20 comments

[ 0.28 ms ] story [ 38.2 ms ] thread
Hi HN, this is Jakub, founder of Estimote, Inc. (YC S13).

We just released a new revision of our Location Beacons. We implemented new, low power Nordic nRF52 chip and extended range to 200 metres (+10dB).

Beacons can simultanously advertise both iBeacon and Eddystone packets as well as telemetry & sensor data + they have built-in GPIO slot.

There is also 1Mb EEPROM, so you can read/write data directly in the beacon.

You can read more on our blog: http://blog.estimote.com/post/149362004575/updated-location-...

I will be more than happy to answer any questions here.

My power is out so I can't browse too much atm. I vaguely remember the Google beacon being a always-on notification that launched a website link pressed. How well does that work in android and iOS? Would it be feasible to make an "SOS help" beacon and expect every phone nearby to be notified or similarly spammed with an ad message?
I wish they were actually programmable. The available programmable BLE hardware is a bit clunky (I'm using stuff from RedBearLabs currently).
These should be great for attackers - a long-range Bluetooth device with years of battery life. Reprogram these for the MouseJack attack.[1] Get a bag of 50 and spread them around. Profit! If you want to attack a specific company, spread them around that company's building and nearby restaurants. If you repaint them, who's going to notice an extra rock in the landscaping?

If the "remote updating for fleet management" can be attacked, you don't even need to buy them; you can take over other people's.

[1] http://www.computerworld.com/article/3037377/security/mousej...

I'm not sure if I understand how these devices can be used to attack. Can you explain it in more detail?
Bluetooth devices can do MITM attacks on anything with a wireless keyboard or mouse. This device isn't designed to do that, but it's a programmable long-range Bluetooth device designed to be unobtrusive, so it's hardware that can be repurposed for an attack.
I don't think the beacons are "programmable" in the sense you think they are. They have a protocol which allows for configuring a root password and changing the string that it broadcasts, but it's not like you can install a different Bluetooth stack or profile (short of some profound vulnerability, but the same could be said for a pair of Bluetooth headphones).
They might not be intended to be, but from their dev site:

"Estimote Beacon is a small computer. Its 32-bit ARM® Cortex M0 CPU is accompanied by accelerometer, temperature sensor, and what is most important—2.4 GHz radio using Bluetooth 4.0 Smart, also known as BLE or Bluetooth low energy."

And from here: http://makezine.com/2014/01/03/reverse-engineering-the-estim...

"The Estimote is built around the Nordic Semiconductor nRF51822, which explains their presence on the Nordic booth at CES. It’s a nice chip, basically a 32-bit ARM Cortex M0 CPU with 256KB of flash and 16KB of RAM with a built-in 2.4GHz radio supporting both Bluetooth LE as well as 2.4GHz operation—where the 2.4GHz mode is on air compatible with the nRF24L series products from Nordic."

They might not be "easily programmable", but how much would you be against Travis Goodspeed being able to do something similar to what he's done here with an Estimote beacon? http://travisgoodspeed.blogspot.com.au/2011/02/promiscuity-i... (You can't see it very well in the image in the Makezine article of the board, but under the "CH3" in the label for the smaller chip is a 4 pin header that I'm 99.9% sure will be a jtag header...)

This version is based off the nRF52, which is still in preproduction as I understand it ( disclosure: I write firmware for the nRF51 for an IoT startup).

Both the 51 and 52 can have a BLE DFU programmed into the chip, allowing over the air firmware updates, so you wouldn't need a JTag. Most companies lock this down with a secure boot loader, meaning you would need to be able to flash the device using a JTag (only $500!)

It's not similar to the devices covered in the article. This is how a beacon work:

1- A beacon broadcast a UUID.

2- The users should install my app, the app reads the UUID.

3- The app requests the picture or video related to this UUID from my server.

If an attacker can access the beacon and modify it, then my app is not going to find the UUID's i added to the server.

and here is the attack:

-evul haxor learns about those beacons at the target location

-finds a weakness in remote firmware update

-prepares special firmware with added Microsoft/logitech mouse/keyboard emulation (nRF52 can do this). Bonus points if he can make one beacon flash other beacons in range.

-infects one beacon using long range setup (yagi, amp)

-profit

MouseJack was targeting vulnerabilities in non-BT mice and keyboards, like those using the Logitech dongles.

BT pairing prevents trivial MITM attacks.

This is really cool, but I can't figure out a use case to buy any :/
Said everyone working in IoT.
Yeah, like a sibling comment suggests, beacons are definitely in the bottom of the trough of disillusionment on the Gartner hype cycle chart.

There is a ton of potential for them though, but perhaps more in the autonomous vehicles and robotics space than in the realm of current consumer devices. Of course, there are plenty of competing technologies in the micro-location space.

Making beacons more computationally powerful beyond just broadcasting a UUID is an interesting development, and one competing tech, like location fingerprinting, can't easily do.

Yea I can see usage for big shops like wallmart etc where its next to impossible to find something if you dont know the store. Image if these where available for each area, and you just put in what you are looking for and it guides you to the correct section.
imagine this would work great .. if cellphones on the market were equipped with location tracking phase arrays instead of piece of wire for antenna.
You can place them in physical locations and let users download your app that will trigger when it sees them, it almost makes sense versus app with GPS coordinate list, almost ....
How can these devices pass BLE certification and go to +10dBm?
? its only 10mW, old BT Class 1 goes up to 100mW (20dbm)