Wrong Siren! A Location Spoofing Attack on Indoor Positioning Systems: The Starbucks Case Study

The Internet of Things interconnects a mass of billions devices, from smartphones to cars, to provide convenient services to people. This gives immediate access to various data about the objects and the environmental context - leading to smart services and increased efficiency. A number of retail stores have started to adopt IoT enabled services to attract customers. In particular, thanks to indoor proximity technologies, it is possible to introduce location-based smart services to customers, for example, transmitting identifiable signals that represent the locations of stores. In this article, we investigate a potential security risk involved in such technologies: physical signals used as identifiers can be captured and forged easily with today's widely available IoT software for implementing location spoofing attacks. We highlight this security risk by providing a case study: an in-depth security analysis of the recently launched Starbucks service called Siren Order.