The Clever Cryptography Behind Apple's 'FIND MY' Feature

[Alex5723]

https://www.wired.com/story/apple-find-my-cryptography-bluetooth/

In upcoming versions of iOS and macOS, the new Find My feature will broadcast Bluetooth signals from Apple devices even when they’re offline, allowing nearby Apple devices to relay their location to the cloud. That should help you locate your stolen laptop even when it’s sleeping in a thief’s bag…

“Now what’s amazing is that this whole interaction is end-to-end encrypted and anonymous,” Federighi said at the WWDC keynote. “It uses just tiny bits of data that piggyback on existing network traffic so there’s no need to worry about your battery life, your data usage, or your privacy.”..

2 users thanked author for this post.

Nathan Parker, Myst

[mn–]

So. Anyone can determine whether a given storage locker, backpack, handbag, parked car, etc contains an Apple device, or whether there’s any such device nearby.

[Myst]

mn– wrote:

So. Anyone can determine whether a given storage locker, backpack, handbag, parked car, etc contains an Apple device, or whether there’s any such device nearby.

Sounds to me like it should avoid picking up just any iDevice –
More on privacy/location and the ability to remain anonymous …

https://www.wired.com/story/apple-find-my-cryptography-bluetooth/
“And it turns out that Apple’s elaborate encryption scheme is also designed not only to prevent interlopers from identifying or tracking an iDevice from its Bluetooth signal, but also to keep Apple itself from learning device locations, even as it allows you to pinpoint yours.”

Win7 SP1 Home x64, MacOS / Chromebook

1 user thanked author for this post.

Elly

[Alex5723]

mn– wrote:

So. Anyone can determine whether a given storage locker, backpack, handbag, parked car, etc contains an Apple device, or whether there’s any such device nearby.

What gave you that idea ?
The owner (as well as Apple) searching for his lost/stolen iDevice doesn’t know/get any information regarding the iDevice that’s sending the location data of his lost iDevice to iCloud. The data sent and the data received are both encrypted.

This and the new privacy log-in with AppleID are tremendous features that no one else has.

• This reply was modified 1 year, 1 month ago by Alex5723.
• This reply was modified 1 year, 1 month ago by PKCano.

2 users thanked author for this post.

Elly, Myst

[mn–]

Alex5723 wrote:

What gave you that idea ?

This:

Alex5723 wrote:

the new Find My feature will broadcast Bluetooth signals from Apple devices even when they’re offline,

So. They’re broadcasting. Even if the device isn’t individually identifiable, being a source of signals that have Apple encryption is sufficient to determine that there is a device present.

Hiding in ambient RF noise only helps as long as the receiver is a point target. Array antennas are getting common and those aren’t a single point so…

This is really the kind of thing that Apple should pay everyone else to use too, just to make it *not* automatically mean there’s an Apple device present if such a signal is detected.

[Alex5723]

mn– wrote:

They’re broadcasting. Even if the device isn’t individually identifiable, being a source of signals that have Apple encryption is sufficient to determine that there is a device present.

When I walk the streets I can detect smartphones’ BT, CarPlay/Android Auto BT, Smartwatchs’ BT, Beacons, Dogs BT Fobs, BT key Fobs, BT headphones…Apple’s devices are no different in this regard and the devices does not manifest themselves as being Apple devices.

[mn–]

Alex5723 wrote:

mn– wrote:

They’re broadcasting. Even if the device isn’t individually identifiable, being a source of signals that have Apple encryption is sufficient to determine that there is a device present.

When I walk the streets I can detect smartphones’ BT, CarPlay/Android Auto BT, Smartwatchs’ BT, Beacons, Dogs BT Fobs, BT key Fobs, BT headphones…Apple’s devices are no different in this regard and the devices does not manifest themselves as being Apple devices.

Exactly – current devices don’t, as they don’t have this feature yet. Besides it likely uses a non-default signaling mode that isn’t by default exposed by a random listener.

But given the thing from the Wired article:

your laptop will emit its rotating public key via Bluetooth. A nearby stranger’s iPhone, with no interaction from its owner, will pick up the signal, check its own location, and encrypt that location data using the public key it picked up from the laptop.

That means that there *has* to be a signal that can be identified as belonging to a device with this feature.

Do note that this also depends on the stranger’s device keeping the location encrypted. It essentially goes, “Apple device with secret hash xxxxxxxxxxx detected near my current location” … you’d need to trust the stranger’s device to keep the location sufficiently secure.

So yeah. Without that trust, privacy is dependent on there ALWAYS being a sufficient mass of such devices that the mere presence of one doesn’t stand out… and that in turn is very much of a challenge against any kind of a selective antenna, even a simple directional portable one…

Also sort of bad that they keep emitting while “offline”.

[Paul T]

mn– wrote:

Also sort of bad that they keep emitting while “offline”.

What will the airlines make of an always on device during take off / landing?

cheers, Paul

[Author]

Posts