At Estimote, we maintain a philosophy that software is never complete. We optimize for shipping updates often, to every part of our stack (firmware, mobile SDKs, cloud back-end and APIs). Simultaneously, we optimize our release cycles for developers, typically pushing new features to our 50,000-strong community even if our early code has a few rough edges. But we release with those imperfections precisely because we know that you - our robust, vocal, and demanding community - will help us find bugs, ideate new features, and push the limits of what’s possible. That constant feedback loop between our product and our customers is vital to our success.
Today we’re pushing a new beacon firmware live (version 3.2) to build upon the latest version that included our recently-announced support for Eddystone, an open BLE format released by Google. The new firmware includes a security patch to make your beacon hardware even more secure and can be installed on every beacon you already own.
Beacon security
As with any new technology, security is always a paramount concern for those implementing it. These concerns are only more valid as the velocity and scale of enterprise beacon deployments accelerate. Keeping your Estimote Beacon infrastructure secure has always been - and will always be - one of our top priorities.
Back in 2013, during the first days of iBeacon, we shipped dev kits without any security mechanisms in place, precisely because it was early days. We knew it was more important to get early adopters testing and sending us feedback than optimizing for an “enterprise checklist.” Of course, as the months progressed and our customers began to move from in-office prototypes to full-scale public deployments, we’ve layered on many important enterprise-grade improvements required by any good mobile leader: integration with Estimote Cloud for beacon authentication, Secure UUID to encrypt beacon IDs, and Infrastructure Sharing to safely share your beacon network. These mechanisms combine to prevent any actors with malicious intent from compromising your beacon infrastructure.
Network security, however, is an ongoing effort. Today’s update patches a vulnerability brought to our attention by the good folks at MAKE: Magazine. We rely on our developer community to challenge us and help us improve Estimote’s platform, every single day. The previous implementation of beacon authorization could be hacked to obtain the keys necessary to configure beacons to which the attacker had no rightful claim or ownership. With today’s firmware update, that is no longer possible. This new firmware has already been tested by many of our customers in their production environments, and it is now ready to be made publicly available to all Estimote developers, even those just experimenting with a few dev kits.
Update your beacons today
We’re not aware of any incidents related to this vulnerability and the risk of exposure remains small; an attacker would need to build an app with the right key, physically approach every single beacon they wished to alter, and then programmatically connect to it. We nonetheless encourage you to update your beacon firmware today. Every beacon we’ve ever shipped is compatible with today’s update and you can already install it via our iOS app (version 2.15.1) and Android app (version 1.0.5), or the Estimote SDK 3.4.0.
If you have any concerns, questions, or feedback about today’s update, our current security mechanisms, or the nuances of deploying beacons at scale, you can reach out to us anytime. We’re committed to building a secure beacon platform and are proud to have a community of developers helping us keep this commitment. We’re waiting for your tweets and emails!