Tesla Model 3 is an iBeacon

There’s an article at The Parallax on how the Tesla Model 3 constantly sends out iBeacon advertising. This allows the Android/iOS app to see the car and consequently unlock and start it without a key. Martin Herfurt, a security expert from Austria, claims this is a security and privacy vulnerability.

Tesla’s response has been:

“BLE tracking is something we’ve discussed internally, and we revisited this discussion after receiving your report. However, our current assessment is that randomizing BLE identifiers would not result in significant privacy gains due to the ubiquity of automated license plate readers”

What Tesla is saying is that there are other ways to track cars, so they believe it’s not an issue.

The security researcher can detect cars up to 50m away and said…

“… the range can be easily extended with a directional antenna, possibly to reach up to a mile away”

We would like to know how to ‘easily’ get such a directional antenna as, to our knowledge, no such thing exists. 50m-range advertising is just that and can’t be extended significantly by changing the receiver antenna.

However, the Tesla Model 3 being an iBeacon raises the question of whether this is a significant privacy concern. Indeed, anything or anyone advertising Bluetooth can turn into a privacy concern. In the article, connected-car security researcher Tim Brom says it can be a concern if you’re a high-value target of any kind or worried about a stalker.

Even when IDs are randomized or cycled, as in the case of Eddystone EID, the mere presence of Bluetooth advertising can reveal the presence of something that needs to be concealed. For example, Wired recently wrote Burglars Really Do Use Bluetooth Scanners to Find Laptops and Phones.

The lesson is that you shouldn’t blindly implement Bluetooth without considering the security implications and providing mitigations. In the case of Tesla, they could have provided an option for security-conscious users to turn off Bluetooth and use a key instead.

Changing the Battery in the F4 Tracker Beacon

We recently started selling the Minew F4, a quality tracking beacon with an external on/off button, 85dBm buzzer and a range of up to 50m. The battery lasts about 6 months. Minew have a video showing how to change the battery:

There’s a T-Finder iOS and Android app on the app stores but the intention is that this beacon will be used with your own apps and solutions using the supplied Android and iOS SDK.

View Tracker Beacons

iBeacon App Development Companies

There are a large number of offshore development companies currently spamming social media, claiming to do iBeacon development. We recommend you do your due diligence before engaging development as many like to say ‘yes’ to anything and it’s often companies such as ours that have to pick up the pieces.

Here are some things to consider when looking for an iBeacon app developer:

  • Can they give examples of iBeacon apps they have written?
  • Can they give you references to past work who you can talk to?
  • Do they release development versions regularly so you can test and gauge progress? If everything is released at the end, it’s likely you are going to end up disappointed.
  • Who will actually be doing the development? There can be intermediaries in the development ecosystem that confuse and compound communications problems. Right from the start, you need to be talking direct with the person who will be doing the development.
  • Do they really understand you? Many aren’t native English speakers and if you are getting misunderstandings during initial engagement, this doesn’t bode well for the development.
  • Have they provided constructive comments on your proposed app rather than just saying ‘yes’? Developers should be able to improve on your ideas so as to get the best out of iOS and Android.
  • Getting iBeacon apps through Apple approval can be difficult. Can they give you examples why and the possible mitigations?

App development is an area where cheapest isn’t usually the best. Compromised development will cost you in the longer term through late or aborted development, tricky problems, significant end user support, poor app reviews and difficulty adapting the apps in the future for future phones and new features.

Beaconzone was founded by app developers in 2015 after we had previously created several iBeacon art gallery apps. We have since written many more iBeacon and Bluetooth LE apps on iOS and Android.
Read about beaconzone solutions

What’s Wrong with Bluetooth Mesh?

Researchers from TU Darmstadt, Germany have a new paper Toxic Friends in Your Network: Breaking the Bluetooth Mesh Friendship Concept that looks into weaknesses in the security model underlying the Bluetooth mesh friendship mechanism.

Friendship allows a low-power IoT device to go to sleep while a separate higher-power node caches packets until the low-power device wakes up. The paper provides an overview of friendship and the Friendship Security Material (FSM) unique to this type of communication.

The researchers found three flaws in the Bluetooth friendship mechanism related to:

  • The possibility of eavesdropping on communication and selectively jamming based on the size of the control messages.
  • The lack of protection of the friend security keys against an insider attack.
  • The possibility of misuse of Friend Clear messages to cause a form of denial of service attack through flattening the battery.

The paper includes a reference to tools that demonstrate these problems and discusses possible mitigations.

The Bluetooth SIG responded:

Compromise of the friendship relationship results only in a compromise of the availability of the low power node to the other nodes in the subnet.

It is the conclusion of the working group that the friendship relationship between an LPN and its friend within a mesh subnet is not intended to be secured against attack by a party already in possession of the network key.

It is the position of the Mesh Working Group and the Bluetooth SIG that neither scenario provides additional security risk for a user of the Mesh profile.

In other words, the risks are appropriate to the level to which the mesh is expected to be used or attacked.

We have yet to come across any devices using friendship. Friendship is an edge case that isn’t required in most instances. Also, most existing low power devices can’t be upgraded to use mesh due to the higher memory requirement of Bluetooth Mesh.

Read about Beacons and the Bluetooth Mesh

nRF Connect Features

Nordic, the manufacturer of the System on a Chip (SoC) in most beacons, has a new blog post on Five Things You Didn’t Know About Nordic’s Mobile Development Apps. The post mentions less visible features of nRF Connect on iOS and Android. For example, you can get a useful RSSI graph by dragging the screen towards the right from the centre:

nRF Connect is the main app we recommend for testing beacons. iOS recently received a completely new version. nRF Connect also has macros that can speed up testing.

Battery Power Use When Advertising Multiple Bluetooth LE Channels

Most beacons can transmit more than one type of advertising, for example iBeacon, Eddystone and sensor data. In practice, no beacon can send more than one kind of data simultaneously. Instead, they send the different data sequentially, one transmission very shortly (milliseconds) after the other. Many manufacturers describe this as sending data in different channels, which shouldn’t be confused with the different Bluetooth LE frequency channels used to reduce the effects of wireless interference.

Some devices such as Minew and Sato can send 6 channels that can include iBeacon, Eddystone UID, Eddystone URL, Eddystone TLM, sensor, acceleration and device info:

Sato setup: Channel types are shown at the bottom

Transmitting one type of data takes of the order of 1 millisecond (ms) within each advertising period, which is configurable from 100ms to 10 seconds. It’s during transmission that the majority of the battery power is used; the beacon sleeps between transmissions. The following oscilloscope trace shows the battery power used, over time, with one channel:

Care should be taken to configure only those types of data that are required. If you configure more than one channel then there’s a corresponding, almost linear, increase in use of battery power for every extra channel.
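The following is an added example (not from the original post or any beacon manufacturer) that models the duty cycle described above to show why average current grows almost linearly with the number of channels. The transmit current, sleep current and battery capacity are assumed round numbers for illustration, not measurements of any particular beacon.

```python
# Duty-cycle model of a beacon that sends N advertising "channels" per period.
# TX_BURST_MS comes from the post (about 1 ms per transmission); the current
# and capacity figures below are assumed values chosen for illustration only.
TX_BURST_MS = 1.0        # one advertising transmission, roughly 1 ms
TX_CURRENT_MA = 10.0     # assumed radio current while transmitting, mA
SLEEP_CURRENT_UA = 5.0   # assumed current while asleep between bursts, uA


def average_current_ua(channels: int, period_ms: float) -> float:
    """Time-weighted average current (uA) for `channels` bursts per period.

    Each channel adds one TX_BURST_MS burst at TX_CURRENT_MA; the remainder
    of the period is spent at SLEEP_CURRENT_UA, so the result is a weighted
    mean of the two currents expressed in microamps.
    """
    if channels < 1 or period_ms <= channels * TX_BURST_MS:
        raise ValueError("need >= 1 channel and a period longer than all bursts")
    tx_ms = channels * TX_BURST_MS
    sleep_ms = period_ms - tx_ms
    # mA -> uA for the transmit term so both terms are in uA * ms
    weighted_ua_ms = tx_ms * TX_CURRENT_MA * 1000.0 + sleep_ms * SLEEP_CURRENT_UA
    return weighted_ua_ms / period_ms


def battery_life_days(channels: int, period_ms: float,
                      capacity_mah: float = 220.0) -> float:
    """Estimated days until an assumed 220 mAh coin cell is drained."""
    hours = capacity_mah * 1000.0 / average_current_ua(channels, period_ms)
    return hours / 24.0


def extra_current_per_channel_ua(period_ms: float) -> float:
    """Cost of adding a second channel; near-constant, hence 'almost linear'."""
    return average_current_ua(2, period_ms) - average_current_ua(1, period_ms)


if __name__ == "__main__":
    for n in (1, 2, 3, 6):
        print(f"{n} channel(s) @ 1 s: {average_current_ua(n, 1000):.2f} uA, "
              f"~{battery_life_days(n, 1000):.0f} days")
```

Running it at a 1s period shows each extra channel adding the same increment of current, which is the near-linear behaviour the post warns about.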

Bluetooth 5 Range Tests

Unseen Tech has a recent whitepaper on Bluetooth 5 range. It describes some tests that were performed to assess Bluetooth 5 to see the improvements in range compared to Bluetooth 4’s typical 30m to 100m. The tests used development boards from Texas Instruments and Nordic that, used outside, achieved about 650m and 750m respectively.

While some companies are claiming Bluetooth 5 support in products, many don’t actually use Bluetooth 5 yet but instead offer an upgrade path to Bluetooth 5. Others do offer Bluetooth 5 but downgrade to Bluetooth 4 when communicating with Bluetooth 4 devices (e.g. smartphones), which are still the large majority of devices.

There are also some ultra long range Bluetooth 4 devices that include output power amplifiers that can achieve ranges of hundreds of metres, and we have one USB-powered beacon that reaches up to 4Km.

TRBOnet Update

There’s been an update to TRBOnet to allow DIMETRA Express to use iBeacon-based Indoor Location.

TRBOnet is the system used by Motorola for managing 2-way radios and pinpoints handsets on maps:

The 2-way radios upload GPS data but this obviously doesn’t work indoors where iBeacons are used instead. TRBOnet works with any iBeacons.

Are you an established 2-way radio company?
Contact us for advice on which beacons we have supplied for use with TRBOnet.

Maximising Bluetooth Gateway Throughput

Our article on What are Beacons shows the kind of data sent by beacons. While this might be iBeacon or Eddystone, both are a subset of all Bluetooth advertising as sent out by all Bluetooth LE devices such as smartphones, Fitbits and even industrial machines. Bluetooth LE advertising is just a short series of numbers.

Gateways look for Bluetooth advertising and send this on to a web server together with the signal strength of the detected device, the gateway’s own Bluetooth MAC address and MAC address of the detected Bluetooth device.

Bluetooth WiFi Gateway

In some situations a very large number of devices can be detected, most of which aren’t the ones that need to be detected. This can cause either the gateway to become overloaded or too much extraneous data to be sent to the server.

All gateways have ways of filtering what advertising is sent to the server. This usually includes matching some or all of the advertising with a given hexadecimal string and the ability to ignore devices weaker than a given signal strength.

Even after filtering, it’s possible in extreme circumstances that a gateway processes too many beacons and becomes overloaded. In these cases it’s important to have a gateway that can support the highest throughput. Gateway specifications detail the typical maximum number of devices that can be detected which varies considerably between devices. Ethernet connected devices tend to be more performant than those connected by WiFi. Also consider setting the gateway to only detect beacons close by and use more gateways per given area. Consider using MQTT in preference to HTTP so as to cause the gateway to do less work.
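As an added example (not code from the original post or from any gateway vendor), here is a minimal gateway-side filter that implements the two filter kinds described above: matching a hexadecimal string against the raw advertising data and dropping devices weaker than an RSSI floor. It also recognises the iBeacon manufacturer-specific frame so only the wanted beacons are forwarded. All MAC addresses, payloads and RSSI values are constructed sample data.

```python
# Gateway-style filtering of raw Bluetooth LE advertising payloads.
# Sample adverts below are constructed for this example, not captured traffic.
from dataclasses import dataclass


@dataclass
class Advertisement:
    mac: str        # Bluetooth address of the detected device
    rssi: int       # signal strength seen by the gateway, dBm
    data: bytes     # raw advertising payload (sequence of AD structures)


def ad_structures(data: bytes):
    """Split a raw payload into (ad_type, payload) tuples: [len][type][payload]..."""
    i = 0
    while i < len(data):
        length = data[i]
        if length == 0 or i + 1 + length > len(data):
            break   # zero-length or truncated structure: stop rather than over-read
        yield data[i + 1], data[i + 2:i + 1 + length]
        i += 1 + length


def is_ibeacon(data: bytes) -> bool:
    """True if the payload carries an Apple manufacturer-specific iBeacon frame."""
    for ad_type, payload in ad_structures(data):
        # 0xFF manufacturer specific; 0x004C Apple (little-endian); 0x02 0x15 iBeacon
        if ad_type == 0xFF and payload[:4] == b"\x4c\x00\x02\x15" and len(payload) == 25:
            return True
    return False


def gateway_filter(adverts, match_hex="", min_rssi=-127, ibeacon_only=False):
    """Keep adverts containing match_hex, at or above min_rssi, optionally iBeacon only."""
    needle = bytes.fromhex(match_hex)
    return [a for a in adverts
            if a.rssi >= min_rssi and needle in a.data
            and (not ibeacon_only or is_ibeacon(a.data))]


IBEACON_UUID_PREFIX = "11223344"   # first bytes of the UUID we want to forward
SAMPLE = [   # constructed: two copies of our iBeacon (one weak) and a phone name advert
    Advertisement("aa:bb:cc:dd:ee:01", -60, bytes.fromhex(
        "0201061aff4c000215" "11223344556677889900aabbccddeeff" "00010002c5")),
    Advertisement("aa:bb:cc:dd:ee:02", -95, bytes.fromhex(
        "0201061aff4c000215" "11223344556677889900aabbccddeeff" "00010003c5")),
    Advertisement("aa:bb:cc:dd:ee:03", -50, bytes.fromhex(
        "020106" "0609" "50686f6e65")),   # flags + complete local name "Phone"
]
```

With the UUID prefix and a -80dBm floor, only the first advert is forwarded; the phone never matches and the weak duplicate is dropped before it reaches the server.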