I followed myself, for months, through Apple’s Find My network

Stephan Janssen
Nov 22, 2022


A while ago, I read an interesting story about the Apple Find My network being reverse engineered. This had led to the creation of OpenHaystack, a tool that allows you to create your own AirTag-like device for tracking things… Or people. All you would need in order to do this, is a cheap ESP32 microcontroller board with built-in Bluetooth and a MacBook.

First, let's take a step back to explain what the Find My network is, for those who don’t know. The Find My network is a system, created by Apple, that allows you to track all your Apple devices. At first this was used to track Apple’s communication devices, like iPhones or MacBooks, so that a stolen or misplaced device could be recovered. Later it also became possible to track people, like friends and family members, if they enabled this feature. It is often used by parents to keep tabs on where their children are, or by friends and family when a loved one travels abroad. This system works through the devices sending their locations to Apple’s servers, for which they need an internet connection, of course.

When we travel, we bring much more than just our phones and laptops. So, Apple figured it would be a good idea to allow you to track other things, like backpacks, keys, suitcases and purses. These items, however, don’t have an internet connection, so Apple had to find another way. Luckily, this wasn’t a new idea: Tile had been selling devices for this purpose for years. These devices worked through Bluetooth and connected to any nearby device with the Tile app in order to share their location. The bottleneck with this product was that not many devices had the Tile app. When Apple decided to create a similar product and install the necessary app on all Apple devices, suddenly hundreds of millions of devices became available to use for tracking. And so, they released the AirTag, a small device that shares its location with the Find My network through Apple devices in its proximity. They also opened the Find My network for other manufacturers of similar devices to use.

Front and back of an AirTag

Obviously, due to its price (~$30), size and availability, this tiny tracker became an instant hit with the most nefarious participants in our society. Nearly a year after the initial release, Apple issued a statement about unwanted tracking with these devices and added some prevention measures. They created warnings, so that people with Apple devices who were carrying unknown AirTags would get notified. They created an Android app, allowing Android users to detect AirTags (which doesn't seem to work very well). They reduced the time after which an AirTag would start emitting an audible warning (which can quite easily be disabled by opening the device). So, while this isn’t watertight, Apple certainly made an effort to reduce the danger of these devices.

Now let’s continue where I left off. Because Apple created the Find My network as an open platform, any device can broadcast data through Bluetooth that can be picked up by Apple devices and submitted to the network. The creators of OpenHaystack reverse engineered the protocol and created an application that allows you to create your own tracker from an ESP32. The ESP32 is a small, cheap (~$5) microcontroller with Wi-Fi and Bluetooth connectivity that is popular in the DIY community for creating internet connected devices, like a wireless thermometer. With OpenHaystack, all you have to do is connect the device, push a button and you have a tracking device. The main disadvantage compared to an AirTag is that it’s bigger and doesn’t include a battery, but there are also some advantages that make some more nefarious use cases a lot easier.

Cue my testing, where I wanted to see whether, hypothetically, I could track myself without noticing. Since AirTags have all these safeguards built in, I figured my iPhone would at least warn me that I was being tracked.

So, I ordered myself an ESP32, downloaded and installed OpenHaystack and with a click of the button created my tracking device. Or so I thought, because due to driver issues and other shenanigans it took debugging, creating a virtual machine and running some stuff on the command line… and a couple of hours later it worked! I walked to my car, stuck a cable in the rear USB port and plugged in the device:

I drove around for a couple of days and checked the OpenHaystack app to see whether it had logged anything. This is what I saw:

Screen capture of location data in OpenHaystack

The resolution of the data wasn’t incredibly high (which can probably be fixed with improved firmware), but it clearly showed my workplace at the time and some other places I’d visited. Another interesting thing was that I hadn’t been notified of any device following me around. So, I left the device in my car a while longer, five months to be exact. And during these five months, nothing happened, except my location being transmitted to Apple’s servers the whole time.
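The warning the author never received is, at its core, a check for the same Find My advertisement reappearing around you over many hours. The block below is an added example (not code from the post or from the OpenHaystack project) that runs that check over constructed BLE capture records; the byte layout and the way the advertising MAC carries the first key bytes are taken from the published OpenHaystack firmware template and are treated here as an assumption, as the post itself does not describe them.

```python
# Added example: flag Find My "offline finding" advertisements that keep reappearing.
# Assumed advertisement layout (OpenHaystack firmware template, not from the post):
#   1E FF 4C 00 12 19 <status> <22 bytes: pubkey[6:28]> <pubkey[0] & 0xC0> <hint>
# and the advertising MAC is pubkey[0:6] with the top two bits of byte 0 forced to 0b11.
from dataclasses import dataclass
from typing import Optional

FINDMY_PREFIX = bytes.fromhex("1eff4c001219")  # length, mfr-data, Apple ID, type, length

@dataclass
class Sighting:
    minute: int      # minutes since capture start (constructed sample data)
    mac: bytes       # 6-byte advertising address as seen on air
    payload: bytes   # raw advertisement payload

def find_my_key(mac: bytes, payload: bytes) -> Optional[bytes]:
    """Return the 28-byte advertised public key if this is a Find My payload, else None."""
    if len(mac) != 6 or len(payload) != 31 or not payload.startswith(FINDMY_PREFIX):
        return None
    first = (mac[0] & 0x3F) | (payload[29] & 0xC0)  # restore the two bits the MAC overwrote
    return bytes([first]) + mac[1:6] + payload[7:29]

def persistent_trackers(sightings, window_min=60, min_windows=3):
    """Keys seen in at least `min_windows` distinct time windows: candidates for 'following me'."""
    seen = {}
    for s in sightings:
        key = find_my_key(s.mac, s.payload)
        if key is not None:
            seen.setdefault(key.hex(), set()).add(s.minute // window_min)
    return sorted(k for k, w in seen.items() if len(w) >= min_windows)

def build_advert(pubkey: bytes, status: int = 0x00):
    """Construct (mac, payload) for a key; used here only to build the sample capture."""
    mac = bytes([pubkey[0] | 0xC0]) + pubkey[1:6]
    payload = FINDMY_PREFIX + bytes([status]) + pubkey[6:28] + bytes([pubkey[0] & 0xC0, 0x00])
    return mac, payload

# Constructed sample capture: one key seen every hour for four hours (the car tracker),
# one key seen once (a passer-by), and one unrelated Eddystone-style advertisement.
SAMPLE_KEY = bytes(range(0x10, 0x10 + 28))   # constructed, not a real key
PASSERBY_KEY = bytes(range(0x80, 0x80 + 28))
SAMPLE_MAC, SAMPLE_ADV = build_advert(SAMPLE_KEY)
PASSERBY_MAC, PASSERBY_ADV = build_advert(PASSERBY_KEY)
SAMPLE_SIGHTINGS = [Sighting(m, SAMPLE_MAC, SAMPLE_ADV) for m in (2, 75, 140, 201)] + [
    Sighting(30, PASSERBY_MAC, PASSERBY_ADV),
    Sighting(31, bytes.fromhex("010203040506"), bytes.fromhex("0201060303aafe")),
]

if __name__ == "__main__":
    print("persistent Find My keys:", persistent_trackers(SAMPLE_SIGHTINGS))
```

On a real capture the sightings would come from a BLE scanner; the window and count thresholds are the knobs that trade false alarms from neighbours' tags against missing a tracker that only surfaces briefly.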

You might wonder what the implications of this are, since the device is bigger than an AirTag and doesn’t even have power. Well, there are some considerable ones:

First, there are smaller versions of the ESP32 than the one I used. They go down to about the same size as the AirTag. There are also even smaller devices to which the firmware could be adapted.

Secondly, the device can easily be hidden inside a vehicle. If I were to mount it behind the USB ports and power it straight from the 5V wires, you wouldn’t be able to see the device and it would always be powered on with the car. You could even use a voltage regulator to connect it to the 12V wiring and hide it in the dashboard.

Third, I can change the Bluetooth name and MAC address to make it look like it’s part of the vehicle it’s embedded in. This would make it really hard for anyone to distinguish its transmission from being part of the car, especially in a modern vehicle.

Finally, unlike with AirTags, Apple can’t provide law enforcement with details about whoever owns the tag. Because while AirTags are activated through an Apple device and connected to an AppleID, an ESP32 is neither.

So, to summarize, while the openness of Apple’s Find My network is a nice change, it also opens it up for abuse. Since devices that Apple doesn’t control also don’t seem to trigger any warnings, this allows nefarious people to abuse the system to create cheap, hard-to-identify tracking devices and follow anyone around, without having to pay for cell service and with only a small chance of getting caught.

I really hope Apple spends some more time to fine tune the system and finds a way to limit the possibilities for the Find My network to be abused, because right now it seems a bit too easy.
