Find My: DIY Airtag Tracker

You've probably heard of Apple's Find My network, the protocol behind offline device finding. Now implemented in over a billion devices, Find My enabled Apple to introduce the AirTag, a small electronic location tracker with worldwide coverage that needs neither GPS nor a cellular modem.

But did you know you can use the Find My network with your own tracker? And even transmit arbitrary data over the network? Or use a special "stealth" mode to track your stuff without alerting potential thieves?

This article will explain how the protocol works and explore how this ubiquitous network can be leveraged - and even extended - with self-built AirTag clones.

How does Find My work?

When AirTags are not near their paired device, they constantly emit Bluetooth Low Energy beacon messages. Nearby Apple devices that receive these beacons recognize them as Find My broadcasts and upload their own location to Apple. Each location report is associated with the received broadcast and encrypted in such a way that only the owner of the AirTag can decipher the location; not even Apple can.

In more detail, the AirTag pairing and search process works like this:

1. When associating an AirTag with an Apple device, a key pair and a shared secret are generated. Both the shared secret and the public key are stored on the AirTag, but only the Apple device knows the corresponding private key.

2. Every 2 seconds the AirTag sends a Bluetooth Low Energy broadcast whose content is a public key. This key changes periodically and is derived from the shared secret established during pairing.

3. Nearby Apple devices recognize the Find My broadcast, retrieve their current location, encrypt the location with the broadcast public key, and then upload the encrypted location report to Apple.

4. When searching for the AirTag, the paired Apple device generates the list of public keys that the AirTag has used over the past few days and queries an Apple service using the hashes of those keys. The Apple backend returns the encrypted location reports stored under the requested public key hashes.

5. The owner's device decrypts location reports and displays an approximate location.


Fortunately for hackers and manufacturers, this design does not differentiate broadcasts of legitimate Apple (or licensed third-party) devices from those of homemade clones. Also, Apple's location retrieval backend does not (and cannot) verify if the user actually owns the AirTag they are requesting location reports for...
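The five steps above, and the point that the backend only sees key hashes and ciphertext, as an added model written for this article (not code from the original post and not Apple's actual parameters): the group, the HMAC-based key-rotation chain and the one-time-pad encryption are constructed stand-ins for the real elliptic-curve scheme, chosen so the example runs with the Python standard library only.

```python
import hashlib, hmac, os, secrets

# Toy multiplicative DH group standing in for Apple's elliptic curve (constructed
# for this model, not the real parameters). 2**127 - 1 is prime; N is the order of Z_P^*.
P, G, N = 2**127 - 1, 3, 2**127 - 2

def kdf(secret, label):
    return hmac.new(secret, label, hashlib.sha256).digest()

def pair():
    """Step 1: owner generates master key pair (d0, p0) and shared secret sk0."""
    d0 = secrets.randbelow(N - 1) + 1
    return d0, pow(G, d0, P), os.urandom(32)

def diversify(sk0, i):
    """Per-period scalars (u, v) from the shared secret (modelled KDF chain)."""
    sk = sk0
    for _ in range(i):                      # period i = i "update" steps from sk0
        sk = kdf(sk, b"update")
    u = int.from_bytes(kdf(sk, b"u"), "big") % N
    v = int.from_bytes(kdf(sk, b"v"), "big") % N
    return u, v

def tag_public_key(p0, sk0, i):
    """Step 2: the tag holds only p0 and sk0, yet derives p_i = G^(d0*u + v)."""
    u, v = diversify(sk0, i)
    return pow(p0, u, P) * pow(G, v, P) % P

def owner_private_key(d0, sk0, i):
    """Owner recomputes the matching private scalar d_i = d0*u + v (mod N)."""
    u, v = diversify(sk0, i)
    return (d0 * u + v) % N

def key_id(pub):                            # what the backend indexes reports by
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()

def finder_report(pub_i, location):
    """Step 3: a finder encrypts its location using only the broadcast public key."""
    e = secrets.randbelow(N - 1) + 1
    key = hashlib.sha256(pow(pub_i, e, P).to_bytes(16, "big")).digest()
    ct = bytes(a ^ b for a, b in zip(location, key))   # toy one-time pad, <= 32 bytes
    return key_id(pub_i), (pow(G, e, P), ct)

def owner_lookup(d0, sk0, backend, days):
    """Steps 4-5: query by key hashes of recent periods, decrypt whatever comes back."""
    found = {}
    for i in range(days):
        d_i = owner_private_key(d0, sk0, i)
        for eph, ct in backend.get(key_id(pow(G, d_i, P)), []):
            key = hashlib.sha256(pow(eph, d_i, P).to_bytes(16, "big")).digest()
            found[i] = bytes(a ^ b for a, b in zip(ct, key))
    return found
```

The backend dictionary never holds a key that decrypts a report, and nothing in `owner_lookup` proves ownership: any party that knows a key hash can fetch the ciphertext stored under it.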
