
The CES promotional scavenger hunt, based around Bluetooth Beacon technology, is back. Unfortunately, it doesn't look like security around the hunt is any better than last time, because, just like last time, it's possible to win the hunt without ever going to CES. We also found that, while you're looking for the hunt beacons, they aren't the only beacons you'll find. If you're attending CES this year, there are over 1,000 beacons scattered throughout the venues, and the official app picks them up as you move around the show floor.
"The Scavenger Hunt is back," said Jeff Joseph, senior vice president of communications and strategic relationships at CTA. "Beacon technology has taken off since we first used it at the 2014 CES. Using proximity beacons to drive a Scavenger Hunt is in line with our show mission: to promote innovation and showcase the latest in emerging technologies."
When we heard that the scavenger hunt was returning we decided to take a look inside the official CES app, using the same methods we used to investigate the last scavenger hunt and, towards the end of last year, to find the vulnerability in the Estimote Eddystone beacons.
Things have improved since last time, when the identities of the beacons were hard coded inside the app. This year's app fetches the beacon information from Radius Networks' ProximityKit cloud service. Unfortunately, all the information you need to retrieve the beacon identities from the cloud service is still present inside the application.
That information is the app token used to authenticate to the cloud service. Bundling tokens inside mobile apps like this isn't particularly secure: a token shipped inside the app binary can be recovered relatively easily, and whoever recovers it can read, or tamper with, your cloud service data. Using the token you can grab a full list of the beacons deployed across the CES floor directly from the command line.
% curl -H 'Authorization: Token token=a00723c600c97d3aa96ad13475252be945cb1f0539b54ed4f66f9a0dcd18ae0b' https://proximitykit.radiusnetworks.com/api/kits/4276 > file.json
Looking through the JSON data, it's easy to pick out the eight beacons involved in the scavenger hunt. Here's the first of the eight beacons you need to find:
{
  "id": 12451,
  "identifier": "pk-beacon-12451",
  "created_at": "2015-11-18T16:41:21.723Z",
  "updated_at": "2015-12-07T21:42:36.438Z",
  "uuid": "A9BB0001-8816-4D85-A627-0D69EEF758D3",
  "major": 101,
  "minor": 1,
  "latitude": null,
  "longitude": null,
  "name": "Scavenger Hunt #1",
  "enable_monitoring": false,
  "enable_ranging": false,
  "attributes": {
    "description": "C-Space, Aria",
    "hunt_id": "1",
    "image_url": "https://s3.amazonaws.com/media.radiusnetworks.com/CES_2016/target_1.png",
    "title": "C Space Aria",
    "trigger_distance": "5"
  },
  "notify_on_entry": true,
  "notify_on_exit": true,
  "notify_entry_state_on_display": true
}
The beacon UUID we're looking for is A9BB0001-8816-4D85-A627-0D69EEF758D3. All eight beacons share the same Major number of 101, and their Minor numbers run from 1 up to 8.
From here it's relatively simple to simulate the beacons. For instance, we can use the bleno library for Node.js to fake all eight of them in a few lines of code.
var bleno = require('bleno'),
    uuid = 'A9BB000188164D85A6270D69EEF758D3',
    major = 101,
    minor = 0,            // bumped to 1 before the first advertisement, so minor 1 isn't skipped
    measuredPower = -59;

// bleno can only advertise once the adapter reports poweredOn
bleno.on('stateChange', function(state) {
  if (state !== 'poweredOn') {
    return;
  }
  console.log("CES Scavenger Hunt");

  // Advertise each of the eight hunt beacons in turn, two seconds apiece
  var intervalId = setInterval(function() {
    bleno.stopAdvertising();
    minor++;
    if (minor > 8) {
      clearInterval(intervalId);
      console.log("Bye!");
      return;
    }
    console.log(minor);
    bleno.startAdvertisingIBeacon(uuid, major, minor, measuredPower);
  }, 2000);
});
Running this script on your laptop while it's near a phone running the CES app will rather quickly make you a winner, all without having to wander the hallways at CES hoping to get within the roughly 100-foot range of every one of the beacons they've scattered across the show floor.
However, the fact that you can win the scavenger hunt from your desk isn't all that we found. Along with the identities of the eight hunt beacons came the latitude and longitude of over 1,000 other beacons scattered across the three CES venues, which, so long as you have the app installed, will be picked up by the CES app as you make your way around the show.
The announcement of the return of the scavenger hunt discussed the use of beacons for indoor navigation, so it's possible that these beacons have been deployed to provide exactly that. If so, your location as you make your way around CES probably won't be leaving your phone, however creepy the beacon notifications sometimes seem.
However, it would be equally possible to set things up so that, each time your phone sees a beacon, the app "calls home" to report your location back to the organisers. Certainly the CES app from 2014 was sending analytics data up to the cloud when a scavenger hunt beacon was detected.
If that were the case (and we haven't yet found any code that would suggest this is happening) then a minute-by-minute log of your position at CES could conceivably be saved in the cloud, and your location tracked the whole time you're there.
Until recently this sort of mass deployment of beacon technology has been rare, and there has been very little debate about its privacy implications. The deployment at CES makes us think we should have that debate soon, before deployments like it become commonplace.