Important announcement - Onyx Beacon hardware and services to be discontinued!



How can we protect the beacons, so that nobody can change their UUID?

Our beacons achieve a high level of security through a mix of encryption, randomness and simplicity. The encryption combines AES-128 with a MAC (Message Authentication Code) and relies on a dedicated hardware coprocessor embedded in our beacons. Configuration is greatly simplified by moving responsibility away from the mobile client and assigning it to the server-side Beacon Management Software. This provides a secure way to configure and manage large-scale deployments and avoids losing beacons to UUID hijacking.


What exactly is AES-128 Encryption?

The configuration packet is encrypted using AES-128 in CBC mode. The packet also contains a MAC for packet validation.
The private key is stored on the beacon and on the CMS. A new configuration can be created on the phone or on the CMS. If it is created on the phone, it is sent to the CMS for encryption. Once the configuration is ready, it is encrypted with the private key, sent to the phone, and then transferred to the beacon. If the packet is valid, the beacon decrypts it and applies the new values. If not, the packet is discarded. You need a connection between the phone and the CMS in order to obtain the encrypted version of the configuration.
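
The flow described above, as an added example (not Onyx Beacon's code): the CMS seals a configuration, and the beacon checks the MAC before decrypting and discards anything that fails. The packet layout, HMAC-SHA256 as the MAC, the separate MAC key, and the names `sealConfig` and `openConfig` are assumptions; the page does not specify them.

```javascript
// Added example, not Onyx Beacon code. Assumed packet layout:
//   IV (16 bytes) || AES-128-CBC ciphertext || HMAC-SHA256 tag (32 bytes)
const crypto = require('crypto');

const IV_LEN = 16, TAG_LEN = 32;

// CMS side: encrypt the configuration, then MAC the IV and ciphertext.
function sealConfig(encKey, macKey, config) {
  const iv = crypto.randomBytes(IV_LEN); // fresh random IV per packet
  const cipher = crypto.createCipheriv('aes-128-cbc', encKey, iv);
  const body = Buffer.concat([iv, cipher.update(config), cipher.final()]);
  const tag = crypto.createHmac('sha256', macKey).update(body).digest();
  return Buffer.concat([body, tag]);
}

// Beacon side: validate the MAC before any decryption. Returns the
// plaintext config, or null when the packet must be discarded.
function openConfig(encKey, macKey, packet) {
  const bodyLen = packet.length - TAG_LEN;
  // Need the IV plus at least one whole cipher block.
  if (bodyLen < IV_LEN + 16 || (bodyLen - IV_LEN) % 16 !== 0) return null;
  const body = packet.subarray(0, bodyLen);
  const expected = crypto.createHmac('sha256', macKey).update(body).digest();
  // Constant-time comparison; both buffers are TAG_LEN bytes here.
  if (!crypto.timingSafeEqual(packet.subarray(bodyLen), expected)) return null;
  const d = crypto.createDecipheriv('aes-128-cbc', encKey, body.subarray(0, IV_LEN));
  try {
    return Buffer.concat([d.update(body.subarray(IV_LEN)), d.final()]);
  } catch {
    return null; // authentic but malformed padding: still discard
  }
}

// Constructed demo keys and config (placeholders, not real values).
const encKey = Buffer.alloc(16, 0x11);
const macKey = Buffer.alloc(32, 0x22);
const config = Buffer.from('uuid=00000000-0000-0000-0000-000000000000;major=1;minor=2');

const packet = sealConfig(encKey, macKey, config);
const tampered = Buffer.from(packet);
tampered[IV_LEN] ^= 0x01; // flip one ciphertext bit in transit

console.log(openConfig(encKey, macKey, packet).toString()); // config round-trips
console.log(openConfig(encKey, macKey, tampered)); // null
```

Because the tag covers the IV as well as the ciphertext, a relay that alters either one gets the packet discarded without the beacon ever running the CBC decryption on attacker-controlled bytes.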