Bluetooth beacons: one free privacy debate with your next order

Apps and their permissions have been in the news recently, particularly in relation to tracking/privacy issues and Bluetooth. Why Bluetooth, though? What is it, and what is it doing to raise concerns in some security quarters?

Bluetooth: your cool, then uncool, but mostly cool again cousin

Bluetooth has had a slightly odd reputation down the years. Pre-smartphones, for many people it was “that thing enabled by default, which you can also use to transfer photographs incredibly slowly.” When smartphones came around, it was relegated to “that thing enabled by default, but I’ll turn it off because I have Wi-Fi.”

Bluetooth technology actually has a lot of applications. It’s a short-range wireless communications protocol which doesn’t deserve its occasionally uncool reputation. Its limited range stops it from killing your battery, and from a security standpoint, it’s quite tricky to deliberately attack someone’s mobile device when everything hinges on a target being in a small space at a specific time.

If you want to send contacts or videos to someone, tether devices, talk to people safely while in a car, or even just fire up some wire-free headphones in the gym without hassle, Bluetooth is the place to be. That’s not to say people can’t do bad things with it, of course.

Apple’s AirDrop, which made use of Bluetooth, was caught up in some unsolicited message chaos back in 2018. Bluejacking did similar things and has been around for a long time. Bluetooth isn’t 100 percent secure, but then nothing is. There are multiple steps you can take to lock Bluetooth down, with the caveat that it works best by being open and accessible most of the time.

However, security concerns about Bluetooth are being raised today in the realm of beacon technology.

What is beacon technology?

I’m glad you asked. You likely run into beacons every day without knowing it. For clarity’s sake, there are many beacon types and we’re not focusing on all of them here. Web beacons, which typically track you across websites or email, are interesting but not our subject. We’re exploring the kind of beacon located in a store you happen to enter, or even just pass by inside a mall, which sees you coming and helps to serve up (say) some targeted advertising on a billboard or helps ad networks push said ads in your web browser when you get home.

We’ll look at what happens once you step inside the store in a little while, but first we need to figure out how to get you to roll up to my wonderland emporium in the first place. The unexpected first step involves a fence, but not the wooden kind.

Putting up a fence

Geofencing has been around for a good while, and you may have come into contact with it without realizing what it’s called. If you’ve read a more recent “What is this technology?” article, you’ll probably see lots of mentions of advertising, marketing, leading offers, customer satisfaction, and more. You’d assume it was some sort of marketing be-all and end-all, created by Steven P. Advertising, CEO of geolocational advertising services.

That’s not quite the case. 

Geofencing allows you to carve out virtual space around a real area. It’ll help prevent toddlers escaping from a nursery, or stop people wearing an ankle bracelet going on the run. It could alert workers in dangerous environments that they’ve wandered into the danger zone, or help businesses keep curious employees or intruders out of secure areas.

As you’ll be aware, some of this has been around seemingly forever. However, marketing and sales have adopted it as a major method for driving sales. If you go searching online, most of the primary results will be for slick marketing operation dot com as opposed to oil rig platform safety dot net.

A trail of breadcrumbs

How do I let you know about my cool store if it’s quite a way off from your current location? I could throw up a chain of geofences along the roads you happen to be traveling down. As you pass through the geofenced area, you might start to receive mobile notifications about the awesome and very cheaply priced goods I’m selling.

Why not think bigger? I could geofence some digital billboards as you go driving past.

From your car, to my store: You may not have intended to pay me a visit when you set out this morning, but those adverts for…let’s say delicious sweet rolls…were too good an opportunity to pass up.

My selection of fences has brought you to the store, and now the in-house beacons will do the rest. Everything from your movement around the building to the products you linger on is now potentially up for grabs. But how do I send you some of those juicy beacon ads or follow you round the store like a digital ghost in the first place? How do I know if you’re lingering in front of my sweet rolls or walking on by to reach something more interesting?

The answer is: I need to introduce your mobile device to my good friend, Bluetooth McBeacon.

Bluetooth McBeacon: your new in-store guide

Well, what is a beacon? It’s most frequently a small, randomly shaped device. Could be a box, it might look like a router, or it could resemble one of those targets you strap to your chest in a game of laser tag. Put simply, it could be pretty much anything. It pulses out an ID and when a phone or other device recognises said ID, they’ll have a sales-based marketing conversation.

How to begin that sales-based marketing conversation?

The most common way for this to happen is to create an app, and include Bluetooth pairing as one of the permissions. If I’m strapped for cash or don’t know where to begin cobbling an app together, I don’t have to; there are multiple third-party apps out there which will pop your content via the beacon.

That’s the app part sorted out. My beacon device will make use of various protocols to howl its ID out into the void. Did you know Google made one of these protocols? How about Apple? It’s a whole new world of void howling.

Anyway, my beacon howls into the void at regular intervals—the shorter the better because it allows for more accurate tracking. When someone running the relevant mobile app wanders into the store, the beacon stops howling and starts high-fiving as the mobile recognises the beacon ID. One quick permission request later, and we’re officially up and running with our previously mentioned sales-based marketing conversation.
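What “recognising the beacon ID” amounts to on the receiving side, as an added example that is not part of the original article: a parser that pulls the broadcast identifier out of a raw Bluetooth Low Energy advertisement in the two vendor layouts alluded to above, Apple’s iBeacon and Google’s Eddystone-UID. The sample payloads and every identifier value in them are constructed for illustration.

```python
import struct

APPLE_COMPANY_ID = 0x004C   # Bluetooth SIG company identifier assigned to Apple
EDDYSTONE_UUID16 = 0xFEAA   # 16-bit service UUID used by Eddystone frames

# Constructed sample advertisements (all UUID/namespace/instance values are made up).
SAMPLE_IBEACON = bytes.fromhex(
    "020106" "1aff4c000215" "00112233445566778899aabbccddeeff" "0001" "002a" "c5")
SAMPLE_EDDYSTONE = bytes.fromhex(
    "020106" "0303aafe" "1716aafe00ee" "0102030405060708090a" "0b0c0d0e0f10" "0000")
SAMPLE_HEADPHONES = bytes.fromhex("020106" "050942756473")  # local name "Buds", no beacon

def ad_structures(payload: bytes):
    """Yield (ad_type, data) for each length/type/value structure in an advertisement."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            break  # zero padding or a truncated structure: stop parsing
        yield payload[i + 1], payload[i + 2:i + 1 + length]
        i += 1 + length

def identify_beacon(payload: bytes):
    """Return the identifier a beacon is broadcasting, or None if it is not a beacon."""
    for ad_type, data in ad_structures(payload):
        # 0xFF = manufacturer-specific data; iBeacon is Apple subtype 0x02, length 0x15.
        if (ad_type == 0xFF and len(data) >= 25 and data[2:4] == b"\x02\x15"
                and struct.unpack_from("<H", data)[0] == APPLE_COMPANY_ID):
            major, minor, power = struct.unpack_from(">HHb", data, 20)
            return {"format": "iBeacon", "uuid": data[4:20].hex(),
                    "major": major, "minor": minor, "power_at_1m_dbm": power}
        # 0x16 = service data; Eddystone-UID is frame type 0x00 under UUID 0xFEAA.
        if (ad_type == 0x16 and len(data) >= 20 and data[2] == 0x00
                and struct.unpack_from("<H", data)[0] == EDDYSTONE_UUID16):
            return {"format": "Eddystone-UID", "namespace": data[4:14].hex(),
                    "instance": data[14:20].hex(),
                    "power_at_0m_dbm": struct.unpack_from("b", data, 3)[0]}
    return None

if __name__ == "__main__":
    for name, adv in [("iBeacon", SAMPLE_IBEACON), ("Eddystone", SAMPLE_EDDYSTONE),
                      ("headphones", SAMPLE_HEADPHONES)]:
        print(name, "->", identify_beacon(adv))
```

Both layouts are plain, unauthenticated broadcasts: the identifier is readable by any receiver in range that the operating system allows to scan.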

The world is now our marketing oyster, and a barrage of targeted advertising, in-store offers, and even ads for objects you lingered in front of (but didn’t buy) will follow you home as a gentle reminder to maybe pick it up online at a discount. Depending on which ad platforms the beacon owner makes use of, they may be able to plug said platform directly into the beacon’s functionality, which would assist in even more detailed forms of tracking.

These techniques, combined with geofencing for maximum marketing impact, are how stores are pushing you to buy their stock and leading you to a marketing metrics bonanza behind the scenes.

There are many other real-world ad-pushing techniques, but Bluetooth beacons are a little more accessible and straightforward, which is probably why they’re so present in our everyday lives (even if we don’t realise it).

The future of Bluetooth tracking

Various attempts to make augmented reality shopping aids (dragging and dropping VR furniture into your room so you can see if it fits perfectly, waving your phone around to click on digital coupons as you pick up tins of soup, sales assistants knowing which product you hovered your phone over the longest) haven’t exactly exploded the way developers probably thought.

Nice ideas, but a little convoluted and often not practical. Dropping a router-like device in your store and asking people to download your app for some discounts instead? That is the way to go.

What can I do to avoid Bluetooth tracking?

Whether you’re not keen on election-related Bluetooth antics, or simply don’t want to be followed offline or otherwise by a growing collection of stores and malls, Bluetooth is easy to keep a handle on. Most phone models will have it as a default setting whenever you open your options menu, usually next to Wi-Fi. Don’t want Bluetooth doing its thing? Just turn it off.

If you desperately need to use Bluetooth for something specific, enable it, then disable it right after. Keeping an eye on app permissions at install will help, and of course you should be in the habit of doing that anyway, and not just for Bluetooth. A huge range of apps ask for Bluetooth permissions, but that doesn’t necessarily mean they’re up to no good. As mentioned above, Bluetooth has a ton of valid uses, and even tech directly adjacent to it like geofencing can be used for entirely useful purposes.

The trick is figuring out what the value proposition for the app is and knowing what its owners intend to do with your data once they have it. If you’re happy with their intentions, feel free to grant permission. If you’re unsure, save the install for another day and do some Internet sleuthing before making a commitment.

Because once your device and identity are plugged into an online/offline marketing profile, you may find it almost impossible to extract yourself. Perhaps it’s better to give that tempting-looking sweet roll store a pass.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.