Are Estimote beacons secure? How does Secure UUID work?

The Estimote platform offers two layers of security:

  • cloud-based authentication protecting beacons from unauthorized access
  • Secure UUID, preventing piggybacking on your beacon network

Both features are integrated with Estimote Cloud, but please note that while authentication is mandatory, using Secure UUID is optional.

Authentication

Every beacon is automatically registered in the Estimote Cloud and assigned to its owner in the factory, based on the email address used during purchase. If a user is not an owner of the beacon, they won’t be able to change any settings.

When you connect to a beacon with the Estimote app, you will see its basic properties like UUID, Major, Minor, and Color. But to configure a beacon’s settings with the Estimote app, you need to be logged in to your Estimote Account, and Estimote Cloud needs to authenticate you as the owner. If you don’t have an account, you can sign up here.

The same applies to the Estimote SDK, but instead of an Estimote Account login and password, we use API tokens to authorize access for third-party apps.

We explain how the API token works in a separate article.

If you want to learn more about ownership management and transferring beacons between users, there’s another article that will help.


Secure UUID

Enabling Secure UUID causes rotation of the beacon’s ID (UUID, Major and Minor) so it’s broadcasting unpredictable, encrypted values. We advise using it in production environments, especially in case of large deployments.

By default, the IDs that beacons broadcast (UUID, Major, Minor), which apps use to identify them, are visible to any device supporting Bluetooth Low Energy. This means anyone could piggyback on your beacon network. For instance, imagine you’re a store owner and your customers are using your app that is integrated with beacons. Beacons broadcast their IDs, so your competitor can easily build an app that will show competing offers to your customers. Secure UUID solves that problem.

With Secure UUID enabled, the only way to resolve the beacon’s ID is via authorized access to Estimote Cloud, which requires your username and password or the proper app ID & app token.

Estimote SDK detects whether Secure UUID is enabled on the beacon and automatically takes care of the decryption—you are able to use ranging & monitoring as usual.

Pro tip: don't forget to change ESTBeaconManager to ESTSecureBeaconManager.
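
The following added example is not Estimote's code and does not reproduce Estimote's actual Secure UUID algorithm, which this article does not describe. It assumes an HMAC-SHA256 derivation, a 10-minute rotation period, constructed keys and tokens, and a hypothetical Resolver class standing in for the cloud lookup, to show why a rotating ID can only be mapped back to a beacon by an authorized key holder.

```python
import hashlib
import hmac
import struct
import uuid

ROTATION_SECONDS = 600  # assumed rotation period, not an Estimote value


def rotating_id(key: bytes, now: int):
    """Derive the (UUID, Major, Minor) broadcast in the time slot containing `now`."""
    slot = now // ROTATION_SECONDS
    digest = hmac.new(key, struct.pack(">Q", slot), hashlib.sha256).digest()
    major, minor = struct.unpack(">HH", digest[16:20])
    return uuid.UUID(bytes=digest[:16]), major, minor


class Resolver:
    """Hypothetical stand-in for the cloud side: holds per-beacon keys and
    resolves a sighting only for callers presenting a valid token."""

    def __init__(self, beacon_keys: dict, app_tokens: set):
        self.beacon_keys = beacon_keys
        self.app_tokens = app_tokens

    def resolve(self, token: str, sighting, now: int):
        # Constant-time comparison so token checks do not leak timing.
        if not any(hmac.compare_digest(token, t) for t in self.app_tokens):
            raise PermissionError("unauthorized")
        for name, key in self.beacon_keys.items():
            # Accept the neighbouring slots to tolerate beacon clock drift.
            for drift in (-1, 0, 1):
                if rotating_id(key, now + drift * ROTATION_SECONDS) == sighting:
                    return name
        return None  # unknown beacon, or a stale (replayed) identifier


if __name__ == "__main__":
    # Constructed sample data: two beacons with made-up keys and one token.
    keys = {"entrance": b"\x01" * 32, "checkout": b"\x02" * 32}
    cloud = Resolver(keys, {"constructed-app-token"})
    t0 = 1_700_000_000
    seen = rotating_id(keys["entrance"], t0)
    print("broadcast now:       ", seen)
    print("broadcast next slot: ", rotating_id(keys["entrance"], t0 + ROTATION_SECONDS))
    print("resolved with token: ", cloud.resolve("constructed-app-token", seen, t0))
    print("same ID, much later: ",
          cloud.resolve("constructed-app-token", seen, t0 + 5 * ROTATION_SECONDS))
```

An observer without the key sees only values that change every slot, so an ID captured today does not identify the same beacon later.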

How to enable Secure UUID?

It’s pretty easy. First, UUID rotation requires beacons to have Estimote firmware version 2.2 or later. All you need to do is log in to your Estimote Account in the Estimote iOS app and connect to the beacon. Secure UUID will appear in the settings list.

You can also secure your beacons directly from the Estimote Cloud dashboard. Simply go to beacon settings, set Secure UUID, and save changes. The change will be applied via remote settings update.
