Hacking the CES Scavenger Hunt


It has just been announced that this year’s Consumer Electronics Show (CES) will feature a promotional scavenger hunt based around Apple’s iBeacon technology. What if you could win the hunt without ever having to go to CES?

Quietly introduced by Apple at WWDC last year, iBeacon is a technology that allows you to add real-world context to smartphone applications. Based around Bluetooth LE—part of the new Bluetooth 4.0 standard—it’s a way to provide basic indoor navigation and proximity detection.

As we talked about earlier today when we reverse engineered the Estimote beacons, there are three properties of an iBeacon that work together to create the beacon’s identity. These are:

  • UUID — This is a property which is unique to each company, in most use cases the same UUID would be given to all beacons deployed by a company (or group).
  • Major — The property that you use to specify a related set of beacons, e.g. in a retail setting all the beacons in one store would share the same Major value.
  • Minor — The property that you use to specify a particular beacon in a location.

The scavenger hunt is therefore a hunt for a number of beacons that will probably all share the same UUID and Major numbers, but will have different Minor numbers. Effectively, we’re looking for a set of beacons.

However, wandering the hallways at CES hoping to get within the roughly 100-foot range of every one of the iBeacons they’ve scattered across the show floor sounds like a lot of work.

CES has teamed up with Radius Networks who are providing the iBeacon hardware, and Marc Wallace—CEO and cofounder of Radius Networks—has this to say about the hunt,

This is one of the coolest proximity-aware apps we have worked on. This is also one of the first, tangible applications that leverages iBeacon technology. And it is a great example of how iBeacon technology is not just about advertising as it is about bringing new and innovative solutions to the marketplace. We are very excited to be a part of it.

Since they’re using hardware from Radius Networks we can’t just assume—as we could with the Estimote hardware—that we know the UUID of the beacons. However, the identities of the beacons—all of the beacons—are somewhere we can easily get our hands on them: the CES mobile app.

Sure enough, looking at the CES Android application—it’s fairly easy to download the APK without installing it—there are some hints for us, and using a decompiler it was fairly easy to find the details of the target beacons.

The Minor numbers of the nine target beacons in the code of the CES mobile application.

The iBeacon UUID we’re looking for is 842AF9C4-08F5-11E3-9282-F23C91AEC05E, the Major number—interestingly not actually needed, and simply ignored by the Android application—is 65000, and the nine beacons scattered throughout the CES venue have Minor numbers from 65001 to 65009.

The completed scavenger hunt—all nine beacons.
An almost completed scavenger hunt—with eight of the nine beacons already “found”.

Since we now know the identities of the beacons, it’s trivial to finish the scavenger hunt without ever going to CES, as it’s actually fairly simple to build your own iBeacon hardware and “fake” the app into thinking you’ve found the beacons. To do that you can either use a Raspberry Pi, or a Bluetooth LE board like the Red Bear Labs BLE Mini board—Radius Networks, the people supplying the hardware to CES, is even selling an “iBeacon Development Kit” which would work just fine for our purposes.

At which point—now that you have your own iBeacon hardware—you can just go ahead and set the UUID, Major and Minor numbers of your beacon to each of the CES scavenger hunt beacon identities in turn, and bring your beacon into range of your cell phone, which should be running the CES mobile app. Once you’ve shown the app all of the beacons, you’ll have “finished” the scavenger hunt and can claim your prize. Of course doing that isn’t legal. It’s called fraud and will probably land you in serious trouble. Don’t do that.
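As an added example (not code from the article or from Radius Networks), here is a Node.js decoder for the iBeacon advertising payload together with a simple check a hunt organiser could run over a scanner’s log: a genuine hunt beacon advertises one fixed Minor, so a single BLE source address that cycles through several of the hunt’s Minors, as the procedure above would, stands out. The byte layout is Apple’s published iBeacon format; the addresses and frames are constructed for the example.

```javascript
const HUNT_UUID = '842AF9C4-08F5-11E3-9282-F23C91AEC05E';

// Decode the 25-byte iBeacon manufacturer-specific data: company id 0x004C
// (little-endian), type 0x02, length 0x15, 16-byte UUID, 2-byte Major and
// 2-byte Minor (big-endian), 1-byte signed measured power. Null if not iBeacon.
function parseIBeacon(buf) {
  if (buf.length !== 25 || buf.readUInt16LE(0) !== 0x004c ||
      buf[2] !== 0x02 || buf[3] !== 0x15) return null;
  const hex = buf.subarray(4, 20).toString('hex').toUpperCase();
  const uuid = [hex.slice(0, 8), hex.slice(8, 12), hex.slice(12, 16),
                hex.slice(16, 20), hex.slice(20)].join('-');
  return { uuid, major: buf.readUInt16BE(20), minor: buf.readUInt16BE(22),
           measuredPower: buf.readInt8(24) };
}

// Record, per source address, which hunt Minors it advertised. A real hunt
// beacon has exactly one Minor, so an address with more than `threshold` is flagged.
function detectRotatingBeacons(frames, threshold = 1) {
  const seen = new Map();
  for (const { address, data } of frames) {
    const b = parseIBeacon(data);
    if (!b || b.uuid !== HUNT_UUID) continue;
    if (!seen.has(address)) seen.set(address, new Set());
    seen.get(address).add(b.minor);
  }
  return [...seen].filter(([, m]) => m.size > threshold).map(([a]) => a);
}

// Build a constructed advertisement frame (not a capture) for a given Minor.
function makeFrame(address, minor) {
  const data = Buffer.alloc(25);
  data.writeUInt16LE(0x004c, 0); data[2] = 0x02; data[3] = 0x15;
  Buffer.from(HUNT_UUID.replace(/-/g, ''), 'hex').copy(data, 4);
  data.writeUInt16BE(65000, 20); data.writeUInt16BE(minor, 22);
  data.writeInt8(-59, 24);
  return { address, data };
}

// Constructed sample: two fixed-Minor beacons plus one address cycling through Minors.
const sample = [makeFrame('aa:bb:cc:dd:ee:01', 65001),
                makeFrame('aa:bb:cc:dd:ee:02', 65002),
                ...[65001, 65002, 65003].map(m => makeFrame('11:22:33:44:55:66', m))];
console.log(detectRotatingBeacons(sample));  // [ '11:22:33:44:55:66' ]
```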

Of course it could be worse. If they were using Estimote hardware, it’d be easy for someone to make the hunt impossible to complete, because, as we’ve shown, anyone with the Estimote SDK can modify the UUID, Major and Minor number of Estimote beacons in the field. That would have meant the beacons deployed across the CES floor no longer worked for the scavenger hunt. Again, we don’t suggest you do this. Hacking technology to understand how it works and make it work better for you is one thing, but gratuitous monkeywrenching that wrecks someone else’s experience is not nice.

We talked about both the ability to configure “fake” beacons and the ability to disable beacons in the field in our discussion of our reverse engineering of the Estimote iBeacon hardware. However, we didn’t think we’d see something like this quite so soon.

Update: Thanks to Binoy Joy for the reminder. The Radius Networks application—for both iOS and Android (Android doesn’t support peripheral roles)—includes the ability to make your device into an iBeacon, and allows you to configure the UUID, Major and Minor number for the beacon. So if you have two devices with you at CES today—say a phone and a tablet—then you too can be a winner in the great CES Scavenger Hunt.

22 thoughts on “Hacking the CES Scavenger Hunt”

  1. Can Estimote Be Hacked? Yes It Can - For Now says:

    […] the same authors also ‘hacked’ the CES app – completing the Scavenger Hunt without even getting on a plane to Vegas. Hardly a […]

  2. Don Coleman (@doncoleman) says:

    You can use Sandeep’s bleno library and NodeJS to emulate iBeacons. https://gist.github.com/don/8248454

    var bleno = require('bleno'),
        uuid = '842AF9C408F511E39282F23C91AEC05E',
        major = 65000,
        minor = 65000,          // incremented before first use, so 65001..65009
        measuredPower = -59;

    // Every 2 seconds, stop the current advertisement and advertise the next Minor.
    var intervalId = setInterval(function() {
      bleno.stopAdvertising();
      minor++;
      if (minor > 65009) {
        clearInterval(intervalId);
        console.log("Bye!");
        return;
      }
      console.log(minor);
      bleno.startAdvertisingIBeacon(uuid, major, minor, measuredPower);
    }, 2000);

    console.log("CES Scavenger Hunt");

    1. Alasdair Allan says:

      That’s awesome. I must admit I was still thinking along the lines hardware and hacking on a Raspberry Pi. But that’s a neat solution. I think it’d be hard to do in fewer lines of code…

  3. Two Chief iBeacon Threats: Privacy and Security | BestFit Mobile – App Development for Mobile Devices says:

    […] At this most basic level, it’s discoverable by anyone. This is how the guys at MAKEzine were able to “hack” into the CES Scavenger hunt. And it’s true, Estimote beacons can be hacked. But, at this level, so can any beacon. […]

  4. Overview of indoor tracking and other localization tactics | Digital Producer and Stategist | says:

    […] CES scavenger Hunt: http://bit.ly/1c09eFN (and how it was hacked) […]

  5. iBeacon basics - O'Reilly Radar says:

    […] The CES scavenger hunt application is a simple listener that implements a “virtual punch card.”  Nine locations on the CES show floor were equipped with beacons, and conference attendees who visited all nine locations completed a virtual card in the application and were entitled to receive a gift from the show. Each of the nine beacons had a unique signature, decoded by Alasdair Allan and Sandeep Mistry in Make magazine. […]

  6. iBeacon basics | InnovationAfrica says:

    […] The CES scavenger hunt application is a simple listener that implements a “virtual punch card.”  Nine locations on the CES show floor were equipped with beacons, and conference attendees who visited all nine locations completed a virtual card in the application and were entitled to receive a gift from the show. Each of the nine beacons had a unique signature, decoded by Alasdair Allan and Sandeep Mistry in Make magazine. […]

  7. As the iBeacon™ Gospel Spreads, Security becomes the Focus: | Footmarks Blog | Digital Intelligence says:

    […] iBeacon’s fundamentally open design means any mobile app can be designed to detect a retailer’s location broadcast, and such vulnerabilities have been already exposed in competitors’ models. By using passive devices to collect the network of IDs assigned to BLE devices in a store, competitors or third party developers have the same ability as the retailer to broadcast information to locate and track users (possibly without their permission). These third parties are then able to send shoppers offers for cheaper product alternatives or other perks at a competitor’s store or website (for example), thereby driving shoppers from the retailer’s own store. In addition, once certain characteristics of a beacon are changed by outside parties, any consumer application configured to use that particular beacon could potentially be disabled, negating the retailer’s investment. Third parties can also configure impostor beacons within a store’s own system, thereby gaining access potentially to gift cards, promotions and other location-dependent experiences tied to the beacons being impersonated. This particular vulnerability was showcased (unintentionally) at last year’s Consumer Electronics Show (CES), which featured a promotional scavenger hunt based around Apple’s iBeacon technology. According to Makerzine, someone won the hunt without ever attending the show! […]

  8. The TI SensorTag—now with added iBeacon | MAKE says:

    […] that was obvious when we looked at the Estimote beacons earlier this year, although even doing this doesn’t mean that iBeacons are a good fit for all applications as it’s easy to fake iBeacon signals — the UUID, Major, and […]

  9. Rakibimin iBeacon’ı Baldan Tatlıdır | MOBİL PAZARLAMA says:

    […] a person who wasn’t even at the event venue at the time won. If you have time, I strongly recommend reading the article about this story […]

  10. 5 Questions for Beacon Providers, Answered | Footmarks Blog | Digital Intelligence says:

    […] to the critical vulnerability of “naked” beacons is an important one. Beacon hijacking is a proven occurrence and retailers and others who deploy insecure networks are vulnerable to third party […]

  11. How we protect our Beacons / iBeacon against piggybacking and hijacking - Kontakt.io iBeacon compatible solution says:

    […] of growth has understandably created some security concerns about how businesses and organizations can secure their Beacons. Today we will address that […]

  12. Diogo Serra says:

    The software for the game or a clone of it is on the github of the RadiusNetworks (https://github.com/RadiusNetworks/scavenger-hunt-ios-os) from last November

  13. Beacon Hijacking | We Are Base says:

    […] This one’s a bit more funky. There are many ways to get a UUID. If a competitor stores their UUIDs in their app, you can often decompile the app and retrieve them. This is how the CES Scavenger hunt was ‘hacked’. […]

  14. este articulo says:

    this article

    Hacking the CES Scavenger Hunt | Make:

  15. Google Introduces the Eddystone Beacon | Make: says:

    […] there have been some interesting attempts to generate novel use cases for beacon hardware, some less successful than others, for the most part the beacons haven’t been used that much […]

  16. Security Problems With Google's Eddystone Beacon | Make: says:

    […] procedure, but with a new fixed key being used. By using the techniques we utilised to hack the CES Scavenger Hunt, and peek inside their app, you can just as easily peek inside the Estimote Android SDK and […]

  17. 5 Questions for Beacon Providers, Answered – Footmarks says:

    […] to the critical vulnerability of “naked” beacons is an important one. Beacon hijacking is a proven occurrence and retailers and others who deploy insecure networks are vulnerable to third party […]

  18. Hacking the CES Scavenger Hunt for a Second Time | Make: says:

    […] it doesn’t look like security around the hunt is any better than last time. Because, just like last time, it’s possible to win the hunt without ever going to CES. However, we also found that while […]

  19. Emerging Tech: Bluetooth Beacons and the DPLA | Disruptive Library Technology Jester says:

    […] a smartphone app into thinking it is near a beacon when it isn't. There is a story of how the staff at Make Magazine hacked a scavenger hunt at the 2014 Consumer Electronics Show. They showed how they could win the hunt without ever being in Las […]

  20. Hands-on: Blue Hydra can expose the all-too-unhidden world of Bluetooth (ArsTechnica) – sec.uno says:

    […] the door. But it’s easy to spoof iBeacons, as Alasdair Allan and Sandeep Mistry demonstrated in an article in Make documenting their hack of a CES iBeacon scavenger hunt two years ago. There are simply a number of potential security and privacy problems that could […]

  21. Hands-on: Blue Hydra can expose the all-too-unhidden world of Bluetooth - Cyber Guardian says:

    […] the door. But it’s easy to spoof iBeacons, as Alasdair Allan and Sandeep Mistry demonstrated in an article in Make documenting their hack of a CES iBeacon scavenger hunt two years ago. There are simply a number of potential security and privacy problems that could […]


Alasdair Allan is a scientist, author, hacker and tinkerer, who is spending a lot of his time thinking about the Internet of Things. In the past he has mesh networked the Moscone Center, caused a U.S. Senate hearing, and contributed to the detection of what was—at the time—the most distant object yet discovered.


Sandeep Mistry is a professional software engineer, who enjoys tinkering with the Internet of Things and Bluetooth Low Energy (BLE) devices.
