How Apple's "Find My" Feature Works

Matthew Green intelligently speculates about how Apple’s new “Find My” feature works.

If you haven’t already been inspired by the description above, let me phrase the question you ought to be asking: how is this system going to avoid being a massive privacy nightmare?

Let me count the concerns:

  • If your device is constantly emitting a BLE signal that uniquely identifies it, the whole world is going to have (yet another) way to track you. Marketers already use WiFi and Bluetooth MAC addresses to do this: Find My could create yet another tracking channel.
  • It also exposes the phones who are doing the tracking. These people are now going to be sending their current location to Apple (which they may or may not already be doing). Now they’ll also be potentially sharing this information with strangers who “lose” their devices. That could go badly.
  • Scammers might also run active attacks in which they fake the location of your device. While this seems unlikely, people will always surprise you.

The good news is that Apple claims that their system actually does provide strong privacy, and that it accomplishes this using clever cryptography. But as is typical, they’ve declined to give out the details how they’re going to do it. Andy Greenberg talked me through an incomplete technical description that Apple provided to Wired, so that provides many hints. Unfortunately, what Apple provided still leaves huge gaps. It’s into those gaps that I’m going to fill in my best guess for what Apple is actually doing.

Tags: , , , , , ,

Posted on June 20, 2019 at 12:27 PM19 Comments

Comments

Nobody June 20, 2019 3:35 PM

Unless bluetooth can be disabled and this feature be turned off, we can safely assume apple will have all private keys and will track us all the time without anyone being able to disable it.

Bluetooth being on will drain battery.
The feature itself is designed to always send data, hiding itself within normal traffic. Does not inspire confidence.

Apple has control over your device and any pretense they will honor any private keys on your device is laughable.

I find it hard to believe Matthew Green doesn’t consider such basic issues.

If bluetooth can be disabled then this feature will turn useless. If it turns itself on during standby it will enable tracking. Only disabled bluetooth can’t be tracked or triangulated.

Using this feature will equate to accepting tracking. Enabled bluetooth, wifi, nfc, always means you can be tracked, the equation and logistics to make use of it just becomes harder to solve.

Encryption gets broken and badly implemented all the time, it cannot solve this problem because the end user will remain unable to verify everything required for this to work properly. One exploit and you’ve lost your keys.

Alejandro June 20, 2019 4:53 PM

The secret sauce in the new “Find My” feature is that the encryption key will be stored LOCALLY on your SECOND mandatory Apple device. Actually, that works for me.

I have to think true Apple fans have at least two devices, even if one is an old beater iPhone.

Nonetheless, will that mean I can NOT turn off Blue tooth via normal settings, …or not?

Considering Bluetooth tracking is all the rage amongst our corporate masters these days, to require it to be on, in the form of BLE, Bluetooth low energy, might be considered a step backward.

However, the new feature isn’t available yet so maybe a full explanation will be available when it does.

Basically, I am going with a thumbs up on this one, until I hear different.

No One / Ex Cathedra June 20, 2019 9:35 PM

Could one of the networking experts here please tell me how to mask
the metadata of a normal, low-traffic router?

I am not sure how to do that.

David June 20, 2019 9:50 PM

@Alejandro wrote, “Considering Bluetooth tracking is all the rage amongst our corporate masters these days, to require it to be on, in the form of BLE, Bluetooth low energy, might be considered a step backward.”

BLE tracking is a redundant feature IMHO. Our cellphones must connect to a cellular network in order to meet its basic function as a cellphone. The easiest most simple and scalable way is thru mobile towers and telcos.

A stolen phone without cell network does not function like a phone. There’s no point to track it down via BLE or any other nefarious means if a thief chooses to keep the phone without utilizing its basic feature he doesnt not want it to be found.

Balfour June 20, 2019 10:42 PM

What’s to stop a thief from spoofing multiple locations to frustrate the legitimate owner into giving up the search? One could easily deploy this as a service to mask stolen phones amid a torrent of false coordinates.

Also, if this survives wiping the phone (would have to assume it does), then how does the phone “de-couple” from the other Apple devices? Or do I just get to track the location of a phone forever after ii sell it?

65535 June 20, 2019 11:34 PM

Bruce’s second bullet is explain by Matt Green

“This is bad for at least a couple of reasons. Each time Lassie detects some device broadcasting a message, she needs to transmit her current position (along with the pseudonym she sees) to Apple’s servers. This means Lassie is constantly telling Apple where she is. And moreover, even if Apple promises not to store Lassie‘s identity, the result of all these messages is a huge centralized database that shows every GPS location where some Apple device has been detected.”- Matt Green

I agree. It could turn in to a mass tracking network.

[Next]

“Note that this data, in the aggregate, can be pretty revealing. Yes, the identifiers of the devices might be pseudonyms — but that doesn’t make the information useless. For example: a record showing that some Apple device is broadcasting from my home address at certain hours of the day would probably reveal when I’m in my house.” -Matt Green

True, and its only one facet of the location game. What would happen when the cell phone and individual are bound by GDPR?

What happens if say a powerful person, say heads of state or military personnel buy this new Apple product? What about their family members buy this Apple product? Will they also be tracked?

All cell phones have IMSA IDs, MAC or several MAC[s] hardcoded in the cell phone which are necessary for cell phone billing and hand-off to cell towers while on the while traveling a significant distances. I see no real way of stopping tracking except for putting a cell phone in an RF bag or the like.

Next, to the hot-button China issue: “…people like me, who are constantly losing their stuff: if I leave my backpack [on a tour bus in China strike through] in my office, sooner or later someone else will stumble on its signal and I’ll instantly know where to find it…” – Matt Green

I note the strike through text which reads “on a tour bus in China…” and changes to an “office” to avoid the discussion of the cell phone tracking in China [PRC]… and in the USA…UK and so on. That could be good or bad.

I doubt if Matt Green were to misplace his cell phone in China and fly back to the USA that said phone would make its way back to him in the USA – without being “Cellebrited”. Or, even make it back at to the USA all. It possible but I doubt it.

[Cellebrite Mobile is an Israeli company that manufactures data extraction, transfer and analysis devices for cellular phones and mobile devices]

Matt Green also notes, “…(It’s worth mentioning that Apple didn’t invent this idea. In fact, companies like Tile have been doing this for quite a while. And yes, they should probably be worried.)…”- Matt Green

I think that is a fair statement. This type of cell phone BT tracking has been done before.

I guess the idea of having at least 2 cell phones [devices] from Apple could double Apple’s sales let alone “anonymous data sales” to other data broker corporations wand ould appeal to Apple’s investors and Apple’s corporate officers.

[Finally]

Matt Green goes on to say, “…nasty thing about this problem setting is that, with many weird edge cases, there just isn’t a perfect solution. For example, what if Timmy is evil and wants to make Lassie reveal her location to Apple? What if Old Man Smithers tries to kidnap Lassie?” -Matt Green

ht tps://blog.cryptographyengineering.com/2019/06/05/how-does-apple-privately-find-your-offline-devices/

[link fractured for saftey]

Yes, bad people are out there. And yes, there are troubling questions about this extra layer of surveillance. What can go wrong will eventually go wrong.

The dual Apple sales and geo-location tracking sounds good for big data corporations but bad for individual’s [location] privacy. A lot of things could go wrong. I would have second thoughts about buying Apple products from now on.

Rachel June 21, 2019 12:56 AM

I’m pleased Lassie gets a mention. Lassie, she is such a good dog

I resolve the issues inherent to this discussion by

  1. Not owning a product produced by a company whose ethics clearly communicate to me ‘I hate you, and I hate this world you live in, but I love your paycheck’

  2. Not misplacing nor having stolen something as useful and necessary to me as my phone

  3. Nonetheless feeling confused by why #2 is so difficult for people to comprehend? C’mon people! We’re adults! We take care of our precious possessions!

Winter June 21, 2019 2:16 AM

It is a truism that “Anonymized data is not useful, and useful data is not anonymous”. If you have enough data points, you can re-identify the person.

But let’s give Apple the benefit of the doubt (devils advocate etc.).

The point about the privacy of sensor devices can easily be remediated. Every device location send can be stripped of the sender information. When finding a lost device, there is no need to store the identity of the device that found it. If this is done well, those who help finding a device will not be implicated and no information about them is stored. To re-identify the senders, you now need to know their positions, which is then discloses nothing.

For the privacy of the devices that are to be found, Apple would need to encrypt the positions stored with a key not in their possession. That is doable (the second device in the comments above). However, it will be possible to correlate the times of positions received with changes in the device. Anyone who observes the incoming locations and which devices will be updated will be able to deduce the positions of the devices. However, this can be obfuscated in several ways, e.g., by doing the updates in batch.

I am sure there are many more modes of failure not remediated in this way.

Otter June 21, 2019 4:21 AM

Almost everybody who owns or carries a cellphone has declared by their actions that they don’t care what data is collected about them nor by whom.

Very few were telling the truth when they clicked the box beside the text “I have read and understood …”.

wiredog June 21, 2019 5:50 AM

Wait. People are worried that the device they carry which constantly provides a unique identifier to the corporate network that is tied to the owner, may be providing a unique identifier to a corporate network?

If you’re that worried about being tracked via a unique identifier over a corporate owned network then just turn the damn phone off.

Martin Seebach June 21, 2019 6:11 AM

Wouldn’t something like this work?

Timmy broadcasts a continually updated beacon value, similar to TOTP second factor password (but longer). When Timmy gets lost, Ruth tells Apple to look for Timmy’s current beacon value. Apple builds a bloom filter of all currently missing devices which is distributed to all iPhones on a regular basis. All iPhones keep a local list of beacon values it’s seen in the past short window of time paired with it’s own location at these times, and filters this list against the received bloom filter and echos any matches back to Apple. Apple then matches it against the full, real list and informs Ruth of any matches. I think this should alleviate the stated privacy concerns?

Alejandro June 21, 2019 6:49 AM

Wired has a pretty good explanation about how this will work:

https://www.wired.com/story/apple-find-my-cryptography-bluetooth/

Excerpt:

Apple explained “how its “encrypted and anonymous” system avoids leaking your location data willy nilly, even as your devices broadcast a Bluetooth signal explicitly designed to let you track your device.

The solution to that paradox, it turns out, is a trick that requires you to own at least two Apple devices. Each one emits a constantly changing key that nearby Apple devices use to encrypt and upload your geolocation data, such that only the other Apple device you own possesses the key to decrypt those locations.

Sounds like the data and unique ID will be encrypted every which way. Can it be hacked? That remains to be seen. However, for everyday use, I am thinking this will work.

BTW, I have a whole drawer full of tin hats for different occasions, so I don’t think I am entirely naive about this.

Petre Peter June 21, 2019 7:42 AM

At least I will know that Apple will not sell that data-they are clearly making money from hardware.

David Leppik June 21, 2019 11:36 AM

This replaces an existing opt-in feature where Apple devices check in with Apple from time to time to see if they are being pinged. Only if they are being pinged do they send their position. I believe it will still be opt-in.

From a security standpoint, the biggest loophole could be in indirectly tracking the helper device (Lassie). Lassie has the most low-risk part in the process, so opt-out is likely to be buried, and side-channel attacks on Lassie’s location may be less thought out.

What I find interesting is that Apple is providing a mechanism for devices without Wi-Fi or GPS to share their position, even though practically every device Apple sells supports Wi-Fi and GPS. The only devices I can think of that don’t are their lower-end watches. It’s possible that this signals that Apple plans to sell more mobile, non-GPS devices.

I use the “Find my Phone” feature all the time, usually for my kids’ devices. The biggest problem with it is that they check in with Apple only infrequently when not in use, which is exactly when this feature is needed most. This feature allows Apple to keep a database of past locations, and to use only low-power Bluetooth when devices are not in use.

Jeremy P June 22, 2019 7:21 PM

I don’t see why this require a second device to find yours and not just a iCloud account. I don’t see the issue with a device sharing its location for this bacon. Your carrier already knows where your device it all the time. Also it doesn’t need to record or send the observers ID to record what devices it sees. Also with standard encryption the device is even if the same in many pings will not be the same to an observer. A ask packet encrypted it’s the the same value each time it sends.

Pat Niemeyer July 12, 2019 10:16 AM

Apple uses rotating advertising ids in their bluetooth (iBeacon) technologies to avoid simple tracking schemes.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.