Every iPhone listens for lost Bluetooth devices nearby. So far, only missing iPhones, iPads and Macs can be located this way, but Apple plans to open its huge “Where is?” network (“Find My”) to third-party manufacturers soon. Researchers at TU Darmstadt have now published an extensive security and data protection analysis of the Apple protocol, which they reverse-engineered for this purpose. They have also developed software that connects to the network and lets users create their own Bluetooth tags, which can then be located by other people’s iPhones (and iPads with cellular support).
The researchers have published their Mac tool on GitHub for anyone to download; it runs on macOS 11 Big Sur and later. The program, called OpenHaystack, queries Apple’s “Where is?” network for the location of the user’s own Bluetooth tags. To create such tags, there is firmware for the Nordic nRF51822 chip, which is found in the BBC micro:bit, for example. Even a Raspberry Pi can easily be used as a Bluetooth tag for “Where is?”, the security researchers write.
OpenHaystack is listed as “experimental software”. To give the tool the rights it needs to query a private Apple interface, users have to install a plug-in for Apple Mail, which “inherits” the necessary rights from the email client. Installation requires temporarily deactivating the Gatekeeper protection system.
iOS 14.5 prepares the opening of “Where is?” to third-party hardware: in future, users will be able to add objects to the app, which can then be located via the network if they are lost. If an unknown object is detected that “accompanies” the user for an extended period, the “Where is?” app is supposed to notify the user, as the latest beta of the operating system shows. This is a safeguard against unwanted tracking by third parties.
Vulnerability in macOS plugged
The location that other people’s devices transmit to Apple’s servers is protected by end-to-end encryption, so that third parties, including Apple, cannot see it; only the owner of the tag should be able to view it. Apple’s protocol design meets its data protection goals, the researchers write in their paper.
However, a vulnerability in macOS allowed locally installed malware to view the user’s whereabouts over the past week and, using the keys precalculated by macOS, to continue tracking the user’s location for a further nine weeks, unnoticed by the user. Apple fixed the vulnerability in macOS 10.15.7 Catalina following a tip from the security researchers. According to TU Darmstadt, no bug bounty has been paid out for this yet.