Understanding the security of Estimote Beacons

So I am developing an app that would require multiple beacons to be deployed in stores. The unique values of these beacons (UUID) are very important to my app and the backend that it will be connecting to.

The Security page states this:

  • Enabling UUID rotation causes periodic changes of the beacon’s ID
    (UUID, major and minor) so that it’s broadcasting unpredictable,
    encrypted values.
  • The only way to resolve the beacon’s identity is
    via authorized access to Estimote Cloud which requires your username
    and password or the proper app ID & app token.

Without the security feature enabled:
1. Aren’t malicious users able to ruin my service by using your Estimote app, and changing the UUID?

Now with security enabled:
2. With this feature, am I preventing users from changing my beacon values?
3. Does enabling this feature have any consequences on the battery life of the beacons?
4. And do I now have to have my backend service make a request to your cloud to get the identification I need?

No, it’s not possible. Secure UUID protects from UUID spoofing, which I’ll explain in a second. There’s also a second layer of security. To connect to a beacon you need to authenticate with Estimote Cloud with appId and appToken. Users that don’t have these values can’t change the UUID.

Proximity UUID, Major and Minor are publicly available, so anyone could build an app that uses your beacons. Secure UUID prevents that and encrypts your values. You can read more here.

Sure, a beacon rotates UUID, so there’s battery consumption but it’s negligible. Also you don’t implement security in your backend, it’s already in our SDK as ESTSecureBeaconManager.

I encourage you to read our newest blogpost about privacy & security.
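
The rotate-and-resolve idea quoted from the Security page, as an added example that is not part of the original thread and is not Estimote's code. The page does not describe Estimote's algorithm, so this assumes a generic scheme in which the broadcast ID is an HMAC of a per-beacon secret and a time counter; every name, the 10-minute period, the secret and the token are constructed.

```python
import hashlib
import hmac
import struct
import uuid

ROTATION_SECONDS = 600  # assumed rotation period, not an Estimote value
DEMO_SECRET = b"constructed-per-beacon-secret"  # constructed sample key


def rotating_id(secret, now, period=ROTATION_SECONDS):
    """Return the (uuid, major, minor) broadcast during the window containing `now`."""
    counter = now // period
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    major, minor = struct.unpack(">HH", digest[16:20])
    return uuid.UUID(bytes=digest[:16]), major, minor


class Resolver:
    """Hypothetical stand-in for the cloud side: it alone holds the beacon secrets."""

    def __init__(self, beacons, app_tokens):
        self.beacons = beacons        # beacon name -> secret
        self.app_tokens = app_tokens  # tokens allowed to resolve identities

    def resolve(self, token, broadcast, now, period=ROTATION_SECONDS, skew=1):
        # Callers without a valid token learn nothing about beacon identity.
        if not any(hmac.compare_digest(token, t) for t in self.app_tokens):
            raise PermissionError("unknown app token")
        # Accept the current window plus `skew` neighbours to absorb clock drift.
        for name, secret in self.beacons.items():
            for drift in range(-skew, skew + 1):
                if rotating_id(secret, now + drift * period, period) == broadcast:
                    return name
        return None  # unknown or stale (replayed) identifier


if __name__ == "__main__":
    cloud = Resolver({"store-entrance": DEMO_SECRET}, ["demo-token"])
    t0 = 1_700_000_000
    seen = rotating_id(DEMO_SECRET, t0)
    print("broadcast now:     ", seen)
    print("resolved now:      ", cloud.resolve("demo-token", seen, t0))
    print("replayed 1h later: ", cloud.resolve("demo-token", seen, t0 + 3600))
```

A value captured from the air stops resolving once its window has passed, which is why a copied UUID is of little use against a rotating beacon.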