
Compatibility with Apple's Find My app.

Open StefanNienhuis opened this issue 4 years ago • 13 comments

Awesome project!

I was just wondering, now that Apple has released the 'Items' tab in the Find My app, does this project work with it or could it be made compatible?

StefanNienhuis avatar Apr 08 '21 15:04 StefanNienhuis

+1 I would like to see this too

Bubba8291 avatar Apr 09 '21 01:04 Bubba8291

TL;DR: In principle, this could work. In practice, it won't.

There are essentially two ways that we could implement this. Option 1: We extract the advertisement keys from the genuine Find My app and display all devices in our OpenHaystack app (this is what #37 suggests). Option 2: We inject the advertisement keys of our OpenHaystack devices into Apple's Find My app.

Both options would require us to access the secured storage (e.g., keychain) of the Find My processes. To do this on macOS, you need to disable system integrity protection (SIP), which would leave your system vulnerable to all sorts of attacks. This is nothing that you should do on a production machine. And this is why we won't go down that road. Also, we would need to conduct more manual reverse-engineering to figure out where to inject/from where to extract the keys.

For completeness sake: Certified third-party Find My devices use a proprietary pairing process involving Apple-issued certificates to appear in Apple's Find My app.

schmittner avatar Apr 09 '21 06:04 schmittner

Thanks for the detailed response.

StefanNienhuis avatar Apr 09 '21 08:04 StefanNienhuis

I'll leave this open so others can easily find it

schmittner avatar Apr 14 '21 20:04 schmittner

Interesting, the site below says:

  • the app generates ONE private key per user
  • and multiple public keys, which are assigned to devices

https://news.ycombinator.com/item?id=20129942

So chances are it assigns public keys in plain text (no point encrypting), and the tag simply broadcasts that public key. The Mac will need to connect to the tag for assignment. The type of the tag, I guess, is simply identified by the BLE MAC with a random ID part. (I guess it will work offline, so it wouldn't check for copycat tags.) An ad said it does this automatically for connected earpods.

Would be interesting to record the BLE traffic for assigning an original airtag and see the broadcast at the end. Does anyone have one?

If Apple took the shortest path everywhere then we can easily mass produce airtags.

mrx23dot avatar Apr 21 '21 19:04 mrx23dot

Also it would be easy to trigger a sound from any nearby tags since a 3rd party user can also do this (stalking mode). It would be easy to destroy the whole Apple AirTag brand :dagger:

mrx23dot avatar Apr 21 '21 19:04 mrx23dot

To me the Hacker News post basically looks like the person paraphrased our paper about the Find My network.

The main difference for OpenHaystack for now is that our firmware and apps do not change the advertised public keys, and it seems like AirTags send a slightly different BLE advertisement. The rest is almost identical, and that's why OpenHaystack actually worked before AirTags were released.

I plan on buying some AirTags to analyze their Bluetooth packets.

Sn0wfreezeDev avatar Apr 22 '21 21:04 Sn0wfreezeDev

If you have some wireless accessory (like earpods) you can already use the finding feature for those.

mrx23dot avatar May 04 '21 18:05 mrx23dot

Someone dumped the airtag's firmware: https://twitter.com/ghidraninja/status/1391148503196438529

mrx23dot avatar May 11 '21 09:05 mrx23dot

> There are essentially two ways that we could implement this. Option 1: We extract the advertisement keys from the genuine Find My app and display all devices in our OpenHaystack app (this is what #37 suggests). Option 2: We inject the advertisement keys of our OpenHaystack devices into Apple's Find My app. Both options would require us to access the secured storage (e.g., keychain) of the Find My processes. To do this on macOS, you need to disable system integrity protection (SIP), which would leave your system vulnerable to all sorts of attacks. This is nothing that you should do on a production machine. And this is why we won't go down that road. Also, we would need to conduct more manual reverse-engineering to figure out where to inject/from where to extract the keys.

How possible is it to do this on a jailbroken iOS device? Or, on a version of macOS running in a VM? Not exposing your main machine would make this a whole lot safer. Heck, getting an iOS device with Find My support is probably cheaper than a pack of AirTags now.

throwaways avatar May 11 '21 17:05 throwaways

@throwaways this would work in principle as I mentioned. But quoting myself:

> Also, we would need to conduct more manual reverse-engineering to figure out where to inject/from where to extract the keys.

schmittner avatar May 12 '21 06:05 schmittner

> Both options would require us to access the secured storage (e.g., keychain) of the Find My processes. To do this on macOS, you need to disable system integrity protection (SIP)

I have SIP enabled. When I run, for example, `security find-generic-password -l 'FindMyAccessories' -g`, I'm able to see the keychain data for OpenHaystack accessories. What's different about the BeaconStore keychain item that prevents me from printing it in this way (at least without SIP disabled)?

Is there really no way to extract it from the keychain without disabling SIP? Even if so, as long as this key does not change, it should only be necessary to obtain it once; then SIP could be re-enabled.

Thanks for your awesome work!

llama avatar Jun 03 '21 07:06 llama