Internet of Things Technology
Hacking the CES Scavenger Hunt for a Second Time

cessign

The CES promotional scavenger hunt, based around Bluetooth Beacon technology, is back. Unfortunately, it doesn’t look like security around the hunt is any better than last time. Because, just like last time, it’s possible to win the hunt without ever going to CES. However, we also found that while you’re looking for the beacons, these aren’t the only beacons you’ll find. If you’re attending CES this year, there are over a 1,000 beacons scattered throughout the venue tracking you as you move around the show floor.

“The Scavenger Hunt is back,” said Jeff Joseph, senior vice president of communications and strategic relationships at CTA, “Beacon technology has taken off since we first used it at the 2014 CES. Using proximity beacons to drive a Scavenger Hunt is in line with our show mission — to promote innovation and showcase the latest in emerging technologies.”

When we heard that the scavenger hunt was returning we decided to take a look — using the same methods we used to investigate the last scavenger hunt and to find the vulnerability in the Estimote Eddystone beacons towards the end of last year — inside the official CES app.

Things have improved since last time, when the identities of the beacons were hard coded inside the app. This year’s app fetches the beacon information using the Radius Networks’ ProximityKit cloud service. Unfortunately all the information you need to retrieve the beacon identities from the cloud service is still present inside the application.

Winning the CES iBeacon scavenger hunt, without ever having to go to CES.
Winning the CES iBeacon scavenger hunt, without ever having to go to CES.

This consists of app tokens used to authenticate to the cloud service. Bundling tokens inside mobile apps like this isn’t particularly secure, as they can be revealed relatively easily, allowing people to tamper with your cloud service data. Using the token you can go ahead and grab a full list of the beacons deployed across the CES floor directly from the command line.

% curl -H 'Authorization: Token token=a00723c600c97d3aa96ad13475252be945cb1f0539b54ed4f66f9a0dcd18ae0b' https://proximitykit.radiusnetworks.com/api/kits/4276 > file.json

Looking through the JSON data, it’s easy to pick out the eight beacons involved in the scavenger hunt, here’s the first of the eight beacons you need to find.

{
 "id": 12451,
 "identifier": "pk-beacon-12451",
 "created_at": "2015-11-18T16:41:21.723Z",
 "updated_at": "2015-12-07T21:42:36.438Z",
 "uuid": "A9BB0001-8816-4D85-A627-0D69EEF758D3",
 "major": 101,
 "minor": 1,
 "latitude": null,
 "longitude": null,
 "name": "Scavenger Hunt #1",
 "enable_monitoring": false,
 "enable_ranging": false,
 "attributes": {
 "description": "C-Space, Aria",
 "hunt_id": "1",
 "image_url": "https:\/\/s3.amazonaws.com\/media.radiusnetworks.com\/CES_2016\/target_1.png",
 "title": "C Space Aria",
 "trigger_distance": "5"
 },
 "notify_on_entry": true,
 "notify_on_exit": true,
 "notify_entry_state_on_display": true
 }

The beacon UUID we’re looking for is A9BB0001-8816-4D85-A627-0D69EEF758D3, and all eight beacons share the same Major number of 101, while the beacons have Minor numbers incrementing from 1 up to 8.

From here it’s relatively simple to simulate the beacons. For instance we can use the bleno library for Node.js to fake the beacons in just a few lines of code.

  var bleno = require('bleno'),
        uuid = 'A9BB000188164D85A6270D69EEF758D3',
        major = 101,
        minor = 1,
        measuredPower = -59;

  var intervalId = setInterval(function() {
        bleno.stopAdvertising();
        minor++;
        if (minor > 8) {
            clearInterval(intervalId);
            console.log("Bye!");
            return;
        }
        console.log(minor);
        bleno.startAdvertisingIBeacon(uuid, major, minor, measuredPower);
    }, 2000);
    console.log("CES Scavenger Hunt");

Running this script on your laptop whilst it’s near a phone running the CES app will rather quickly make you a winner. All without having to wander the hallways at CES hoping to get into the approximately 100-foot range of all of the beacons they’ve scattered across the show floor.

Winning the CES Scavenger Hunt
Winning the CES Scavenger Hunt without leaving your desk.

However the fact you can win the scavenger hunt from your desk isn’t all that we found. Along with the identities of the eight hunt beacons came the latitude and longitude of over 1,000 other beacons scattered over the three CES venues that — so long as you have the app installed — will be picked up CES app as you make your way around the show.

There are over 1,000 beacons scattered across the CES 2016 venues.
There are over 1,000 beacons scattered across the three CES 2016 venues.

The announcement of the return of the scavenger hunt discussed the use of beacons for indoor navigation, so it’s possible that these beacons have been deployed to provide exactly that. If so, your location as you make your way around CES probably won’t be leaving your phone, despite how creepy the beacon notifications sometimes seem.

The beacon notifications from the CES app can get somewhat creepy.
The beacon notifications from the CES app can get somewhat creepy?

However it’d be equally possible to set things up so that, each time your phone sees a beacon, it “calls home” to report your location back to the powers that be, certainly the CES app from 2014 was sending analytics data up to the cloud when a scavenger beacon was detected. 

If that’s the case — and we haven’t yet found any code that would suggest this is happening — then a minute-by-minute log of you position at CES could conceivably be saved in the cloud, and your location tracked the whole time you’re there.

Until recently this sort of mass deployment of beacon technology has been rare, and there has been very little debate about the privacy implications underlying them. This deployment by CES makes us think we should have that debate soon, before they become commonplace.

3 thoughts on “Hacking the CES Scavenger Hunt for a Second Time

  1. Hey Alasdair and Sandeep, Marc Wallace at Radius Networks here.

    A few comments on your post…

    1. Hacking the Scavenger Hunt

    The purpose of the Scavenger Hunt is to encourage attendees to explore areas of the show floor that they might otherwise have missed. If you complete the scavenger hunt, you get a token that you can present at the CES office and win a prize.

    For the top prize winners, we use a procedure to validate that they actually visited the scavenger hunt locations at CES. Simulating the beacons at your desk generates a token in the mobile app, but it doesn’t mean you completed the scavenger hunt. It just means you missed out on seeing some really cool stuff at CES.

    2. Tracking of Attendees

    Radius Networks and CTA take mobile privacy very seriously. Beacons are used to generate venue foot traffic analytics which do not contain personally identifiable information.

    Also, the message that was pictured and described as creepy, and possibly as a result of tracking using beacons, has nothing to do with our beacon implementation.

    3. Indoor Navigation Beacon Information

    In addition to scavenger hunt beacon information, you also accessed indoor navigation beacon definitions with related lat-long information. These beacons are in support of our extremely successful indoor navigation implementation at CES. As with the scavenger hunt beacons, this information is not considered sensitive, and the identifiers are essentially public information.

    As a general approach, it’s important to use the appropriate security mechanisms for the sensitivity of the information involved. We feel we accomplished this for CES, that the integrity of the Scavenger Hunt has been maintained, and that attendees at CES will continue to enjoy the benefits of the beacon network.

    1. ❝my neighbor’s mate is getting 98$. HOURLY on the internet❞….

      A few days ago new McLaren F1 subsequent after earning 18,512$,,,this was my previous month’s paycheck ,and-a little over, 17k$ Last month ..3-5 h/r of work a day ..with extra open doors & weekly paychecks.. it’s realy the easiest work I have ever Do. I Joined This 7 months ago and now making over 87$, p/h.Learn More right Here
      bm…….
      ➤➤
      ➤➤➤ http://GlobalSuperEmploymentVacanciesReportsJobs/GetPaid/98$hourly❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦

    2. ❝my neighbor’s mate is getting 98$. HOURLY on the internet❞….

      A few days ago new McLaren F1 subsequent after earning 18,512$,,,this was my previous month’s paycheck ,and-a little over, 17k$ Last month ..3-5 h/r of work a day ..with extra open doors & weekly paychecks.. it’s realy the easiest work I have ever Do. I Joined This 7 months ago and now making over 87$, p/h.Learn More right Here
      vs………
      ➤➤
      ➤➤➤ http://GlobalSuperEmploymentVacanciesReportsuk/GetPaid/98$hourly❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦.❦

Comments are closed.

Tagged

Alasdair Allan is a scientist, author, hacker and tinkerer, who is spending a lot of his time thinking about the Internet of Things. In the past he has mesh networked the Moscone Center, caused a U.S. Senate hearing, and contributed to the detection of what was—at the time—the most distant object yet discovered.

View more articles by Alasdair Allan

Sandeep Mistry is a professional software engineer, who enjoys tinkering with the Internet of Things and Bluetooth Low Energy (BLE) devices.

View more articles by Sandeep Mistry