Secure Advertising with Secure Beacon & Eddystone-EID

Documentation about secure beacon advertising with ephemeral IDs

This guide describes the pros and cons of secure beacon advertising, an essential element of privacy-sensitive beacon networks. Two advertising profiles can be used to achieve this: the Beaconinside proprietary Secure Beacon profile and the Eddystone-EID profile.

Eddystone-EID is the official extension of the Eddystone standard that uses ephemeral/temporary IDs (EID) while broadcasting. It's in an early access stage. Beacons are available for pre-order here. Please contact support if you are interested in evaluating Eddystone-EID. The technical architecture behind Eddystone-EID is described in the official Google announcement blog post. Beaconinside worked with Google on the integration of the newest Eddystone features into our products; read the announcement on our news blog.

When do I need secure beacon advertising?

Bluetooth beacons by default broadcast public information (e.g. UUID, Major, Minor for iBeacon). This data can be easily discovered, stored and shared by nearby smartphones or computers.

Secure beacon advertising is recommended when you want to protect your beacon network from the following two scenarios:

  • Beacon Spoofing & Cloning: You want to prevent your beacons from being cloned and faked at other locations.
  • Beacon Harvesting: You want to prevent someone else from misusing your beacon networks.

How does secure beacon advertising work?

Typically, beacons advertise static data, like UUID, Major and Minor values. This data can be easily harvested and used by other parties. With secure advertising, rotating temporary IDs based on cryptographic algorithms replace the static identifiers and can change as often as every minute. The default is 1 rotation per day.

The Beaconinside Beacon already contains a secret hash key which is known to the server as well. The mobile BeaconService SDKs synchronize with the server to get the most recent IDs, which are used to resolve the original beacon ID and its metadata (e.g. ZoneID=231 or BeaconID=A101).

Secure beacon advertising requires the Beaconinside SDK and an online connection at least once per day to synchronize beacon data with the server.
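The rotate-and-resolve flow described above, as an added sketch that is not Beaconinside's proprietary algorithm or the Eddystone-EID construction. It assumes HMAC-SHA256 over a rotation counter, truncated to 8 bytes, as the ID derivation; the keys, timestamp and function names are constructed for illustration.

```python
import hashlib
import hmac

ROTATION_SECONDS = 86400  # page default: one rotation per day
ID_LEN = 8                # assumption: 8-byte ephemeral ID

# Constructed sample registry: per-beacon secret known to beacon and server.
REGISTRY = {
    "A101": {"key": bytes.fromhex("00112233445566778899aabbccddeeff"), "zone": 231},
    "A102": {"key": bytes.fromhex("ffeeddccbbaa99887766554433221100"), "zone": 231},
}

def period(now, rotation=ROTATION_SECONDS):
    """Rotation counter for a Unix timestamp."""
    return int(now) // rotation

def ephemeral_id(key, counter):
    """ID the beacon broadcasts during rotation period `counter`."""
    msg = counter.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:ID_LEN]

def build_sync_table(registry, now, drift_periods=1):
    """Server side: table the SDK downloads on sync, mapping currently valid
    IDs to beacon metadata. Adjacent periods tolerate beacon clock drift."""
    current = period(now)
    table = {}
    for beacon_id, entry in registry.items():
        for c in range(current - drift_periods, current + drift_periods + 1):
            table[ephemeral_id(entry["key"], c)] = (beacon_id, entry["zone"])
    return table

def resolve(table, observed):
    """SDK side: (beacon_id, zone) for a valid ID, None for unknown or stale."""
    return table.get(observed)

if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    table = build_sync_table(REGISTRY, now)
    key = REGISTRY["A101"]["key"]
    # Live broadcast resolves to the original beacon ID and zone.
    print(resolve(table, ephemeral_id(key, period(now))))
    # An ID harvested 30 rotations ago no longer resolves.
    print(resolve(table, ephemeral_id(key, period(now) - 30)))
```

A client whose table is older than the drift window cannot resolve current broadcasts, which is why the SDK needs the periodic online synchronization.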

How can I enable secure beacon advertising?

The Beaconinside SDKs support secure advertising out of the box; no additional code changes or method calls are needed. We take care of the complexity for you. Please test with the Android SDK first, see latest releases.

To enable secure advertising, you have to activate the Secure Beacon profile for the Beaconinside Beacon on the device itself and within the Beaconinside MANAGE web portal. We can also pre-configure beacons before shipping.

Set the Secure Beacon Profile in the MANAGE beacon dashboard.

Set the Secure Beacon profile within the Beacon Manager App for Android.

The BeaconService SDKs will now detect secured beacons in the same way as regular non-secured devices. The initial synchronization, after which the mobile clients and the server are aware of the rotating IDs, can take up to 1 day.