Radio frequency based solutions have been introduced that deploy low-cost radio frequency tags at known, mapped locations within confined premises, such as a floor of a retail store. Such tags can include radio frequency identification (RFID) tags, Bluetooth™ Low Energy (BLE) tags, and the like, that periodically broadcast a beacon carrying each tag's unique identity. A client device, e.g. a smartphone running a locationing application, moving within the premises and able to receive the beacons and read the identity of one of those tags (typically the one with the strongest signal), can then be associated with that tag's location. The client device or another network device reports this identity to a server in a location update message, and the server then knows the location of the client device by looking up the known location of the identified tag. The server collects this location data over a period of time for use by an analytics engine to derive meaningful results, e.g. that a substantial number of customers congregate at the tag location of a particular product of interest. The correctness of these results depends on the integrity of the location data collected by the server.
However, a problem arises with radio frequency based tag locationing, in that these simple, low-cost tags have little intelligence, and their beacons are neither encrypted nor authenticated. As a result, there is an opportunity for attackers to mount security attacks against such solutions wherever the client software runs on unmanaged or uncontrolled devices. Such an attack could corrupt the server database with spurious information. For example, an attacker could sniff the beacon packets, determine the packet format, and learn the identifications of the deployed tags. All that is required is for the attacker to walk around the floor with a sniffer device and listen for beacons. The attacker could then craft fraudulent location update messages listing arbitrary selections of the known tag identifications and send them to the server.
If the malicious device is operating on a wireless local area network (WLAN) when it sends these fraudulent messages, the server may be able to confirm the location of the malicious device using locationing-over-WLAN techniques known in the art, such as Time Difference of Arrival (TDOA) or Received Signal Strength Indication (RSSI) measurements on the device's WLAN signals, to triangulate its location. However, if the malicious device communicates with the server over a cellular network, for example, the device need have no physical presence on the premises, and the server has no way to determine the device location. Therefore, an attacker can simply walk into the premises with a sniffer tool and collect all tag packets and identifications. The attacker can also capture packets on the WLAN interface, thereby correlating each tag with the access point coverage area in which it is installed. Since tag packets are not encrypted, the attacker can then set up one or more malicious devices that mimic the tag packets in location update messages sent to the server over the cellular network. In this way, the attacker can flood the server's locationing database with incorrect location update messages.
The attacker above can easily ensure that the arrival rate of the location update messages neither triggers thrashing nor violates the tag to access point coverage area correlation. (When the arrival rate of location update messages from a source exceeds a known threshold rate, a process called thrashing is applied, wherein that source is considered compromised and its location update messages are discarded.) The attacker can mount such attacks while geographically remote, using the cellular network. The attacker can also impersonate multiple customers, which can be done programmatically and is therefore not limited in count. Such attacks can also be bought. For instance, an unscrupulous employee responsible for boosting sales of a product can pay an attacker to mislead the analytics engine of a system server into concluding that customers have expressed significant interest in that product. To do so, the attacker needs to maximize the number of location update messages for the tag placed next to that product. The attacker connects remotely to the server over a cellular network and sends location update messages from multiple devices, statistically lopsided in favor of that tag. As a result, the analytics engine of the server is misled into concluding that customer interest in the product has surged.
In addition, the attacker could use different Media Access Control (MAC) addresses to give the impression that multiple clients are reporting location update messages. Further, the attacker could spoof the MAC addresses of other, legitimate clients, which could result in more serious issues. In particular, a rogue client using a spoofed MAC address could send incorrect tag identifications in location update messages so that the location server believes the legitimate client is at the wrong location. Collecting these false location update messages could produce many false positive readings, corrupting the information held by the server and misleading the analytics engine into generating wrong results or results that unduly favor a party.
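The following is an added example, not code from the original disclosure, that models the two server-side defenses named above (the thrashing rate threshold and the tag to access point coverage correlation) and shows why the attack described in the two preceding paragraphs defeats them: a naive flood from one MAC address trips thrashing, a WLAN client reporting a tag outside its access point's coverage is rejected, but paced messages from many programmatically generated MAC addresses over cellular (where the server observes no access point) are all accepted. The message format, the class and function names, the thresholds and the tag coverage map are assumptions, and all input data is constructed.

```python
"""Model of a tag-locationing server's thrashing and coverage-correlation checks.

Added example with constructed data. The message fields ("mac", "tag", "ts", "ap"),
the threshold values and the coverage map are assumptions, not taken from any
real product.
"""
from collections import defaultdict, deque

# Constructed deployment map: tag id -> access points whose coverage area contains the tag.
TAG_COVERAGE = {
    "tag-A1": {"ap-01", "ap-02"},
    "tag-B7": {"ap-02"},
    "tag-C3": {"ap-03"},
}

THRASH_THRESHOLD = 5     # assumed: max updates per source MAC per window
WINDOW_SECONDS = 60.0    # assumed: sliding window for the rate check


class LocationServer:
    def __init__(self, tag_coverage, threshold=THRASH_THRESHOLD, window=WINDOW_SECONDS):
        self.tag_coverage = tag_coverage
        self.threshold = threshold
        self.window = window
        self.arrivals = defaultdict(deque)  # source MAC -> timestamps inside the window
        self.compromised = set()            # sources discarded by thrashing
        self.db = []                        # accepted (ts, mac, tag) records

    def _thrashing(self, mac, ts):
        """Sliding-window rate check: True once a source exceeds the threshold."""
        q = self.arrivals[mac]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.threshold

    def _correlated(self, tag, ap):
        """Tag/AP coverage correlation. 'ap' is the access point the server observed
        the client on; over cellular there is none, so there is nothing to check."""
        if ap is None:
            return True
        return ap in self.tag_coverage.get(tag, set())

    def handle(self, msg):
        mac, tag, ts, ap = msg["mac"], msg["tag"], msg["ts"], msg.get("ap")
        if mac in self.compromised:
            return "dropped:compromised"
        if tag not in self.tag_coverage:
            return "dropped:unknown_tag"
        if self._thrashing(mac, ts):
            self.compromised.add(mac)
            return "dropped:thrashing"
        if not self._correlated(tag, ap):
            return "dropped:uncorrelated"
        self.db.append((ts, mac, tag))
        return "accepted"


def tag_counts(server):
    """What the analytics engine would see: accepted updates per tag."""
    counts = defaultdict(int)
    for _, _, tag in server.db:
        counts[tag] += 1
    return dict(counts)


def run_scenarios():
    srv = LocationServer(TAG_COVERAGE)
    results = {}

    # 1. Genuine WLAN client standing at tag-A1, associated to ap-01.
    results["genuine"] = srv.handle(
        {"mac": "aa:bb:cc:00:00:01", "tag": "tag-A1", "ts": 0.0, "ap": "ap-01"})

    # 2. Naive flood: one MAC, 10 updates in 10 seconds. Exceeds 5 per 60 s, so
    #    thrashing marks the source compromised after the fifth accepted update.
    flood = [srv.handle({"mac": "aa:bb:cc:00:00:02", "tag": "tag-B7",
                         "ts": float(i), "ap": None}) for i in range(10)]
    results["flood_accepted"] = flood.count("accepted")
    results["flood_last"] = flood[-1]

    # 3. Paced attack over cellular: 50 programmatically generated MACs, 4 updates
    #    each, 15 s apart. Every source stays under the threshold and no access
    #    point was observed, so nothing is rejected.
    paced = []
    for n in range(50):
        mac = f"02:00:00:00:{n // 256:02x}:{n % 256:02x}"
        for k in range(4):
            paced.append(srv.handle({"mac": mac, "tag": "tag-B7",
                                     "ts": 100.0 + 15.0 * k, "ap": None}))
    results["paced_accepted"] = paced.count("accepted")

    # 4. WLAN client reporting tag-C3 while associated to ap-01: outside coverage.
    results["uncorrelated"] = srv.handle(
        {"mac": "aa:bb:cc:00:00:03", "tag": "tag-C3", "ts": 200.0, "ap": "ap-01"})

    results["counts"] = tag_counts(srv)
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The point the scenarios make is that both checks key on properties the attacker fully controls (the source MAC, the sending rate, and the absence of any WLAN observation), so the accepted-update count for tag-B7 ends up dominated by the paced remote traffic; only a check tied to physical presence on the premises, which neither rule provides, would separate the two cases.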
Hence, there is a need for a technique to validate that location update messages originate from a device that is actually present within the confined premises, rather than from a remote device replaying sniffed tag identifications.
Skilled artisans will appreciate that elements in the figures are illustrated for simplicity and clarity and have not necessarily been drawn to scale. For example, the dimensions of some of the elements in the figures may be exaggerated relative to other elements to help to improve understanding of embodiments of the present invention.
The apparatus and method components have been represented where appropriate by conventional symbols in the drawings, showing only those specific details that are pertinent to understanding the embodiments of the present invention so as not to obscure the disclosure with details that will be readily apparent to those of ordinary skill in the art having the benefit of the description herein.