A stealth AirTag clone that bypasses all of Apple's tracking protection features

Related tags

Database find-you
Overview

Find You

A modified version of OpenHaystack to showcase the possibility of building a stealth AirTag clone that bypasses all of Apple's tracking protection features.

More information can be found here: https://positive.security/blog/find-you

Find You Cover

Please note: The below mentioned generate_keypairs.py has been purposefully left out of this repository and as an exercise for the reader.

Changes

Tracker side

  • Added a python script (not included in this release as noted above) that pregenerates EC key pairs and generates:
    • A list of public keys in C source code format to add to the firmware
    • A list of private keys as an OpenHaystack-compatible .plist file to import in the retrieval application
  • Added support to iterate over a preloaded list of public keys with 1 beacon per key and a configurable delay

Retrieval side

  • Optimized the application to be able to handle thousands of tags
    • Combined public keys to request across different tags into a single HTTP request
    • Slightly optimized quadratic complexity when assigning decrypted reports to accessories
    • Removed keychain operations (the app will always start without any tags configured)

Instructions

  1. Run generate_keypairs.py with the number of keypairs to generate as argument (e.g. python3 generate_keypairs.py 2000)
  2. Copy the array definition in pub_keys_c.txt into Firmware/ESP32/main/openhaystack_main.c (if desired, also change the delay time between beacons)
  3. Compile firmware and flash ESP32
  4. Compile and run the macOS retrieval application and import accessory_list.plist (generated in step #1)

OpenHaystack application icon OpenHaystack

OpenHaystack is a framework for tracking personal Bluetooth devices via Apple's massive Find My network. Use it to create your own tracking tags that you can append to physical objects (keyrings, backpacks, ...) or integrate it into other Bluetooth-capable devices such as notebooks.

Screenshot of the app

Table of contents

What is OpenHaystack?

OpenHaystack is an application that allows you to create your own accessories that are tracked by Apple's Find My network. All you need is a Mac and a BBC micro:bit or any other Bluetooth-capable device. By using the app, you can track your accessories anywhere on earth without cellular coverage. Nearby iPhones will discover your accessories and upload their location to Apple's servers when they have a network connection.

History

OpenHaystack is the result of reverse-engineering and security analysis work of Apple's Find My network (or offline finding). We at the Secure Mobile Networking Lab of TU Darmstadt started analyzing offline finding after its initial announcement in June 2019. We identified how Apple devices can be found by iPhones devices, even when they are offline through this work. The whole system is a clever combination of Bluetooth advertisements, public-key cryptography, and a central database of encrypted location reports. We disclosed a specification of the closed parts of offline finding and conducted a comprehensive security and privacy analysis. We found two distinct vulnerabilities. The most severe one, which allowed a malicious application to access location data, has meanwhile been fixed by Apple (CVE-2020-9986). For more information about the security analysis, please read our paper. Since its release, we received quite a bit of press and media coverage.

Disclaimer

OpenHaystack is experimental software. The code is untested and incomplete. For example, OpenHaystack accessories using our firmware broadcast a fixed public key and, therefore, are trackable by other devices in proximity (this might change in a future release). OpenHaystack is not affiliated with or endorsed by Apple Inc.

How to use OpenHaystack?

OpenHaystack consists of two components. First, we provide a macOS application that can display the last reported location of your personal Bluetooth devices. Second, the firmware image enables Bluetooth devices to broadcast beacons that make them discoverable by iPhones.

System requirements

OpenHaystack requires macOS 11 (Big Sur).

Installation

The OpenHaystack application requires a custom plugin for Apple Mail. It is used to download location reports from Apple's servers via a private API (technical explanation: the plugin inherits Apple Mail's entitlements required to use this API). Therefore, the installation procedure is slightly different and requires you to temporarily disable Gatekeeper. Our plugin does not access any other private data such as emails (see source code).

  1. Download a precompiled binary release from our GitHub page.
    Alternative: build the application from source via Xcode.
  2. Open OpenHaystack. This will ask you to install the Mail plugin in ~/Library/Mail/Bundle.
  3. Open a terminal and run sudo spctl --master-disable, which will disable Gatekeeper and allow our Apple Mail plugin to run.
  4. Open Apple Mail. Go to Preferences โ†’ General โ†’ Manage Plug-Ins... and activate the checkbox next to OpenHaystackMail.mailbundle.
    • If the Manage Plug-Ins... button does not appear. Run this command in terminal sudo defaults write "/Library/Preferences/com.apple.mail" EnableBundles 1
  5. Allow access and restart Mail.
  6. Open a terminal and enter sudo spctl --master-enable, which will enable Gatekeeper again.

Usage

Adding a new accessory. To create a new accessory, you just need to enter a name for it and optionally select a suitable icon and a color. The app then generates a new key pair that is used to encrypt and decrypt the location reports. The private key is stored in your Mac's keychain.

Deploy to device. Connect a supported device via USB to your Mac and hit the Deploy button next to the accessory's name and choose the corresponding. Instead of using OpenHaystack's integrated deployment, you may also copy the public key used for advertising (right click on accessory) and deploy it manually.

Display devices' locations. It can take up to 30 minutes until you will see the first location report on the map on the right side. The map will always show all your items' most recent locations. You can click on every item to check when the last update was received. By clicking the reload button, you can update the location reports.

How does Apple's Find My network work?

We briefly explain Apple's offline finding system (aka Find My network). Please refer to our PETS paper and Apple's accessory specification for more details. We provide a schematic overview (from our paper) and explain how we integrate the different steps in OpenHaystack below.

Find My Overview

Pairing (1)

To use Apple's Find My network, we generate a public-private key pair on an elliptic curve (P-224). The private key remains on the Mac securely stored in the keychain, and the public key is deployed on the accessory, e.g., an attached micro:bit.

Losing (2)

In short, the accessories broadcast the public key as Bluetooth Low Energy (BLE) advertisements (see firmware). Nearby iPhones will not be able to distinguish our accessories from a genuine Apple device or certified accessory.

Finding (3)

When a nearby iPhone receives a BLE advertisement, the iPhone fetches its current location via GPS, encrypts it using public key from the advertisement, and uploads the encrypted report to Apple's server. All iPhones on iOS 13 or newer do this by default. OpenHaystack is not involved in this step.

Searching (4)

Apple does not know which encrypted locations belong to which Apple account or device. Therefore, every Apple user can download any location report as long as they know the corresponding public key. This is not a security issue: all reports are end-to-end encrypted and cannot be decrypted unless one knows the corresponding private key (stored in the keychain). We leverage this feature to download the reports from Apple that have been created for our OpenHaystack accessories. We use our private keys to decrypt the location reports and show the most recent one on the map.

Apple protects their database against arbitrary access by requiring an authenticated Apple user to download location reports. We use our Apple Mail plugin, which runs with elevated privileges, to access the required authentication information. The OpenHaystack app communicates with the plugin while downloading reports. This is why you need to keep Mail open while using OpenHaystack.

How to track other Bluetooth devices?

In principle, any Bluetooth device can be turned into an OpenHaystack accessory that is trackable via Apple's Find My network. Currently, we provide a convenient deployment method of our OpenHaystack firmwares for a small number of embedded devices (see table below). We also support Linux devices via our generic HCI script. Feel free to port OpenHaystack to other devices that support Bluetooth Low Energy based on the source code of our firmware and the specification in our paper. Please share your results with us!

Platform Tested on Deploy via app Comment
Nordic nRF51 BBC micro:bit v1 โœ“ Only supports nRF51822 at this time (see issue #6).
Espressif ESP32 SP32-WROOM, ESP32-WROVER โœ“ Deployment can take up to 3 minutes. Requires Python 3. Thanks @fhessel.
Linux HCI Raspberry Pi 4 w/ Raspbian Should support any Linux machine.

Setup

Authors

References

  • Alexander Heinrich, Milan Stute, Tim Kornhuber, Matthias Hollick. Who Can Find My Devices? Security and Privacy of Apple's Crowd-Sourced Bluetooth Location Tracking System. Proceedings on Privacy Enhancing Technologies (PoPETs), 2021. doi:10.2478/popets-2021-0045 ๐Ÿ“„ Paper ๐Ÿ“„ Preprint.
  • Alexander Heinrich, Milan Stute, and Matthias Hollick. DEMO: OpenHaystack: A Framework for Tracking Personal Bluetooth Devices via Appleโ€™s Massive Find My Network. 14th ACM Conference on Security and Privacy in Wireless and Mobile (WiSec โ€™21), 2021.
  • Tim Kornhuber. Analysis of Apple's Crowd-Sourced Location Tracking System. Technical University of Darmstadt, Master's thesis, 2020.
  • Apple Inc. Find My Network Accessory Specification โ€“ Developer Preview โ€“ Release R3. 2020. ๐Ÿ“„ Download.

License

OpenHaystack and Find You is licensed under the GNU Affero General Public License v3.0.

You might also like...
An open source Instapaper clone that features apps and extensions that use native UI Components for Mac and iOS.
An open source Instapaper clone that features apps and extensions that use native UI Components for Mac and iOS.

TODO: Screenshot outdated Hipstapaper - iOS and Mac Reading List App A macOS, iOS, and iPadOS app written 100% in SwiftUI. Hipstapaper is an app that

Fast Campus iOS App Development All-in-one Package Online Clone Coding
Fast Campus iOS App Development All-in-one Package Online Clone Coding

์• ํ”Œ๋ฎค์ง ํด๋ก  ์ฝ”๋”ฉ ํŒจ์ŠคํŠธ์บ ํผ์Šค iOS ์•ฑ ๊ฐœ๋ฐœ ์˜ฌ์ธ์› ํŒจํ‚ค์ง€ Online ํด๋ก ์ฝ”๋”ฉ ์‚ฌ์šฉ์š”์†Œ UICollectionReusableView , c

Xcode-developer-disk-image-all-platforms - A repo which shares all developer disk images for iOS, tvOS, watchOS
Xcode-developer-disk-image-all-platforms - A repo which shares all developer disk images for iOS, tvOS, watchOS

Disclaimer: The available resources and files from this repo are uploaded from many contributors. The files are unverified, untested, and could have n

RaceMe is a run tracking + ghosting iOS mobile application.
RaceMe is a run tracking + ghosting iOS mobile application.

RaceMe RaceMe is a run tracking + ghosting iOS mobile application. Core features: run tracking ghost runner simulation in real time compete with runne

Menubar app to remove link tracking parameters automatically
Menubar app to remove link tracking parameters automatically

TrackerZapper Website and more info TrackerZapper is a Mac app that sits in your menubar and silently removes tracking parameters from any links you c

 A library that allows you to generate and update environment maps in real-time using the camera feed and ARKit's tracking capabilities.
A library that allows you to generate and update environment maps in real-time using the camera feed and ARKit's tracking capabilities.

ARKitEnvironmentMapper Example To run the example project, clone the repo, and run pod install from the Example directory first. Installation ARKitEnv

This library uses ARKit Face Tracking in order to catch user's smile.
This library uses ARKit Face Tracking in order to catch user's smile.

SmileToUnlock Make your users smile before opening the app :) Gif with the demonstration Installation Cocoapods The most preferable way to use this li

 A library that allows you to generate and update environment maps in real-time using the camera feed and ARKit's tracking capabilities.
A library that allows you to generate and update environment maps in real-time using the camera feed and ARKit's tracking capabilities.

ARKitEnvironmentMapper Example To run the example project, clone the repo, and run pod install from the Example directory first. Installation ARKitEnv

Build your own 'AirTags' ๐Ÿท today! Framework for tracking personal Bluetooth devices via Apple's massive Find My network.
Build your own 'AirTags' ๐Ÿท today! Framework for tracking personal Bluetooth devices via Apple's massive Find My network.

OpenHaystack is a framework for tracking personal Bluetooth devices via Apple's massive Find My network.

Augmented Reality image tracking with SwiftUI, RealityKit and ARKit 4.

ARImageTracking This is an Augmented Reality Xcode project that uses Apple's newest RealityKit framework and ARKit 4 features, to dynamically track a

Restoration tracking & research app for iOS
Restoration tracking & research app for iOS

Tugz Restoration tracking & research app for iOS For Android check out Tea Time Logger Several discussions on the restoration subreddit the idea of a

An interactive body tracking installation

SharingElements An interactive body tracking installation Requirements Hardware requirements: MacOS computer (preferably (M1 chip)[https://en.wikipedi

๐ŸŒ Nearby earthquake tracking app
๐ŸŒ Nearby earthquake tracking app

Earthquake Tracker Description An application for tracking earthquakes in a radius of 2500 km from the user's location in the last month. Information

Nearby earthquake tracking app
Nearby earthquake tracking app

Earthquake Tracker Description An application for tracking earthquakes in a radius of 2500 km from the user's location in the last month. Information

Objective-C library for tracking keyboard in iOS apps.
Objective-C library for tracking keyboard in iOS apps.

NgKeyboardTracker Objective-c library for tracking keyboard in iOS apps. Adding to your project If you are using CocoaPods, add to your Podfile: pod '

Simple and Lightweight App Version Tracking for iOS written in Swift

AEAppVersion Simple and lightweight iOS App Version Tracking written in Swift I made this for personal use, but feel free to use it or contribute. For

SwiftUI iOS app for tracking daily hydration, logs to HealthKit!
SwiftUI iOS app for tracking daily hydration, logs to HealthKit!

HydrationCompanion SwiftUI iOS app for tracking daily hydration, logs to HealthKit! Screenshots: Home view: see all intake logs and progress Settings

MoneySafe - Application for tracking income and expenses and analyzing expenses. VIPER architecture, CoreData, Charts
MoneySafe - Application for tracking income and expenses and analyzing expenses. VIPER architecture, CoreData, Charts

๐Ÿ’ธ MoneySafe ๐Ÿ’ธ Application for tracking income and expenses and analyzing expen

Audio-ar-playground - Tracking Geographic Locations in AR
Audio-ar-playground - Tracking Geographic Locations in AR

Tracking Geographic Locations in AR Track specific geographic areas of interest

Comments
  • Rebase onto seemoo-lab/openhaystack

    Rebase onto seemoo-lab/openhaystack

    Could you make this repository a fork of seemoo-lab/openhaystack and do a commit with your changes on top? This would allow people to easily see the changes you did to the app and esp code.

    question 
    opened by 0xDEAD 0
Owner
Positive Security
Holistic IT security research & consulting
Positive Security
GraphQLite is a toolkit to work with GraphQL servers easily. It also provides several other features to make life easier during iOS application development.

What is this? GraphQLite is a toolkit to work with GraphQL servers easily. It also provides several other features to make life easier during iOS appl

Related Code 2.8k Jan 9, 2023
An elegant, fast, thread-safe, multipurpose key-value storage, compatible with all Apple platforms.

KeyValueStorage An elegant, fast, thread-safe, multipurpose key-value storage, compatible with all Apple platforms. Supported Platforms iOS macOS watc

null 3 Aug 21, 2022
๐ŸตFooling around with Apples private framework AvatarKit

Fooling around with Apples private framework AvatarKit, the framework used in Messages.app for recording Animoji videos. If you are looking to create your own Animoji, take a look at SBSCustomAnimoji.

Simon Stรธvring 968 Dec 25, 2022
Alejandro Piguave 24 Dec 30, 2022
Intuitive cycling tracker app for iOS built with SwiftUI using Xcode. Features live route tracking, live metrics, storage of past cycling routes and many customization settings.

GoCycling Available on the iOS App Store https://apps.apple.com/app/go-cycling/id1565861313 App Icon About Go Cycling is a cycling tracker app built e

Anthony Hopkins 64 Dec 19, 2022
An application on the iPad for people who cook. It comes with features such as smart recipes, recipe management and ingredient inventory tracking.

ChopChop ChopChop is an application on the iPad for people who cook. It comes with features such as smart recipes, recipe management and ingredient in

Seow Alex 0 Dec 23, 2021
Easy to use cryptographic framework for data protection: secure messaging with forward secrecy and secure data storage. Has unified APIs across 14 platforms.

Themis provides strong, usable cryptography for busy people General purpose cryptographic library for storage and messaging for iOS (Swift, Obj-C), An

Cossack Labs 1.6k Dec 30, 2022
๐Ÿ”ฅ ๐Ÿ”ฅ ๐Ÿ”ฅSupport for ORM operation,Customize the PQL syntax for quick queries,Support dynamic query,Secure thread protection mechanism,Support native operation,Support for XML configuration operations,Support compression, backup, porting MySQL, SQL Server operation,Support transaction operations.

?? ?? ??Support for ORM operation,Customize the PQL syntax for quick queries,Support dynamic query,Secure thread protection mechanism,Support native operation,Support for XML configuration operations,Support compression, backup, porting MySQL, SQL Server operation,Support transaction operations.

null 60 Dec 12, 2022
macOS menu bar app that displays the current status of SIP (System Integrity Protection)

MenuBarSIPDetector This is a DEMO app for my Swift library TINURecovery and it is a macOS menu bar app that displays the current status of SIP (System

null 19 Dec 18, 2022
Easy to use cryptographic framework for data protection: secure messaging with forward secrecy and secure data storage. Has unified APIs across 14 platforms.

Themis provides strong, usable cryptography for busy people General purpose cryptographic library for storage and messaging for iOS (Swift, Obj-C), An

Cossack Labs 1.6k Dec 30, 2022