It has just been announced that this year’s Consumer Electronics Show (CES) will feature a promotional scavenger hunt based around Apple’s iBeacon technology. What if you could win the hunt without ever having to go to CES?
Quietly introduced by Apple at WWDC last year, iBeacon is a technology that allows you to add real world context to smart phone applications. Based around Bluetooth LE—part of the new Bluetooth 4.0 standard—it’s a way to provide basic indoor navigation and proximity detection.
As we talked about earlier today when we reverse engineered the Estimote beacons, there are three properties of an iBeacon that work together to create the beacon’s identity. These are:
- UUID — This is a property which is unique to each company; in most use cases the same UUID would be given to all beacons deployed by a company (or group).
- Major — The property that you use to specify a related set of beacons, e.g. in a retail setting all the beacons in one store would share the same Major value.
- Minor — The property that you use to specify a particular beacon in a location.
The scavenger hunt is therefore a hunt for a number of beacons that will probably all share the same UUID and Major numbers, but will have different Minor numbers. Effectively, we’re looking for a set of beacons.
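To make the three identity fields concrete, here is an added example (not code from the article or from the CES app) that decodes the manufacturer-specific data of an iBeacon advertisement. The function names and the sample frame are constructed for illustration; the frame uses the hunt UUID and Major quoted in this article, with an assumed measured power.

```javascript
// Added example (not from the article): decode the manufacturer-specific data
// field of a BLE advertisement that uses the iBeacon layout.
// Bytes: 4C 00 (Apple company ID, little-endian), 02 (type), 15 (length = 21),
// then 16-byte UUID, 2-byte Major, 2-byte Minor (big-endian), 1-byte signed power.
const IBEACON_PREFIX = Buffer.from([0x4c, 0x00, 0x02, 0x15]);

function parseIBeacon(mfgData) {
  if (!Buffer.isBuffer(mfgData) || mfgData.length < 25) return null;
  if (!mfgData.subarray(0, 4).equals(IBEACON_PREFIX)) return null;
  const hex = mfgData.subarray(4, 20).toString('hex').toUpperCase();
  const uuid = [hex.slice(0, 8), hex.slice(8, 12), hex.slice(12, 16),
                hex.slice(16, 20), hex.slice(20)].join('-');
  return {
    uuid,
    major: mfgData.readUInt16BE(20),
    minor: mfgData.readUInt16BE(22),
    measuredPower: mfgData.readInt8(24),
  };
}

// True when two frames claim the same beacon identity. Every byte that makes up
// the identity is broadcast in the clear and none of it changes between
// broadcasts, so this comparison is all a listening app has to go on.
function sameIdentity(a, b) {
  return a !== null && b !== null &&
    a.uuid === b.uuid && a.major === b.major && a.minor === b.minor;
}

// Constructed sample frame: the UUID and Major quoted in the article,
// Minor 65001, and an assumed measured power of -59 dBm.
const SAMPLE_FRAME = Buffer.concat([
  IBEACON_PREFIX,
  Buffer.from('842AF9C408F511E39282F23C91AEC05E', 'hex'),
  Buffer.from([0xfd, 0xe8]), // Major 65000
  Buffer.from([0xfd, 0xe9]), // Minor 65001
  Buffer.from([0xc5]),       // -59 as a signed byte
]);

console.log(parseIBeacon(SAMPLE_FRAME));
```

The frame carries no counter, nonce or signature, which is why an app that trusts these fields alone cannot tell which transmitter it is hearing.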
However, wandering the hallways at CES hoping to get within range (approximately 100 feet) of all of the iBeacons they’ve scattered across the show floor sounds like a lot of work.
CES has teamed up with Radius Networks who are providing the iBeacon hardware, and Marc Wallace—CEO and cofounder of Radius Networks—has this to say about the hunt,
This is one of the coolest proximity-aware apps we have worked on. This is also one of the first, tangible applications that leverages iBeacon technology. And it is a great example of how iBeacon technology is not just about advertising as it is about bringing new and innovative solutions to the marketplace. We are very excited to be a part of it.
Since they’re using hardware from Radius Networks we can’t just assume—as we could with the Estimote hardware—that we know the UUID of the beacons. However the identities of the beacons—all of the beacons—are somewhere where we can easily get our hands on them, the CES mobile app.
Sure enough, looking at the CES Android application (it’s fairly easy to download the APK without having to install it) there are some hints there for us, and using a decompiler it was fairly easy to find the details of the target beacons.
The iBeacon UUID we’re looking for is 842AF9C4-08F5-11E3-9282-F23C91AEC05E, while the Major number (interestingly not actually needed and just ignored by the Android application) is 65000, and the nine beacons scattered throughout the CES venue have Minor numbers from 65001 to 65009.
Since we now know the identities of the beacons, it’s trivial to finish the scavenger hunt without ever going to CES, as it’s fairly simple to build your own iBeacon hardware and “fake” the app into thinking you’ve found the beacons. To do that you can either use a Raspberry Pi, or a Bluetooth LE board like the Red Bear Labs BLE Mini board. Radius Networks, the people supplying the hardware to CES, is even selling an “iBeacon Development Kit” which would work just fine for our purposes.
At which point, now that you have your own iBeacon hardware, you can just go ahead and set the UUID, Major and Minor numbers of your beacon to each of the CES scavenger hunt beacon identities in turn, and then bring your beacon into range of your cell phone, which should be running the CES mobile app. Once you’ve shown the app all of the beacons, you’ll have “finished” the scavenger hunt and can claim your prize. Of course doing that isn’t legal. It’s called fraud and will probably land you in serious trouble. Don’t do that.
Of course it could be worse. If they were using Estimote hardware it would be easy for someone to make the hunt impossible to complete, because, as we’ve shown, anyone with the Estimote SDK can modify the UUID, Major and Minor numbers of Estimote beacons in the field. The beacons deployed across the CES floor would then no longer work for the scavenger hunt. Again, we don’t suggest you do this. Hacking technology to understand how it works and make it work better for you is one thing, but gratuitous monkeywrenching that wrecks someone else’s experience is not nice.
We talked about both the ability to configure “fake” beacons and the ability to disable beacons in the field in our discussion of our reverse engineering of the Estimote iBeacon hardware. However, we didn’t think we’d see something like this quite as soon.
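Because the beacons themselves cannot prove where they are, one check an organiser can still make is on the server side: whether a completed card was filled faster than anyone could walk the floor. The following is an added example, not the CES app's code; it assumes the app reports each sighting as a `{ minor, t }` record, and the thresholds and both sample logs are constructed.

```javascript
// Added example (not the CES app's code): server-side review of a punch card.
// Assumptions: the app reports each sighting as { minor, t } with t in seconds,
// and most stations are at least a minute's walk apart.
const HUNT_MINORS = new Set([65001, 65002, 65003, 65004, 65005,
                             65006, 65007, 65008, 65009]);
const MIN_SECONDS_BETWEEN_STATIONS = 60; // assumed, venue-specific
const MAX_FAST_HOPS = 2;                 // assumed tolerance for adjacent stations

function reviewCard(sightings) {
  // Keep only the first time each hunt beacon was reported.
  const firstSeen = new Map();
  for (const s of sightings) {
    if (!HUNT_MINORS.has(s.minor)) continue;
    const prev = firstSeen.get(s.minor);
    if (prev === undefined || s.t < prev) firstSeen.set(s.minor, s.t);
  }
  // Count consecutive first sightings that are closer together than a walk allows.
  const times = [...firstSeen.values()].sort((a, b) => a - b);
  let fastHops = 0;
  for (let i = 1; i < times.length; i++) {
    if (times[i] - times[i - 1] < MIN_SECONDS_BETWEEN_STATIONS) fastHops++;
  }
  const complete = firstSeen.size === HUNT_MINORS.size;
  return { complete, fastHops, suspicious: fastHops > MAX_FAST_HOPS };
}

// Constructed logs: one card filled at two-second intervals, one filled on foot.
const REPLAY_LOG = [...HUNT_MINORS].map((minor, i) => ({ minor, t: 1000 + 2 * i }));
const WALK_LOG = [...HUNT_MINORS].map((minor, i) => ({ minor, t: 1000 + 240 * i }));

console.log(reviewCard(REPLAY_LOG)); // flagged
console.log(reviewCard(WALK_LOG));   // not flagged
```

A flag here is a reason to review a prize claim by hand, not proof of anything on its own.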
Update: Thanks to Binoy Joy for the reminder. The Radius Networks application—for both iOS and Android (Android doesn’t support peripheral roles)—includes the ability to make your device into an iBeacon, and allows you to configure the UUID, Major and Minor number for the beacon. So if you have two devices with you at CES today—say a phone and a tablet—then you too can be a winner in the great CES Scavenger Hunt.
22 thoughts on “Hacking the CES Scavenger Hunt”
[…] the same authors also ‘hacked’ the CES app – completing the Scavenger Hunt without even getting on a plane to Vegas. Hardly a […]
You can use Sandeep’s bleno library and NodeJS to emulate iBeacons. https://gist.github.com/don/8248454
var bleno = require('bleno'),
    uuid = '842AF9C408F511E39282F23C91AEC05E',
    major = 65000,
    minor = 65000,
    measuredPower = -59;

// Every two seconds, advertise the next Minor number, from 65001 to 65009.
var intervalId = setInterval(function() {
  bleno.stopAdvertising();
  minor++;
  if (minor > 65009) {
    clearInterval(intervalId);
    console.log("Bye!");
    return;
  }
  console.log(minor);
  bleno.startAdvertisingIBeacon(uuid, major, minor, measuredPower);
}, 2000);

console.log("CES Scavenger Hunt");
That’s awesome. I must admit I was still thinking along the lines hardware and hacking on a Raspberry Pi. But that’s a neat solution. I think it’d be hard to do in fewer lines of code…
[…] At this most basic level, it’s discoverable by anyone. This is how the guys at MAKEzine were able to “hack” into the CES Scavenger hunt. And it’s true, Estimote beacons can be hacked. But, at this level, so can any beacon. […]
[…] CES scavenger Hunt: http://bit.ly/1c09eFN (and how it was hacked) […]
[…] The CES scavenger hunt application is a simple listener that implements a “virtual punch card.” Nine locations on the CES show floor were equipped with beacons, and conference attendees who visited all nine locations completed a virtual card in the application and were entitled to receive a gift from the show. Each of the nine beacons had a unique signature, decoded by Alasdair Allan and Sandeep Mistry in Make magazine. […]
[…] iBeacon’s fundamentally open design means any mobile app can be designed to detect a retailer’s location broadcast, and such vulnerabilities have been already exposed in competitors’ models. By using passive devices to collect the network of IDs assigned to BLE devices in a store, competitors or third party developers have the same ability as the retailer to broadcast information to locate and track users (possibly without their permission). These third parties are then able to send shoppers offers for cheaper product alternatives or other perks at a competitor’s store or website (for example), thereby driving shoppers from the retailer’s own store. In addition, once certain characteristics of a beacon are changed by outside parties, any consumer application configured to use that particular beacon could potentially be disabled, negating the retailer’s investment. Third parties can also configure impostor beacons within a store’s own system, thereby gaining access potentially to gift cards, promotions and other location-dependent experiences tied to the beacons being impersonated. This particular vulnerability was showcased (unintentionally) at last year’s Consumer Electronics Show (CES), which featured a promotional scavenger hunt based around Apple’s iBeacon technology. According to Makerzine, someone won the hunt without ever attending the show! […]
[…] that was obvious when we looked at the Estimote beacons earlier this year, although even doing this doesn’t mean that iBeacons are a good fit for all applications as it’s easy to fake iBeacon signals — the UUID, Major, and […]
[…] someone who was not even at the event venue at the time won it. If you have the time, I strongly recommend reading the article about this story […]
[…] to the critical vulnerability of “naked” beacons is an important one. Beacon hijacking is a proven occurrence and retailers and others who deploy insecure networks are vulnerable to third party […]
[…] of growth has understandably created some security concerns about how businesses and organizations can secure their Beacons. Today we will address that […]
The software for the game or a clone of it is on the github of the RadiusNetworks (https://github.com/RadiusNetworks/scavenger-hunt-ios-os) from last November
[…] This one’s a bit more funky. There are many ways to get a UUID. If a competitor stores their UUIDs in their app, you can often decompile the app and retrieve them. This is how the CES Scavenger hunt was ‘hacked’. […]
this article
Hacking the CES Scavenger Hunt | Make:
[…] there have been some interesting attempts to generate novel use cases for beacon hardware, some less successful than others, for the most part the beacons haven’t been used that much […]
[…] procedure, but with a new fixed key being used. By using the techniques we utilised to hack the CES Scavenger Hunt, and peek inside their app, you can just as easily peek inside the Estimote Android SDK and […]
[…] it doesn’t look like security around the hunt is any better than last time. Because, just like last time, it’s possible to win the hunt without ever going to CES. However, we also found that while […]
[…] a smartphone app into thinking it is near a beacon when it isn't. There is a story of how the staff at Make Magazine hacked a scavenger hunt at the 2014 Consumer Electronics Show. They showed how they could win the hunt without ever being in Las […]
[…] the door. But it’s easy to spoof iBeacons, as Alasdair Allan and Sandeep Mistry demonstrated in an article in Make documenting their hack of a CES iBeacon scavenger hunt two years ago. There are simply a number of potential security and privacy problems that could […]