Security Researchers Develop Framework for Tracking Bluetooth Devices Using Find My

Ahead of the debut of AirTags and support for locating third-party Bluetooth items through Find My in iOS 14.5, a team of security researchers from the Secure Mobile Networking Lab at the Technical University of Darmstadt in Germany has reverse engineered the Find My protocol and developed an app that's designed to let anyone create an "AirTag" based on a Bluetooth-capable device.

Called OpenHaystack, the app and the source code are available on GitHub for those who are interested in taking a look. The app allows users to create their own Bluetooth tags based on the Find My network by installing an "AirTag" firmware image on a Bluetooth dongle.

The app displays the most recent location of a created Bluetooth tag reported by any iPhone using Apple's Find My network that was implemented in iOS 13, plus it shows the location of the tag on a map.

According to the security researchers, the created tags send out Bluetooth beacons, which are picked up by nearby iPhones that interpret the sending device as lost. The current geolocation is end-to-end encrypted and then uploaded to Apple, with the OpenHaystack app then downloading the encrypted report from Apple and decrypting it locally on the Mac.
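The report flow described above can be modelled in a few lines; this is an added example, not OpenHaystack's or Apple's code. The curve (P-256), HKDF, AES-GCM, the blob layout, the lookup of reports by a hash of the advertised key, and the sample coordinates are all assumptions chosen for illustration, and it needs the Python `cryptography` package.

```python
import hashlib, os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

CURVE = ec.SECP256R1()  # stand-in curve (assumption, not stated in the article)

def pub_bytes(pub):
    # 65-byte uncompressed point: this plays the role of the beacon payload
    return pub.public_bytes(serialization.Encoding.X962,
                            serialization.PublicFormat.UncompressedPoint)

def derive_key(shared, eph_bytes):
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=eph_bytes).derive(shared)

def finder_report(beacon, location):
    """Finder side: encrypt the finder's location to the key seen in the beacon."""
    tag_pub = ec.EllipticCurvePublicKey.from_encoded_point(CURVE, beacon)
    eph = ec.generate_private_key(CURVE)          # fresh key for every report
    eph_bytes = pub_bytes(eph.public_key())
    key = derive_key(eph.exchange(ec.ECDH(), tag_pub), eph_bytes)
    nonce = os.urandom(12)
    blob = eph_bytes + nonce + AESGCM(key).encrypt(nonce, location, None)
    # Modelling assumption: the server files the report under a hash of the key
    return hashlib.sha256(beacon).hexdigest(), blob

def owner_decrypt(tag_priv, blob):
    """Owner side: only the holder of the tag's private key can open the report."""
    eph_bytes, nonce, ct = blob[:65], blob[65:77], blob[77:]
    eph_pub = ec.EllipticCurvePublicKey.from_encoded_point(CURVE, eph_bytes)
    key = derive_key(tag_priv.exchange(ec.ECDH(), eph_pub), eph_bytes)
    return AESGCM(key).decrypt(nonce, ct, None)   # raises InvalidTag on a wrong key

def demo():
    tag_priv = ec.generate_private_key(CURVE)     # never leaves the owner's machine
    beacon = pub_bytes(tag_priv.public_key())     # what the tag broadcasts
    report_id, blob = finder_report(beacon, b"49.8775,8.6546")  # constructed sample
    server = {report_id: blob}                    # all the server ever stores
    fetched = server[hashlib.sha256(beacon).hexdigest()]
    return owner_decrypt(tag_priv, fetched), fetched

if __name__ == "__main__":
    print(demo()[0])
```

The server in this model holds only an opaque blob and a hash, which is why possession of the owner's private keys is what the protection rests on.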

In the process of developing this tool, the Secure Mobile Networking Lab researchers also identified a macOS Catalina Find My vulnerability that was reported to Apple and addressed in a 10.15.7 update released back in November. The vulnerability allowed a malicious app to access iCloud decryption keys to download and decrypt location reports submitted by the Find My network.

Apple's iOS 14.5 update includes support for tracking third-party Bluetooth devices in the Find My app using a new "Items" tab, which takes advantage of the same Find My protocol used for the Mac app.

At the current time, in-app tracking is limited to Beats headphones and upcoming Belkin wireless earbuds, but in the future, many third-party Bluetooth devices may include Find My integration, making it easier to keep track of them. This system will also be used by Apple's own rumored AirTags, which have yet to be released.


Top Rated Comments

Apple_Robert
48 months ago

This is good stuff guys! Apple is on top of it
Apple is on top of it? What does that mean?
Score: 7 Votes

coolfactor
48 months ago
This strikes me as concerning.
Score: 6 Votes

Corsig
48 months ago
Yeah that won’t last long
Score: 5 Votes

Apple_Robert
48 months ago

The privacy.. security...
The article is about a couple of researchers creating an app that reverse engineers Find My. This isn't awesome stuff. This is concerning.

Edited to correct my misunderstanding.
Score: 5 Votes

cmaier
48 months ago

Awesome! Let’s hope Apple don’t try to patch this.
Why not? Security holes are bad. Anyone who wants to integrate into the Find My network can do so the official way.
Score: 5 Votes

Apple_Robert
48 months ago

Awesome! Let’s hope Apple don’t try to patch this.
I hope Apple does patch the vulnerability and render this app useless.
Score: 4 Votes