Wi-attack: Cross-technology Impersonation Attack against iBeacon Services

TL;DR

This paper demonstrates a novel WiFi-based impersonation attack called Wi-attack that can target iBeacon services, causing significant location errors without hardware modifications, by exploiting cross-technology communication techniques.

Contribution

The paper introduces Wi-attack, a new cross-technology impersonation attack on iBeacon that overcomes previous hardware restrictions and achieves high packet reception rates.

Findings

Wi-attack achieves up to 66.2% packet reception rate.

It causes over 20 meters average error in fingerprint localization.

Effective in multiple iBeacon deployment scenarios.

Abstract

iBeacon protocol is widely deployed to provide location-based services. By receiving its BLE advertisements, nearby devices can estimate the proximity to the iBeacon or calculate indoor positions. However, the open nature of these advertisements brings vulnerability to impersonation attacks. Such attacks could lead to spam, unreliable positioning, and even security breaches. In this paper, we propose Wi-attack, revealing the feasibility of using WiFi devices to conduct impersonation attacks on iBeacon services. Different from impersonation attacks using BLE compatible hardware, Wi-attack is not restricted by broadcasting intervals and is able to impersonate multiple iBeacons at the same time. Effective attacks can be launched on iBeacon services without modifications to WiFi hardware or firmware. To enable direct communication from WiFi to BLE, we use the digital emulation technique of cross technology communication. To enhance the packet reception along with its stability, we add redundant packets to eliminate cyclic prefix error entirely. The emulation provides an iBeacon packet reception rate up to 66.2%. We conduct attacks on three iBeacon services scenarios, point deployment, multilateration, and fingerprint-based localization. The evaluation results show that Wi-attack can bring an average distance error of more than 20 meters on fingerprint-based localization using only 3 APs.