Who Tracks the Trackers? Circumventing Apple's Anti-Tracking Alerts in the Find My Network

Travis Mayberry, Ellis Fenske, Dane Brown, Jeremy Martin, Christine Fossaceca, Erik C. Rye, Sam Teplov, Lucas Foppe

US Naval Academy, MITRE, CMAND

Abstract

Apple's Find My protocol enables lost devices, such as AirTags, to relay their location via a network of over a billion active Apple devices. While this provides a convenient feature for device owners, it may also be exploited by malicious actors to track unsuspecting targets. Apple has introduced "item safety alerts" to mitigate this risk. This paper demonstrates the creation of a custom device, comparable to an AirTag in cost, size, and battery life, that can participate in the Find My network without triggering these alerts. This suggests that Apple's current protection mechanisms are insufficient. The paper proposes natural mitigations for two of the demonstrated malicious tracker techniques and notes that a third technique would necessitate substantial alterations to the Find My protocol.

Keywords

tracking, privacy, apple, ble, airtags

Introduction

In 2019, Apple introduced "Offline Finding (OF)", a feature that lets users locate lost devices even when those devices have no internet access. Previously, locating a lost device required it to connect to the internet and sync with iCloud. With OF, a device that loses internet connectivity broadcasts advertising messages over Bluetooth Low Energy (BLE) using Apple's Continuity protocol. Nearby Apple devices (bystanders) record these BLE messages together with their own current location. When a bystander device next connects to the internet, it forwards this data to Apple, and the owner can then retrieve the location at which their lost device was seen.

This functionality is similar to that offered by other tracking token manufacturers like Tile, SmartTag, and Chipolo. Apple's AirTags, released in 2021, participate in the OF protocol. Apple's Find My network, encompassing over 1 billion active iPhones, offers a significantly larger potential network for locating lost devices compared to competitors like Tile, which has around 35 million devices.

Apple has implemented "item safety alerts" to prevent the misuse of AirTags for malicious tracking. These alerts notify users if an AirTag is following them from location to location. The iOS device can then connect to the AirTag via Bluetooth to cause it to emit a sound, and newer iPhones (iPhone 11 or later) can use ultra-wideband to pinpoint the AirTag's location.

Media reports suggest that Apple's anti-tracking feature can be unreliable. Alerts are only available on iPhones, and their appearance can be delayed, sometimes by hours or days. This paper presents an experimental analysis of the item safety alert feature to determine the criteria for alert activation. The analysis indicates that alerts require an iPhone to detect the same AirTag multiple times across different locations separated by a minimum distance.

The paper demonstrates that it is possible to create a custom device, similar in cost, size, and battery life to an AirTag, that can be located via Apple's servers without triggering item safety alerts and remaining unidentified as a tracker by nearby iOS devices. Three techniques are presented for achieving this. Two of these techniques can be addressed with software fixes to the item safety alert feature, and findings have been disclosed to Apple. The third technique is considered robust and difficult to detect, even if known.

Find My Protocol

Apple's Find My protocol specifications were initially released in October 2020 but were later moved behind a portal requiring enrollment as a partnering device manufacturer. While no public specifications are available, researchers have reverse-engineered key aspects of the protocol. This paper updates a Wireshark dissector for Apple's BLE Continuity protocol, contributing to community efforts and reproducing relevant details from prior work.

The protocol involves lost messages broadcast by AirTags, location reports sent by bystander devices to Apple's servers, and the process by which owners retrieve this information.

Lost Messages

When an AirTag is paired with an iCloud account, the AirTag and the paired Apple device jointly generate a P-224 elliptic-curve (ECDH) master key pair together with a shared secret, SKS. From these, the AirTag derives the sequence of rotating temporary public keys that it broadcasts in its BLE messages when lost, and the owner's device can derive the same sequence. The master keys and SKS are stored in the iCloud keychain and are not known to Apple.

An AirTag can be in one of three states: Connected, Nearby, or Separated. It starts in the Connected state when paired. If it loses its BLE connection to the paired device, it transitions to Nearby. After 15 minutes in the Nearby state without reconnecting, it enters the Separated state and considers itself "lost." In this state it broadcasts a full BLE advertising message, referred to as a lost message. Because a legacy BLE advertisement is limited to 31 bytes, the 28-byte public key (PWj) does not fit in the payload alone: its first 6 bytes are carried in the advertising (MAC) address and the remainder in the manufacturer-specific data. Within that data, byte 2 carries the battery status and byte 26 is a "hint" byte.

Crucially, the public key in the message looks random to a bystander and does not identify the owner. It rotates every 15 minutes in the Nearby state and every 24 hours in the Separated state, which prevents long-term tracking of the AirTag through a static identifier. Since nothing in the message authenticates its sender, and bystanders relay any well-formed key, a custom device can broadcast messages in the same format and be relayed exactly like an AirTag.

Location Reports

When a bystander device receives a lost message, it reconstructs the ECDH public key from the address and payload, encrypts its own current location to that key, and uploads the ciphertext to Apple's servers indexed by a hash of the public key. An owner queries Apple's servers with the hashes of the public keys they can derive, and the servers return any reports filed under those hashes. The owner then decrypts the reports with the corresponding private keys, which are derived from SKS and stored in their iCloud keychain, inaccessible to Apple.

Item Safety Alerts

To prevent the misuse of AirTags for malicious tracking, Apple implemented anti-tracking technology in iPhones. This technology issues a warning when an iPhone receives consistent lost messages from the same AirTag over time. Experimental observations indicate that these alerts are triggered when an AirTag is co-located with a device over a period and across a minimum distance (approximately one mile). While initial alerts were less reliable, an iOS 15 beta update reduced the alert time to about 30 minutes.

Experiments were conducted to determine the precise criteria for triggering an alert. iPhones were observed to record lost messages, flagging AirTags beaconing for extended periods as "suspicious." The exact mechanisms for this flagging remain undetermined and are a subject for future work.
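The following is an added example, not code from the paper and not Apple's algorithm, that sketches the alert criteria the text reports: the same identifier seen repeatedly over a period of time and at points separated by a minimum distance. The thresholds (1.6 km for "approximately one mile", 30 minutes, two sightings) are assumptions taken from the text, and the sightings are constructed; running it shows why a fixed key trips the check while a key that changes on every sighting, as in Approach 2, never does.

```python
import math
from collections import defaultdict

# Thresholds assumed from the text; Apple's real values and logic are not public.
MIN_SEPARATION_KM = 1.6     # "approximately one mile"
MIN_DURATION_S = 30 * 60    # "about 30 minutes" after the iOS 15 beta change
MIN_SIGHTINGS = 2           # smallest reading of "multiple times"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    h = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(h))


def flag_trackers(sightings, min_sep_km=MIN_SEPARATION_KM,
                  min_duration_s=MIN_DURATION_S, min_sightings=MIN_SIGHTINGS):
    """sightings: iterable of (key_hex, timestamp_s, lat, lon), as a phone might log
    received lost messages keyed by the advertised public key.
    Returns the set of keys that were seen at least min_sightings times, over a span of
    at least min_duration_s, and at two points at least min_sep_km apart."""
    by_key = defaultdict(list)
    for key, ts, lat, lon in sightings:
        by_key[key].append((ts, lat, lon))

    flagged = set()
    for key, obs in by_key.items():
        if len(obs) < min_sightings:
            continue                       # a key seen once cannot be "following" anyone
        obs.sort()
        if obs[-1][0] - obs[0][0] < min_duration_s:
            continue                       # not co-located long enough
        spread = max(haversine_km(a[1], a[2], b[1], b[2])
                     for i, a in enumerate(obs) for b in obs[i + 1:])
        if spread >= min_sep_km:
            flagged.add(key)               # travelled with the phone
    return flagged


# Constructed sightings: a walk of 0.02 degrees of latitude (about 2.2 km) over 40 minutes.
PATH = [(0, 38.980, -76.492), (1200, 38.990, -76.492), (2400, 39.000, -76.492)]

STATIC_KEY = [("aa" * 28, ts, lat, lon) for ts, lat, lon in PATH]            # one key all the way
ROTATING_KEYS = [(f"{i:02x}" * 28, ts, lat, lon) for i, (ts, lat, lon) in enumerate(PATH, 1)]
STATIONARY = [("cc" * 28, ts, 38.980, -76.492) for ts, _, _ in PATH]           # never moves

if __name__ == "__main__":
    print("static key   :", flag_trackers(STATIC_KEY))      # flagged
    print("rotating keys:", flag_trackers(ROTATING_KEYS))   # nothing flagged
    print("stationary   :", flag_trackers(STATIONARY))      # nothing flagged
```

The rotating case is the core of Approach 2: each advertised key is observed only once, so a per-identifier rule of this shape has nothing to correlate, even though the device itself travelled the whole path.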

Defeating Alerts

Three primary methods were identified, implemented, and tested to prevent item safety alerts. These were implemented using an Espruino Puck.js, a low-cost computing platform capable of sending BLE messages, which shares the same Bluetooth System on a Chip (SoC) as an AirTag. The methods are released as open-source implementations, along with a Wireshark dissector for verifying Find My BLE lost messages.

Instead of deriving keys from iCloud account information, a random P-224 keypair is generated and advertised. The OpenHaystack client, an open-source project, is used to query Apple's Find My servers for arbitrary public keys. OpenHaystack also provides the advantage of displaying multiple location report positions over time, unlike the Find My application which shows only the most recent report.

Tests were conducted on various devices, including iPhones 7, 8, and 12, and iPad Pro (4th Gen), using iOS versions 14.5, 14.5.1, and 14.6, with consistent behavior observed.

Approach 1: Bit Flipping

As noted in the Lost Messages section, byte 2 of a lost message carries battery information, specifically in bits 5, 6, and 7. AirTags set bit 5 to 1, whereas an iPhone reporting itself as lost sets byte 2 to 0x00. iPhones are not treated as tracking devices, presumably because their cost and battery life make them impractical for covert tracking. Configuring the custom device to send lost messages in the iPhone format (bit 5 cleared) therefore produces no item safety alerts at all.

Mitigation: This vulnerability was reported to Apple. Mitigation is expected to be trivial, involving the generation of item safety alerts even if a lost iPhone or an adversary device is used for tracking.

Approach 2: Rotating Keys

An AirTag in the Separated state keeps the same key, and hence the same lost message, for 24 hours, but a custom advertising device can rotate its advertised public key as often as it likes. If the owner queries Apple's servers for every key in a fixed rotation schedule, all of the relevant location reports are still recovered. Rotating keys can still trigger alerts when the set of keys is small or the rotation interval is short, because the same key eventually reappears; a larger set of keys or longer intervals prevents alerts.

Table 1 shows the key rotation experiments. The number of keys appears to be the primary factor in preventing alerts, with a rotation cycle of 25 to 50 keys being sufficient. The Puck.js has limited memory and can store approximately 100 keys.

Mitigation: This technique relies on item safety alerts not recognizing repeated keys as tracking threats if they occur too far apart or with too many other lost devices. The algorithm could be tuned to recognize repeated keys more aggressively. The limited number of keys on the Puck.js means that with proper parameters, item safety alerts could certainly recognize the tracker.

Approach 3: Generating Keys on the Puck

To avoid ever repeating a key despite the memory limitation, keys can instead be generated on the fly on the Puck.js. This is challenging given the device's limited hardware resources; custom Espruino firmware incorporating OpenSSL's elliptic-curve functions was developed for it. Keys are derived deterministically as SHA256(seed || counter), with the counter incrementing every 15 minutes, so the owner, who knows the seed, can regenerate every key the device has used without the device storing any of them.
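The following is an added example, written for this page rather than taken from the paper, OpenHaystack, or the released tracker firmware. It carries the pieces described above through in one place: the SHA256(seed || counter) key schedule of Approach 3, the split of the 28-byte P-224 public key across the advertising address and the Find My data described in the Lost Messages section, the status-byte choice behind Approach 1, the bystander-side reconstruction of the key, and the owner-side query over a window of counters. Assumptions beyond the text: the 4-byte big-endian encoding of the counter, SHA-256 as the report index (the page only says "a hash of the public key"), the exact placement of key bytes 6..27 at data bytes 3..24 with the displaced top two key bits at byte 25 (the community reverse-engineered layout), bit 5 meaning the 0x20 bit, and a pure-Python P-224 that is not constant-time and is for illustration only.

```python
import hashlib

# NIST P-224 domain parameters (public constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001
A = P - 3
B = 0xB4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4
G = (0xB70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21,
     0xBD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def _add(p1, p2):
    """Affine point addition on P-224; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


ROTATION_SECONDS = 15 * 60  # Approach 3 advances the counter every 15 minutes


def private_key(seed: bytes, counter: int) -> int:
    """SHA256(seed || counter) as in Approach 3; 4-byte big-endian counter is an assumption."""
    digest = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") % (N - 1) + 1      # scalar in [1, N-1]


def public_key(seed: bytes, counter: int) -> bytes:
    """28-byte x-coordinate of the public point, the form carried on the air."""
    x, _ = _mul(private_key(seed, counter), G)
    return x.to_bytes(28, "big")


# Status byte (byte 2 of the Find My data). Bit numbering with LSB = 0 is an assumption.
AIRTAG_STATUS = 1 << 5   # AirTags set bit 5; battery bits 6-7 left clear here
IPHONE_STATUS = 0x00     # a lost iPhone sends 0x00; Approach 1 simply uses this value


def build_lost_message(key: bytes, status: int):
    """Return (advertising address, Find My data) for one lost message.
    key[0:6] goes in the address with its top two bits forced to 0b11 (random static
    address); the two displaced key bits are parked in data byte 25. Data layout:
    type 0x12, length 0x19, status (byte 2), key[6:28] (bytes 3..24), hint (byte 26)."""
    addr = bytes([key[0] | 0xC0]) + key[1:6]
    data = bytes([0x12, 0x19, status]) + key[6:28] + bytes([key[0] >> 6, 0x00])
    return addr, data


def parse_lost_message(addr: bytes, data: bytes):
    """Bystander side: rebuild the 28-byte key from address + data; returns (key, status)."""
    if len(data) != 27 or data[0] != 0x12 or data[1] != 0x19:
        raise ValueError("not a Find My lost message")
    first = (addr[0] & 0x3F) | (data[25] << 6)
    return bytes([first]) + addr[1:6] + data[3:25], data[2]


def report_id(key: bytes) -> bytes:
    """Index under which a report is filed; SHA-256 of the advertised key is assumed."""
    return hashlib.sha256(key).digest()


def owner_query(seed: bytes, first_counter: int, last_counter: int, server: dict):
    """Owner side: regenerate each key in the window and collect matching reports."""
    found = {}
    for c in range(first_counter, last_counter + 1):
        rid = report_id(public_key(seed, c))
        if rid in server:
            found[c] = server[rid]
    return found


if __name__ == "__main__":
    seed = b"constructed-demo-seed"        # constructed; a real device needs a random seed
    server = {}                            # stands in for Apple's report store
    for c in range(100, 104):              # four rotation periods, four distinct keys on air
        addr, data = build_lost_message(public_key(seed, c), IPHONE_STATUS)
        key, _ = parse_lost_message(addr, data)                  # what a bystander sees
        server.setdefault(report_id(key), []).append(f"encrypted report, period {c}")
    print(owner_query(seed, 98, 105, server))                     # periods 100..103 recovered
```

The owner never needs the device's key list: the seed and a clock are enough to regenerate the whole window, which is exactly what makes Approach 3 immune to the memory limit that constrains Approach 2.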

Mitigation: iOS devices could flag lost messages that are consistently observed over time even when the keys differ, but in dense areas, where many lost devices are always in range, this risks false positives. Alternatively, lost messages could carry authentication so that they cannot be forged, which would require a significant redesign of both devices and the protocol. Apple could also limit who may query for location reports, for example by restricting queries to the Find My app on devices with a Secure Enclave; this would exclude devices that lack one. Researchers have also demonstrated that master keys can be retrieved from AirTags through their debug pins, which suggests this approach may remain feasible for an adversary.

Conclusion

Apple's Find My network is a powerful tool for locating lost devices due to its extensive network of devices. Apple has implemented "item safety alerts" to prevent the malicious use of AirTags for tracking. However, this paper demonstrates that Apple's threat model for anti-tracking is incomplete, allowing third-party devices to participate in the network without authentication. A custom device, similar to an AirTag in size, cost, and battery life, has been created that can be tracked via the Find My network while running custom code.

Three strategies for avoiding item safety alerts have been presented. Two can be addressed with iOS software updates, while the third requires a substantial redesign of the Find My protocol. The tracker software and analytical tools have been released as open-source implementations.

Example Images

The following example images and location histories were generated during experiments performed by the research group and are reproduced here with consent and foreknowledge of the participants.

Figure 2: Traveling across the US. Note the increased density of reports in urban/suburban areas, where there are more bystanders.
Figure 3: The item safety alert screen.
Figure 4: Tracking in a small urban area.
Figure 5: Tracking over a longer distance.
