What iBeacon May Mean for Your Security

co-authored by Dr. Stephen Bryen, Chairman, ZiklagSystems

A story appeared in Forbes on March 12th about an Apple product called iBeacon. Written by Forbes staff writer Kashmir Hill, the story said that updates authored by Apple for iPhones were turning the phone's Bluetooth function "on." Some of us wondered if this wasn't a security risk.

So far, Apple has not denied the story. And so it seems that Apple is turning iPhone Bluetooth on with its update without first informing iPhone users.

The reason is that Apple is boosting its new product, iBeacon. iBeacon is intended to help retailers track shoppers and push information to them. The Motley Fool says in an overblown headline, "Apple's iBeacon Could Make or Break the Retail Industry."

It is a good idea to know a little about iBeacon and other programs like it. Apple is not alone in promoting this kind of system, and it impacts shoppers and buyers, but it has many other uses that are, to say the least, potentially nefarious.

iBeacon is a system that works through Bluetooth. Virtually all smartphones have Bluetooth installed. It is a great feature for enabling hands-free phones in autos and trucks, and it can also support many other devices such as wireless headphones, speakers, wireless keyboards and much more.

Bluetooth is a relatively short-range radio transmission. But today there is sensitive equipment that can intercept Bluetooth at considerable distance from the phone's RF emitter.

Shops and stores are using technology such as iBeacon to try to "enhance" the shopping experience. Basically, when a shopper enters a store area, the iBeacon tracks him or her. A retailer will see the shopper in a particular area, and can send pop-up messages about offers and deals, or additional information the shopper might not see on the shelves or floor area.

A lot of information can be picked up by location-sensitive tracking. For example, the shopping "profile" of a user can be learned and matched to the phone's IMEI number, which can always be accessed. This means a store will know how many times someone visits the store, what their preferences are, and even who they were with (if they also had a smartphone with them).

Under the Apple system, there is an option to "opt in", that is, to allow yourself to be tracked. But not all systems have this option and, in fact, not all systems use Bluetooth. Some use Wi-Fi or other tracking systems that follow smartphones.

Many people don't leave their Bluetooth or Wi-Fi in the "on" position because it uses up the battery too quickly. Smartphone batteries are a major performance problem for phone users and there are a host of techniques to try to minimize the load on the telephone battery.

Every telephone can be tracked to some degree by GPS, but GPS tracking is not fine enough to pinpoint where a person is in a building. In fact, most of the time GPS won't even work in a building because the connection to the GPS satellites (3 are needed for triangulation) isn't available. The government can still track you, to some reduced level of accuracy, by triangulating your location from nearby cell phone transmitting towers, a feature you cannot turn on or off, presumably for your safety in case of emergency (it is called Enhanced 911). But it is not nearly as good as what Apple and others are pushing for retail shopping.

So what is the problem? The immediate concern is that your Bluetooth or Wi-Fi can be switched on without you knowing it. This exposes you to risk of being tracked not only inside a store, but anywhere: in a parking lot, on a street, in an office, at a lunch or dinner. There is no end of mischief possible.

Because smartphones are incredibly powerful platforms with inherently poor security, smartphone users need to realize the risks. Opting "in" or "out" won't help you much if someone with bad intentions is trying to track or harass you or your family or your colleagues. The data that will immediately fall into the hands of store employees is not benign. Knowing who you are, who you are with, and what you are doing is information that can be bartered and used against your interests.

This is not to say that anyone intends for systems such as iBeacon to be used for anything other than promoting sales of products and services. But there are no meaningful security rules that protect you, and none on the horizon.

Want to do something about it? If you don't like being tracked, and you see your phone's Bluetooth or Wi-Fi turned on in a store, instead of just turning it off, complain to the manager that he is compromising your privacy and security and you are mad about it. Retailers won't keep doing it if they think the public is against it, because they will lose customers.

The above action is not a solution to the problem, but it is a first step in fighting back.