Hacking the CES Scavenger Hunt for a Second Time

Alasdair Allan

Alasdair Allan is a scientist, author, hacker and tinkerer, who is spending a lot of his time thinking about the Internet of Things. In the past he has mesh networked the Moscone Center, caused a U.S. Senate hearing, and contributed to the detection of what was—at the time—the most distant object yet discovered.

Sandeep Mistry

Sandeep Mistry is a professional software engineer, who enjoys tinkering with the Internet of Things and Bluetooth Low Energy (BLE) devices.

The CES promotional scavenger hunt, based around Bluetooth Beacon technology, is back. Unfortunately, it doesn’t look like security around the hunt is any better than last time: just like last time, it’s possible to win the hunt without ever going to CES. However, we also found that the hunt beacons aren’t the only beacons you’ll find while you’re looking for them. If you’re attending CES this year, there are over 1,000 beacons scattered throughout the venue tracking you as you move around the show floor.

“The Scavenger Hunt is back,” said Jeff Joseph, senior vice president of communications and strategic relationships at CTA. “Beacon technology has taken off since we first used it at the 2014 CES. Using proximity beacons to drive a Scavenger Hunt is in line with our show mission — to promote innovation and showcase the latest in emerging technologies.”

When we heard that the scavenger hunt was returning, we decided to take a look inside the official CES app, using the same methods we used to investigate the last scavenger hunt and to find the vulnerability in the Estimote Eddystone beacons towards the end of last year.

Things have improved since last time, when the identities of the beacons were hard-coded inside the app. This year’s app fetches the beacon information using the Radius Networks’ ProximityKit cloud service. Unfortunately, all the information you need to retrieve the beacon identities from the cloud service is still present inside the application.

Winning the CES iBeacon scavenger hunt, without ever having to go to CES.

This consists of app tokens used to authenticate to the cloud service. Bundling tokens inside mobile apps like this isn’t particularly secure, as they can be revealed relatively easily, allowing people to tamper with your cloud service data. Using the token you can go ahead and grab a full list of the beacons deployed across the CES floor directly from the command line.

% curl -H 'Authorization: Token token=a00723c600c97d3aa96ad13475252be945cb1f0539b54ed4f66f9a0dcd18ae0b' https://proximitykit.radiusnetworks.com/api/kits/4276 > file.json

Looking through the JSON data, it’s easy to pick out the eight beacons involved in the scavenger hunt. Here’s the first of the eight beacons you need to find.

  {
    "id": 12451,
    "identifier": "pk-beacon-12451",
    "created_at": "2015-11-18T16:41:21.723Z",
    "updated_at": "2015-12-07T21:42:36.438Z",
    "uuid": "A9BB0001-8816-4D85-A627-0D69EEF758D3",
    "major": 101,
    "minor": 1,
    "latitude": null,
    "longitude": null,
    "name": "Scavenger Hunt #1",
    "enable_monitoring": false,
    "enable_ranging": false,
    "attributes": {
      "description": "C-Space, Aria",
      "hunt_id": "1",
      "image_url": "https:\/\/s3.amazonaws.com\/media.radiusnetworks.com\/CES_2016\/target_1.png",
      "title": "C Space Aria",
      "trigger_distance": "5"
    },
    "notify_on_entry": true,
    "notify_on_exit": true,
    "notify_entry_state_on_display": true
  }

The beacon UUID we’re looking for is A9BB0001-8816-4D85-A627-0D69EEF758D3, and all eight beacons share the same Major number of 101, while the beacons have Minor numbers incrementing from 1 up to 8.

From here it’s relatively simple to simulate the beacons. For instance we can use the bleno library for Node.js to fake the beacons in just a few lines of code.

  var bleno = require('bleno'),
      uuid = 'A9BB000188164D85A6270D69EEF758D3',
      major = 101,
      minor = 0,  // incremented before each advertisement, so the first one is Minor 1
      measuredPower = -59;

  // Every two seconds, advertise the next hunt beacon (Minor 1 to 8), then stop.
  var intervalId = setInterval(function() {
      bleno.stopAdvertising();
      minor++;
      if (minor > 8) {
          clearInterval(intervalId);
          console.log("Bye!");
          return;
      }
      console.log(minor);
      bleno.startAdvertisingIBeacon(uuid, major, minor, measuredPower);
  }, 2000);
  console.log("CES Scavenger Hunt");

Running this script on your laptop whilst it’s near a phone running the CES app will rather quickly make you a winner. All without having to wander the hallways at CES hoping to get into the approximately 100-foot range of all of the beacons they’ve scattered across the show floor.

Winning the CES Scavenger Hunt without leaving your desk.
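Seen from the organiser's side, a run like this stands out because all eight beacons turn up seconds apart. The following is an added example, not code from the CES app or from Radius Networks: it assumes a hypothetical server-side log of beacon sightings (the event fields, the 60-second minimum walking time and the sample data are all assumptions) and flags users whose sightings of different hunt beacons are too close together.

```javascript
// Added example: flag hunt completions that are physically implausible.
// Assumption: the server receives sighting events in this hypothetical shape.
const HUNT = { uuid: 'A9BB0001-8816-4D85-A627-0D69EEF758D3', major: 101 };
// Assumption: least time a visitor needs to walk between two hunt beacons.
const MIN_TRAVEL_SECONDS = 60;

// Constructed sample data: "desk" sees a new beacon every 2 s, as the
// script above would produce; "walker" takes minutes between beacons.
const BASE = Date.parse('2016-01-06T18:00:00Z');
const sighting = (user, minor, offsetSec) => ({
  user, uuid: HUNT.uuid, major: HUNT.major, minor,
  ts: new Date(BASE + offsetSec * 1000).toISOString(),
});
const SAMPLE_EVENTS = [
  ...[1, 2, 3, 4, 5, 6, 7, 8].map((minor, i) => sighting('desk', minor, i * 2)),
  sighting('walker', 2, 900), sighting('walker', 1, 0),   // out of order
  sighting('walker', 1, 5), sighting('walker', 3, 2400),  // repeat of #1
];

function findImplausibleHunters(events, minTravelSeconds = MIN_TRAVEL_SECONDS) {
  // Earliest sighting of each hunt beacon (keyed by minor) per user.
  const firstSeen = new Map();
  for (const e of events) {
    if (e.uuid.toUpperCase() !== HUNT.uuid || e.major !== HUNT.major) continue;
    if (!firstSeen.has(e.user)) firstSeen.set(e.user, new Map());
    const perUser = firstSeen.get(e.user);
    const t = Date.parse(e.ts);
    if (!perUser.has(e.minor) || t < perUser.get(e.minor)) perUser.set(e.minor, t);
  }
  const flagged = [];
  for (const [user, perUser] of firstSeen) {
    // Order the distinct beacons by time and count hops that were too quick.
    const times = [...perUser.values()].sort((a, b) => a - b);
    let fastHops = 0;
    for (let i = 1; i < times.length; i++) {
      if ((times[i] - times[i - 1]) / 1000 < minTravelSeconds) fastHops++;
    }
    if (fastHops > 0) flagged.push({ user, beacons: times.length, fastHops });
  }
  return flagged;
}

console.log(findImplausibleHunters(SAMPLE_EVENTS));
```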

However, the fact you can win the scavenger hunt from your desk isn’t all that we found. Along with the identities of the eight hunt beacons came the latitude and longitude of over 1,000 other beacons scattered over the three CES venues that — so long as you have the app installed — will be picked up by the CES app as you make your way around the show.

There are over 1,000 beacons scattered across the three CES 2016 venues.

The announcement of the return of the scavenger hunt discussed the use of beacons for indoor navigation, so it’s possible that these beacons have been deployed to provide exactly that. If so, your location as you make your way around CES probably won’t be leaving your phone, despite how creepy the beacon notifications sometimes seem.

The beacon notifications from the CES app can get somewhat creepy.

However, it’d be equally possible to set things up so that, each time your phone sees a beacon, it “calls home” to report your location back to the powers that be. Certainly the CES app from 2014 was sending analytics data up to the cloud when a scavenger beacon was detected.

If that’s the case — and we haven’t yet found any code that would suggest this is happening — then a minute-by-minute log of your position at CES could conceivably be saved in the cloud, and your location tracked the whole time you’re there.

Until recently this sort of mass deployment of beacon technology has been rare, and there has been very little debate about the privacy implications underlying them. This deployment by CES makes us think we should have that debate soon, before they become commonplace.