be vulnerable.
What would you do to change the Bluetooth protocol?