Thursday, January 17, 2013


Aerohive, Euclid partner on using Wi-Fi to decode shoppers' behavior 


Is it well designed and implemented? At first sight it is, but is it tamper-proof against malicious activities? I'm not that sure...

Copy/paste from the Aerohive Solution Brief:

Every Wi-Fi radio sends out standard probe signals searching for a Wi-Fi access point (AP) to attach to. The Aerohive AP detects that probe, “anonymizes” the unique MAC address by using a cryptographic hash function (or “hash”) then encrypts the data for transport to the Euclid cloud platform for processing. From that point, Euclid advanced heuristics use several different factors – including signal strength, ping frequency, and proximity to other access points (if any) – to determine the phone’s approximate location including if it is inside or outside the retail store, and then employs proprietary algorithms to create the analytics information used by business operations.
The Aerohive Cloud Services Platform connects to the Euclid cloud through a secure JavaScript Object Notation (JSON) connection to retrieve and present the resultant analytic information in a simple screen in our HiveManager Online cloud application.



As a security practitioner, I am always wondering whether an implementation has any weaknesses that would allow malicious activities to take place. In this case, my concern is that since this solution uses MAC addresses rather than RFID, what about someone sitting in front of my store and constantly forging MAC addresses?

Examples of tools to change MAC:

  • On GNU/Linux: macchanger, or even ifconfig...
  • On MS Windows: etherchange (run from the command prompt, thus easy to script).
  • On Mac OS X: sudo ifconfig en0 Wi-Fi <New_MAC> (Lion) or sudo ifconfig en0 ether <New_MAC> if the former is not working.
  • Myself, I would opt for scapy (src_mac and the like) and Python, but any ifconfig trick can be scripted.

The other concern is the business model. Statistics are sent to Amazon AWS Cloud services in a secure manner, fine with me... But in the case of a DoS (MAC forging and flood), the collected data becomes irrelevant, and the amount of useless data will increase the cost of the solution (AWS service fees are rather complicated to understand, I must admit).
Are there any protection (counter)measures available against such issues?
A threshold on the AP, or when the data are mangled on Amazon's side?
What about sending a nonexistent MAC OUI? Is the "input" sanitized? (Maybe, see the above figure, which states that "Data is processed, cleaned and stored securely".)
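
As an added illustration (not code from the Aerohive brief, from Euclid, or from the original post), here is one way the two countermeasures asked about above, an OUI sanity check and a threshold on the AP, could look. The OUI list, window length and limit are constructed assumptions, and SHA-256 stands in for the unspecified hash function.

```python
import hashlib
import re
from collections import deque

# Constructed sample values standing in for the IEEE OUI registry (assumption).
KNOWN_OUIS = {"00:1a:2b", "3c:5a:b4", "f0:de:f1"}
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")

def classify_mac(mac, known_ouis=KNOWN_OUIS):
    """Return 'ok' or the reason a probe's source MAC should not be counted."""
    mac = mac.lower()
    if not MAC_RE.fullmatch(mac):
        return "malformed"
    first = int(mac[:2], 16)
    if first & 0x01:
        return "multicast"             # I/G bit set: not a valid source address
    if first & 0x02:
        return "locally-administered"  # U/L bit set: no registered OUI behind it
    if mac[:8] not in known_ouis:
        return "unknown-oui"
    return "ok"

class ProbeFilter:
    """Hypothetical per-AP filter: sanity-check, hash, cap new devices per window."""
    def __init__(self, window_s=60, max_new=3):
        self.window_s, self.max_new = window_s, max_new
        self.seen = set()         # hashes already counted
        self.new_times = deque()  # timestamps of recently admitted new devices
    def offer(self, ts, mac):
        verdict = classify_mac(mac)
        if verdict != "ok":
            return verdict, None
        digest = hashlib.sha256(mac.lower().encode()).hexdigest()
        if digest not in self.seen:
            while self.new_times and ts - self.new_times[0] >= self.window_s:
                self.new_times.popleft()
            if len(self.new_times) >= self.max_new:
                return "rate-limited", None  # flood of never-seen addresses
            self.new_times.append(ts)
            self.seen.add(digest)
        return "ok", digest

# Constructed observations: (seconds, source MAC of the probe request).
SAMPLE = [(0, "00:1a:2b:00:00:01"), (1, "00:1A:2B:00:00:01"), (2, "02:11:22:33:44:55"),
          (3, "01:00:5e:00:00:01"), (4, "00:de:ad:be:ef:00"), (5, "3c:5a:b4:00:00:02"),
          (6, "f0:de:f1:00:00:03"), (7, "00:1a:2b:00:00:04"), (70, "00:1a:2b:00:00:04")]

def run(events, **kw):
    f = ProbeFilter(**kw)
    return [f.offer(ts, mac)[0] for ts, mac in events]
```

A filter like this only bounds how many never-seen addresses are counted per window; a forged address carrying a registered OUI is indistinguishable from a real device at this layer.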

Well, there are for sure more concerns, but these are just the ones that are off the top of my head at the time of writing...
Oh yes! A "funny" one... Imagine anon distributing a DDoS program that would intentionally send the exact same MAC address for a given period of time, then generate a new one or fetch it from a C&C server and do it all again and again. I guess the statistics will become just a nice piece of (well, you got the idea I presume).

I hope that I am all wrong with my assumptions. I really like the Aerohive technology... Actually, this is maybe why I am affected and therefore writing this post ;-)