Bluetooth beacons are wireless sensors that broadcast radio signals that are picked up by smartphones to unlock micro-location and contextual awareness. A connected app on your phone can interpret the beacon’s proximity to locations or objects by type, ownership, approximate location, and motion to connect your device to the real world.
The technology is used in a range of pubs and restaurants in Poland for verifying purchases in a smartphone app to collect points and earn rewards. In a recent post on BreakDev.org, Kuba Gretzky explains how he hacked an Android app to bypass the beacon and earn himself free beer.
The manufacturer’s SDK documentation shows what information the beacon transmits, and the manufacturer also publishes an Android library that lets any application listen for beacon broadcasts. Gretzky then found that the broadcast range is up to 70 metres, so in theory the values presumably used for authorising rewards are readable by anyone within range.
The manufacturer also provides a Developer App for debugging and troubleshooting, which reads out the beacon’s key parameters. To learn how the loyalty application communicates with its server, the author then used Fiddler, a Windows HTTP/HTTPS proxy, to intercept and decrypt the HTTPS traffic from the phone in the restaurant.
Once Fiddler was set up, he was able to intercept the public app’s traffic, since the app did not implement certificate pinning. Without the target restaurant’s beacon nearby, Gretzky used the venue’s place_id instead, but could not guess the associated four-digit PIN: the account was locked for 30 minutes after five failed attempts. He therefore set up an interception VPN to be used over 3G/4G on his mobile phone while in the restaurant.
This required a minor workaround to connect the VPN on Android 6.0. Gretzky then visited restaurants to test live packet capture alongside the developer app, succeeding at the third venue and collecting the broadcast values for UUID, Major number, and Minor number.
Gretzky released a simple script for decoding the sslsplit captures into clear text, which let him confirm that the values in the reward authorisation request were the same as those detected in the live broadcast with the developer app. These values are most likely broadcast continuously in every affiliated restaurant, so the proof of presence they provide is weak and the scheme is open to abuse.
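To make the security point concrete, here is an added example (not code from the original post or from Gretzky) that decodes the UUID, Major and Minor fields from a constructed iBeacon advertisement and shows that a server check built only on those three fields has nothing time- or device-bound in it. The packet bytes and UUID are constructed sample values, not any vendor’s real beacon.

```python
import struct
import uuid
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class IBeaconFrame:
    uuid: str
    major: int
    minor: int
    tx_power: int  # calibrated RSSI at 1 m, in dBm


def parse_ibeacon(adv: bytes) -> Optional[IBeaconFrame]:
    """Walk the BLE advertising AD structures and decode an iBeacon payload if present."""
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0 or i + 1 + length > len(adv):
            return None  # malformed length field, stop rather than over-read
        ad_type = adv[i + 1]
        data = adv[i + 2 : i + 1 + length]
        # 0xFF = manufacturer-specific data; Apple company ID 0x004C (little-endian),
        # iBeacon type 0x02, payload length 0x15 = 21 bytes (UUID + major + minor + tx)
        if ad_type == 0xFF and len(data) == 25 and data[:4] == b"\x4c\x00\x02\x15":
            major, minor, tx = struct.unpack(">HHb", data[20:25])
            return IBeaconFrame(str(uuid.UUID(bytes=data[4:20])), major, minor, tx)
        i += 1 + length
    return None


def presence_token(frame: IBeaconFrame) -> Tuple[str, int, int]:
    """What a server sees if the app forwards the beacon identity as proof of presence.
    Every field is static and public over the air, so two captures taken at different
    times and by different phones are indistinguishable to such a check."""
    return (frame.uuid, frame.major, frame.minor)


# Constructed sample advertisement: Flags AD structure followed by an iBeacon frame.
SAMPLE_ADV = bytes.fromhex(
    "020106"                            # len 2, Flags, LE General Discoverable
    "1aff4c000215"                      # len 26, manufacturer data, Apple, iBeacon, 0x15
    "00112233445566778899aabbccddeeff"  # proximity UUID (constructed placeholder)
    "04d2"                              # major = 1234
    "162e"                              # minor = 5678
    "c5"                                # tx power = -59 dBm
)

if __name__ == "__main__":
    frame = parse_ibeacon(SAMPLE_ADV)
    print(frame)
    print("presence token:", presence_token(frame))
```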