Kontakt.io Vows Its Latest Beacons Are Resistant To All Types Of Data Breaches

Connected devices are always vulnerable to having their data hijacked in mid-communication. Kontakt.io believes it has the protection proximity marketers need.

As beacon installs and interest in reaching consumers through a variety of Internet of Things programs by major retailers continue to rise, proximity tech provider Kontakt.io is preparing a set of security features meant to protect the systems these sensors rely on from the most common forms of hacking.

“Beacons are a fundamentally simple piece of technology: they’re little automated radios that broadcast a short-range signal that’s made up of a string of numbers and letters,” said Kontakt.io CEO Szymon Niemczura. “That’s a simple piece of tech on which to rest so much of the promise of IoT.”

To address the inherent openings a hacker could exploit through the Bluetooth connection, Kontakt.io Secure, which will be available Oct. 15, has two main features. First, Kontakt.io “shuffles” the Major and Minor signals that give a beacon its unique identifier. In a sense, a constantly shifting signal format is harder for a determined invader to lock onto and take over.

Second, the Kontakt.io tool’s system is rounded out with an additional encryption layer that is password protected and is managed solely through the Kontakt.io Proximity API or SDK.

Safety First

Given that beacons are still an emerging technology, it’s no surprise that there have been few attempts at developing comprehensive security initiatives. As a global provider of beacon technology in an increasingly crowded space, Kontakt.io has a chance to differentiate itself by appealing to retailers and venues uncertain about IoT and mobile marketing by emphasizing a message of “safety first.”

“Beacon deployments all around the world are moving from POCs to deployment phase, and often involve money, mission-critical or valuable transactions where threat of hacking a beacon is high,” said Niemczura. “At Kontakt.io, we have a lot of beacon deployments that happen at enterprise scale, and our goal was to provide them with the most secure solution on the market.”

While other companies have developed security protocols to defend against one or a few types of security breach, Kontakt.io claims Kontakt.io Secure is a “complete security system,” meaning that it will protect spaces from every type of beacon security breach. Kontakt.io breaks them down into four categories.

  • Piggybacking: when a hacker steals information and infrastructure from your beacons to use in his or her own tech
  • Cloning: when a hacker makes their own beacon impersonating yours, sending false or misleading information to customers under the guise of your business
  • Hijacking: when a hacker changes the access measures or password to your beacons, effectively locking you out of your own system
  • Cracking: the least likely to happen of the four due to its difficulty, involves a hacker physically stealing the beacon off of your wall and analyzing the memory directly to get to valuable information. This is an extreme case, but if you’re working in a high-value business, like a bank, the potential payout for a “beacon cracker” could be worth the risk.

Other Security Measures

A quick look at some other beacon providers gives context for what kinds of security services are at work in the beacosystem right now.

Estimote and iBeacons come with a Secure UUID system that prevents piggybacking and cloning, but their specs make no reference to hijacking or cracking.

Google’s Eddystone beacons utilize a system called Ephemeral Identifiers that generates IDs that change frequently, making hijacking more difficult, but a report from Make in August showed that the system is vulnerable to piggybacking. Eddystone makes no reference to other types of attacks like cloning or cracking.

Niemczura wrote in a blog post that the reason the company is talking about the security suite before its release is because “we want you to break it.” The company is inviting security personnel to personally test the security of its features by attempting to crack into it themselves.

About The Author
Daniel Parisi (@daniel_parisi_)

Daniel Parisi is a New York City-based writer and recent graduate of the University of Maryland. Daniel specializes in coverage of mobile payments, loyalty programs, and the Internet of Things.