iBeacon is a promising new technology. But how secure is it? Bluetooth Low Energy (BLE) can be secure when encryption is enabled. However, this is only the case when communication is established. But the iBeacon framework isn't meant to allow communication between devices. It even isn't possible to communicate through the iBeacon framework (CoreBluetooth should then be used). An iBeacon is only capable of advertising (data). But are those advertising packets secured or are these open for public?

I am missing a more detailed (technical) report on iBeacon.

Another thing which isn't very clear: who starts 'talking'? Is it the advertising iBeacon device or the monitoring application/device. Is an advertising iBeacon device always advertising?

Security is entirely up to you.

iBeacons are secure in the sense that they are very simple devices that do nothing but transmit a 3 part identifier (and a transmitter power measurement). They are always advertising unless you go out of your way to stop them.

Anybody can see this identifier, so you had better not expect to keep it secret! Last week for example, I went to the Washington, DC Apple store and used my Android iBeacon Locate app to find out the three part identifier of the iBeacon near the entrance to Apple's store.

With this info, I then configured my own iBeacon to transmit the very same tree part identifier, theoretically enabling me to push offers to apps configured to respond to Apple's iBeacon.

Is this a security problem? Only if you design a system that incorrectly assumes the an iBeacon identifier is secret.

Interestingly, Apple's iOS APIs forbid scanning for completely unknown iBeacon identifiers (you must at least know the first of the three part identifier), suggesting they want to maintain this secrecy. Given that Android and OSX offer no such prohibition, it is best not to expect your iBeacon identifier remain secret.

Security for iBeacon is not interpretable as there is no connection established between the receiver and the iBeacon. An iBeacon is nothing more than a BLE peripheral advertising a special packet. You can read about the details in this SO question: What is the iBeacon Bluetooth Profile

You best think of an iBeacon as a special type of road sign. The software on iOS can detect the road sign and read what's printed on it. But anyone can go to the San Diego zoo, see a sign saying "San Diego Zoo, Monkey house", make a copy of the sign and put it up somewhere in Shanghai near a police station. So if you are in Shanghai, and your San Diego Zoo application is running, and tells you you are entering the Monkey house, don't call the police officers monkeys.

Despite all the attention from the tech world, beacons are yet to go mainstream because businesses have quite a few security concerns around beacons. Especially with a team having managed to crack the CES 2014 Scavenger Hunt, a beacon powered app without even being present at the venue physically. Therefore, when it comes to developing apps for proximity solutions, you should incorporate a security model that addresses the common risks involved such as device spoofing and man-in-the-middle interception. Another important thing to note is that, the compensation security mechanism you employ should suit the concerned application. We have compiled a checklist on vafrious ways to assess beacon security here; http://blog.beaconstac.com/6-myths-around-beacon-security-and-privacy/