macrumors bot
Original poster
Apr 12, 2001


Ahead of the debut of AirTags and support for locating third-party Bluetooth items through Find My in iOS 14.5, a team of security researchers from the Secure Mobile Networking Lab at the Technical University of Darmstadt in Germany has reverse engineered the Find My protocol and developed an app that's designed to let anyone create an "AirTag" based on a Bluetooth-capable device.

[Image: openhaystack-mac-app.jpg]

Called OpenHaystack, the app and the source code are available on GitHub for those who are interested in taking a look. The app allows users to create their own Bluetooth tags based on the Find My network by installing an "AirTag" firmware image on a Bluetooth dongle.

The app displays the most recent location of a created Bluetooth tag reported by any iPhone using Apple's Find My network that was implemented in iOS 13, plus it shows the location of the tag on a map.

According to the security researchers, the created tags send out Bluetooth beacons, which are picked up by nearby iPhones that interpret the sending device as lost. The current geolocation is end-to-end encrypted and then uploaded to Apple, with the OpenHaystack app then downloading the encrypted report from Apple and decrypting it locally on the Mac.

In the process of developing this tool, the Secure Mobile Networking Lab researchers also identified a macOS Catalina Find My vulnerability that was reported to Apple and addressed in a 10.15.7 update released back in November. The vulnerability allowed a malicious app to access iCloud decryption keys to download and decrypt location reports submitted by the Find My network.

Apple's iOS 14.5 update includes support for tracking third-party Bluetooth devices in the Find My app using a new "Items" tab, which takes advantage of the same Find My protocol used for the Mac app.

At the current time, in-app tracking is limited to Beats headphones and upcoming Belkin wireless earbuds, but in the future, many third-party Bluetooth devices may include Find My integration, making it easier to keep track of them. This system will also be used by Apple's own rumored AirTags, which have yet to be released.

Article Link: Security Researchers Develop Framework for Tracking Bluetooth Devices Using Find My
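The article describes the flow in one sentence: a finder iPhone end-to-end encrypts its location to the tag, uploads the ciphertext to Apple, and the owner's Mac downloads and decrypts it locally. The following is an added example to make that property concrete; it is not OpenHaystack's code and not Apple's actual scheme. It models the three parties with an ECIES-style construction on P-256, a SHA-256 key derivation and AES-GCM (all assumptions, chosen because they are in the Go standard library; the real protocol's curve, KDF and key rotation are not modelled), and the relay server is a plain in-memory map holding only opaque blobs keyed by a hash of the tag's public key. The coordinates in `main` are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math"
)

// Location is the finder's GPS fix (constructed type for this example).
type Location struct{ Lat, Lon float64 }

// Report is the opaque blob the relay server stores. It carries the finder's
// one-time public key, so only the holder of the tag's private key can open it.
type Report struct {
	EphemeralPub []byte // finder's ephemeral P-256 public key, uncompressed point
	Nonce        []byte // AES-GCM nonce
	Ciphertext   []byte // AES-GCM output, auth tag included
}

// KeyID is the handle under which the server files reports: a hash of the tag's
// advertised public key, so the owner fetches by hash and the server holds no key.
func KeyID(tagPub []byte) string {
	sum := sha256.Sum256(tagPub)
	return hex.EncodeToString(sum[:])
}

// deriveKey turns the ECDH shared secret into a 128-bit AES key. SHA-256 over
// secret||ephemeralPub stands in for a real KDF (an assumption, not Apple's scheme).
func deriveKey(shared, ephemeralPub []byte) []byte {
	h := sha256.New()
	h.Write(shared)
	h.Write(ephemeralPub)
	return h.Sum(nil)[:16]
}

// FinderEncrypt is the bystander iPhone's side. It knows only the tag's public key
// (from the BLE advertisement) and its own location; it holds no secret of the owner.
func FinderEncrypt(tagPub []byte, loc Location) (Report, error) {
	curve := ecdh.P256()
	tagKey, err := curve.NewPublicKey(tagPub)
	if err != nil { return Report{}, err }
	eph, err := curve.GenerateKey(rand.Reader)
	if err != nil { return Report{}, err }
	shared, err := eph.ECDH(tagKey)
	if err != nil { return Report{}, err }
	ephPub := eph.PublicKey().Bytes()
	block, _ := aes.NewCipher(deriveKey(shared, ephPub))
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return Report{}, err }
	plain := make([]byte, 16) // lat || lon as big-endian IEEE-754 bits
	binary.BigEndian.PutUint64(plain[:8], math.Float64bits(loc.Lat))
	binary.BigEndian.PutUint64(plain[8:], math.Float64bits(loc.Lon))
	ct := gcm.Seal(nil, nonce, plain, ephPub) // ephemeral key bound in as associated data
	return Report{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: ct}, nil
}

// OwnerDecrypt is the owner's Mac side: the downloaded report is opened with the
// tag's private key, which never left the owner's machine.
func OwnerDecrypt(tagPriv *ecdh.PrivateKey, r Report) (Location, error) {
	ephKey, err := ecdh.P256().NewPublicKey(r.EphemeralPub)
	if err != nil { return Location{}, err }
	shared, err := tagPriv.ECDH(ephKey)
	if err != nil { return Location{}, err }
	block, _ := aes.NewCipher(deriveKey(shared, r.EphemeralPub))
	gcm, _ := cipher.NewGCM(block)
	pt, err := gcm.Open(nil, r.Nonce, r.Ciphertext, r.EphemeralPub)
	if err != nil { return Location{}, err } // wrong key or tampering: GCM tag check fails
	if len(pt) != 16 { return Location{}, fmt.Errorf("unexpected plaintext length %d", len(pt)) }
	return Location{
		Lat: math.Float64frombits(binary.BigEndian.Uint64(pt[:8])),
		Lon: math.Float64frombits(binary.BigEndian.Uint64(pt[8:])),
	}, nil
}

// RoundTrip runs tag -> finder -> relay -> owner once. It returns the location the
// owner recovered and whether the same report is rejected under an unrelated key.
func RoundTrip(loc Location) (Location, bool, error) {
	curve := ecdh.P256()
	tagPriv, err := curve.GenerateKey(rand.Reader) // owner keeps this; public half goes to the tag
	if err != nil { return Location{}, false, err }
	tagPub := tagPriv.PublicKey().Bytes()

	report, err := FinderEncrypt(tagPub, loc)
	if err != nil { return Location{}, false, err }
	relay := map[string][]Report{KeyID(tagPub): {report}} // server stores only opaque blobs

	got, err := OwnerDecrypt(tagPriv, relay[KeyID(tagPub)][0])
	if err != nil { return Location{}, false, err }
	stranger, _ := curve.GenerateKey(rand.Reader)
	_, strangerErr := OwnerDecrypt(stranger, report)
	return got, strangerErr != nil, nil
}

func main() {
	got, rejected, err := RoundTrip(Location{Lat: 49.8728, Lon: 8.6512}) // constructed coordinates
	if err != nil { panic(err) }
	fmt.Printf("owner recovered %+v; unrelated key rejected: %v\n", got, rejected)
}
```

The point the example makes is the one the article's description rests on: the relay never receives anything it could decrypt, because the only material it stores is a ciphertext plus the finder's throwaway public key, and the stranger-key check shows that a report filed under the tag's hash is useless to anyone who does not hold the matching private key.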
 
Does anyone know what the deal is with the special-snowflake iCloud tokens?

Is this security hole intentional for Mail.app, and/or why is Mail.app the entry point?
[Screenshot attachment: Screenshot 2021-03-04 at 20.28.34.png]
 
The article is about a couple of researchers creating an app that makes use of a security vulnerability with Find My. There is no indication that Apple is "on top of it" in regards to this third-party GitHub app. This isn't awesome stuff. This is concerning.
No, that is not what it says.
It says that they have managed to reverse engineer the protocol enough to make their own trackable devices.
It also mentions a vulnerability, that has been fixed, and has nothing to do with the above.
 
The article is about a couple of researchers creating an app that makes use of a security vulnerability with Find My. There is no indication that Apple is "on top of it" in regards to this third-party GitHub app. This isn't awesome stuff. This is concerning.
You’re reading it wrong. The vulnerability was related to macOS, not the reverse engineering of the Find My network.

Edit: Looking at the paper, they indeed did find two vulnerabilities, one of which has been addressed. Both vulnerabilities have been reported to Apple.
 
You’re reading it wrong. The vulnerability was related to macOS, not the reverse engineering of the Find My network.

Edit: Looking at the paper, they indeed did find two vulnerabilities, one of which has been addressed. Both vulnerabilities have been reported to Apple.
Thanks to you and @realjerk for the correction. I will amend my post.
 
I hope Apple does patch the vulnerability and render this app useless.
Why not? Security holes are bad. Anyone who wants to integrate into the Find My network can do so the official way.

Why is it a vulnerability or bug? All it means is people have a way to integrate unofficial hardware into their Find My system, the same way Homebridge lets you integrate unofficial HomeKit devices into your HomeKit network. You guys are so weird for thinking it's a problem when people find ways to better utilize services like this.
 
Does anyone know what the deal is with the special-snowflake iCloud tokens?

Is this security hole intentional for Mail.app, and/or why is Mail.app the entry point?
[Screenshot attachment]
If I had to hazard a complete guess, I'd reckon it'd be because iCloud Mail is one of the few iCloud services that has to be able to run on non-Apple hardware/software? So maybe it's the easiest to obtain a token from? I'm kind of going the Cunningham's Law approach with this one lol
 
So basically I buy one of these AirTags. Pair with my iPhone. Slip it in someone else's garment or purse ... start tracking anyone?

How does this really work?
Read down the front page of MR and you'll see. Apple already has a function in iOS 14.5 that will detect unknown tags/devices and alert you and disable them, if you give permission.
 