Compatibility with Apple's Find My app.

[StefanNienhuis]

Awesome project!

I was just wondering, now that Apple has released the 'Items' tab in the Find My app, does this project work with it or could it be made compatible?

[Bubba8291]

+1
I would like to see this too

[schmittner]

TL;DR: In principle, this could work. In practice, it won't.

There are essentially two ways that we could implement this.
Option 1: We extract the advertisement keys from the genuine Find My app and display all devices in our OpenHaystack app (this is what #37 suggests).
Option 2: We inject the advertisement keys of our OpenHaystack devices into Apple's Find My app.

Both options would require us to access the secured storage (e.g., keychain) of the Find My processes. To do this on macOS, you need to disable system integrity protection (SIP), which would leave your system vulnerable to all sorts of attacks. This is nothing that you should do on a production machine. And this is why we won't go down that road. Also, we would need to conduct more manual reverse-engineering to figure out where to inject/from where to extract the keys.

For completeness sake: Certified third-party Find My devices use a proprietary pairing process involving Apple-issued certificates to appear in Apple's Find My app.

[StefanNienhuis]

Thanks for the detailed response.

[schmittner]

I'll leave this open so others can easily find it

[mrx23dot]

Interesting, the site below says:

• the app generates ONE private key per user
• and multiple public keys, which are assigned to devices

https://news.ycombinator.com/item?id=20129942

So chances are it assigns public keys in plain text. (no point encrypting)
And the tag simply broadcasts that public key.
The mac will need to connect to the tag for assignment. The type of the tag I guess is simply identified by the BLE MAC with a random id part. (I guess it will work offline, so it wouldn't check for copycat tags)
An ad said it does this automaticaly for connected earpods.

Would be interesting to record the BLE traffic for assigning an original airtag and see the broadcast at the end. Does anyone have one?

If Apple took the shortest path everywhere then we can easily mass produce airtags.

[mrx23dot]

Also it would be easy to trigger a sound from any nearby tags since a 3rd party user can also do this (stalking mode). It would be easy to destroy the whole apple airtag brand 🗡️

[Sn0wfreezeDev]

To me the text hacker news post basically looks like the person paraphrased our paper about the Find My network.

The main difference for OpenHaystack for now is that our firmware and apps do not change the advertised public keys and it seems like AirTags send a slightly different BLE advertisement. The rest is almost identical and that's why OpenHaystack actually worked before AirTags have been released.

I plan on buying some AirTags so analyze their Bluetooth packets.

[mrx23dot]

If you have some wireless accessory (like earpods) you can already use the finding feature for those.

[mrx23dot]

Someone dumped the airtag's firmware:
https://twitter.com/ghidraninja/status/1391148503196438529

[throwaways]

There are essentially two ways that we could implement this.
Option 1: We extract the advertisement keys from the genuine Find My app and display all devices in our OpenHaystack app (this is what #37 suggests).
Option 2: We inject the advertisement keys of our OpenHaystack devices into Apple's Find My app.
Both options would require us to access the secured storage (e.g., keychain) of the Find My processes. To do this on macOS, you need to disable system integrity protection (SIP), which would leave your system vulnerable to all sorts of attacks. This is nothing that you should do on a production machine. And this is why we won't go down that road. Also, we would need to conduct more manual reverse-engineering to figure out where to inject/from where to extract the keys.

How possible is it to do this on a jailbroken iOS device? Or, on a version of macOS running in a VM?
Not exposing your main machine would make this a whole lot safer. Heck, getting an iOS device with findmy support is probably cheaper than a pack of airtags now.

[schmittner]

@throwaways this would work in principle as I mentioned. But quoting myself:

Also, we would need to conduct more manual reverse-engineering to figure out where to inject/from where to extract the keys.

[llama]

Both options would require us to access the secured storage (e.g., keychain) of the Find My processes. To do this on macOS, you need to disable system integrity protection (SIP)

I have SIP enabled. When I run, for example, security find-generic-password -l 'FindMyAccessories' -g, I'm able to see the keychain data for OpenHaystack accessories. What's different about the BeaconStore keychain item that prevents me printing it in this way (at least without SIP disabled)?

Is there really no way to extract it from the keychain without disabling SIP? Even if so, as long as this key does not change it should only be necessary to obtain once, then SIP could be reenabled.

Thanks for your awesome work!