
The clever cryptography behind Apple’s “Find My” feature - nnx
https://www.wired.com/story/apple-find-my-cryptography-bluetooth/
======
mikorym
Short summary:

1. At setup, Find My generates a private key shared to all your Apple devices.

2. The private key generates a perpetual sequence of public keys. These
change (iterate to the next) "frequently".

3. The rotating public key is shared across all (including other people's)
Apple devices via Bluetooth and can even do this when it's off.

4. The shared scheme pings to Apple's central system and uploads A. hashes of
the public keys in the area and B. the location.

5. When you try to find a device you send your hashed public key to Apple's
server and they return the last picked up location (encrypted). (You thus need
at least 2 Apple devices, one to find the other. Also, they don't say how the
previously iterated public keys are remembered.)

~~~
omk
This seems very very impressive. But I have so many questions still. The most
important one being, there has to be a way to reset these tracking keys for
cases like

- Resell

- Loss of a companion device that was never found and it took the private
keys with it

- Got a new companion device

How do I reset the keys and how do I make sure a thief can't reset these?

~~~
Angostura
If it is the same as with the existing Find My Phone

1. Resell - you turn off 'Find My' on your phone and sign out of iCloud then
wipe the device

2. Loss - Go into iCloud and mark the device as lost. Not sure what this
means for finding other devices

3. New companion device - sign it into iCloud.

------
lixtra
It feels like that can be exploited in some ways. As a first thought it
reduces the privacy of the reporting 3rd party phone. I.e. I can leave a fully
charged phone in my wife’s car and track her for weeks while she will have the
burden to recharge her phone for network/gps power.

A regular gps tracker would need much more energy.

Edit: another scenario, leave it in an isolated hut. If I get a signal,
someone is close to the hut.

Edit 2: if I piggy back the protocol and can manipulate the key schedule
(choose key A or B) then I can leak one bit of information through the third
party phone. The third party phone may be allowed to communicate while my
sender isn’t.

~~~
Geee
This mechanism is very low power, and it allows making tiny devices that can
be used for tracking suspects. Maybe this is actually why they made it
(someone asked if they could make it).

Edit: Maybe Apple will introduce tiny key fobs that can be tracked so you can
find your keys or other things.

~~~
servercobra
There is already a reference to an Apple Tag in iOS 13.

[https://www.techradar.com/news/apple-tag-spotted-in-ios-13-a...](https://www.techradar.com/news/apple-tag-spotted-in-ios-13-and-it-may-be-a-personal-item-tracker-like-tile)

~~~
bonestamp2
I was wondering why they changed the name, I mean "Find My iPhone" could
already find macbooks and ipads but now it sounds like they're going much
broader than Apple devices.

------
lifeisstillgood
I am reminded of a section in Neal Stephenson's The Diamond Age where (some
guy) takes a whole day to track the history of the young protagonist in an
internet cafe - and an explanation of passing packets between passing devices
as if handing parcels to random strangers as they walk down the street always
stuck in my mind

This seems to be saying that Apple has a big mesh network play ready sometime
soon.

Want to bet they have a good idea of coverage already and need some testing -
they might not be able to see your location but they will see the location of
every phone passing your public key encrypted bits back - they get to test
their mesh network ? Or am I missing something?

~~~
parrellel
That was my thought too, and God I hope so.

Someone needs to push mesh networking on a more consumer level, if it has to
be Apple, so be it.

~~~
edgineer
There is one consumer push for a mesh-networking phone that was in the news
recently, Volk Fi. Their idea is to use 900MHz radios in smartphones to hop
several miles to the nearest wired hub, alongside a cellular SIM, where a hub
owner earns credit for data relayed through it. Some pessimism surrounds them
though.

------
RcouF1uZ4gsC
While quoted in the article, Matthew Green’s writeup provides a lot of neat
ideas on how it may actually work

[https://blog.cryptographyengineering.com/2019/06/05/how-does...](https://blog.cryptographyengineering.com/2019/06/05/how-does-apple-privately-find-your-offline-devices/)

------
xattt
This seems to be leading to the stealth reveal in the fall for a positioning
system augmented by device-to-device positioning.

------
tyingq
Is this scheme where the public key can somehow rotate on its own, while
still being decryptable by the unrotated private key a new thing?

I had not heard of it before.

Edit: This other comment in the thread points at an article with some guesses
as to how it might work. It mentions a system called Elgamal that has a scheme
somewhat like my description above:
[https://news.ycombinator.com/item?id=20134956](https://news.ycombinator.com/item?id=20134956)

~~~
hn_throwaway_99
Similar to mrb's answer, but this sounds like essentially how cryptocurrency
wallets work. You can just remember the root key phrase, and that is used to
generate tons of addresses (i.e. keypairs). Access to the root keyphrase
allows you access to money sent to any of the addresses.

~~~
mrb
Cryptocurrency wallets use the BIP32 scheme which provides an even neater
ability: from a root public key alone you can generate a series of children
public keys, no private keys are involved in the calculation. (And whoever
possesses the root private key can generate the corresponding series of children
private keys.) The technical aspects are described in
[https://github.com/bitcoin/bips/blob/master/bip-0032.mediawi...](https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#Specification_Key_derivation)
But that's overkill given the simpler requirements of Find My. Each device
stores the private key so they don't need something with the feature set of
BIP32.

------
knolax
If the phone is broadcasting the public key couldn't some malicious actor
simply send the wrong location? Also couldn't they simply put it in a faraday
bag or wrap in some tin foil?

~~~
mrb
Correct, reverse engineering the Find My protocol or intercepting & modifying
the location API should let any half-competent hacker send bogus encrypted
locations to Apple's database. What's the point though? You are just hampering
with someone's effort to locate their lost device. Maybe you could steal
multiple devices and purposefully spoof the location of your enemy's house,
and the police will show up at their door to recover the stolen devices. Seems
too high-effort for too little gain to me.

~~~
mffnbs
Also, in my experience, the police will not do that for you. My wife had her
phone stolen from her and we were able to pinpoint the exact location and
provide it to the police, they said they would not act on this information.

Just one small anecdote, but I can't imagine many departments taking it upon
themselves to do so.

~~~
CamperBob2
_My wife had her phone stolen from her and we were able to pinpoint the exact
location and provide it to the police, they said they would not act on this
information._

Be sure to bring this up the next time the city asks for a tax increase for
police funding.

~~~
nfoz
To fund them more, so that they have the capacity to handle this type of
request?

------
convivialdingo
The hard part is going to be the key rotation.

I’d suspect they’re using something similar to Moxie’s Double Ratchet
algorithm since it’s got some years of real world usage.

[https://en.m.wikipedia.org/wiki/Double_Ratchet_Algorithm](https://en.m.wikipedia.org/wiki/Double_Ratchet_Algorithm)

~~~
StavrosK
Or maybe they just hash the time and a pre-shared key to generate ECC
keypairs, since communication is one-way.

~~~
convivialdingo
Could be - but time would be something easily guessable if you knew the public
key.

Still not bad though since the public keys are being stored on the devices.

~~~
StavrosK
How would it be guessable if you're hashing it with a random string?

~~~
convivialdingo
Public keys are essentially trackable metadata if they're shared. The proposed
hash of time + public key would be guessable _if_ you had access to a
particular public key. Apple certainly could get the public key.

They wouldn't know specifically what data was in the encrypted message, but
with enough attributes (IP, time, Apple ID, etc) they could obviously gather a
high-confidence amount of tracking data still.

~~~
StavrosK
I said "time and pre-shared key". The public key doesn't enter into it.

~~~
convivialdingo
Sure - that's a solution - Apple's iCloud Keychain might work there also.

I don't use it and have some reservations as Apple’s iCloud services still do
not provide end-to-end encryption.

I'd be interested to see what Matt Green has seen.
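
The derivation StavrosK suggests above (hash the time with a pre-shared key to get an ECC keypair), combined with the hashed-public-key lookup from the summary at the top of the thread, as an added example that is not part of the original thread and not Apple's implementation. The curve (secp256k1), the HMAC-SHA512 derivation, the XOR pad, the in-memory `server` dict and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# secp256k1 parameters (y^2 = x^3 + 7 over F_P); the curve choice is an assumption.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Add two affine points; None stands for the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def period_keypair(psk, period):
    """Derive (private scalar, public point) for one rotation period."""
    mac = hmac.new(psk, b"rotate" + period.to_bytes(8, "big"), hashlib.sha512).digest()
    d = int.from_bytes(mac, "big") % (N - 1) + 1   # scalar in [1, N-1]
    return d, ec_mul(d, G)

def lookup_id(pub):
    """Hash of the broadcast public key: the index a finder uploads under."""
    return hashlib.sha256(pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big")).hexdigest()

def _pad(point):
    return hashlib.sha256(b"pad" + point[0].to_bytes(32, "big")).digest()

def seal(pub, location):
    """Finder: ephemeral ECDH to the beacon key, XOR pad (max 32 bytes, unauthenticated)."""
    eph = secrets.randbelow(N - 1) + 1
    pad = _pad(ec_mul(eph, pub))
    return ec_mul(eph, G), bytes(m ^ p for m, p in zip(location, pad))

def unseal(d, eph_pub, ct):  # owner: same shared point from the re-derived scalar
    return bytes(c ^ p for c, p in zip(ct, _pad(ec_mul(d, eph_pub))))

def owner_find(psk, server, now, window=4):
    """Re-derive the last `window` periods, query by hash, decrypt any report found."""
    hits = []
    for period in range(now, max(now - window, -1), -1):
        d, pub = period_keypair(psk, period)
        if lookup_id(pub) in server:
            hits.append((period, unseal(d, *server[lookup_id(pub)])))
    return hits

def demo():
    psk = bytes(range(32))                   # constructed sample secret
    _, beacon = period_keypair(psk, 7)       # what the lost device broadcast in period 7
    server = {lookup_id(beacon): seal(beacon, b"51.5007,-0.1246")}  # constructed report
    return owner_find(psk, server, now=9)
```

Nothing is remembered between periods here: the owner recomputes each period's keypair from the pre-shared key, and the server only ever sees a hash and a ciphertext.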

------
ape4
"also to keep Apple itself from learning device locations, even as it allows
you to pinpoint yours."

~~~
bonestamp2
There is always the risk of rogue employees, but what they're probably talking
about here is that they also can't be compelled to reveal the location by
someone else. They probably don't want to actually say that since it might be
misconstrued as trying to skirt the law or being uncooperative with law
enforcement.

~~~
0xffff2
Isn't the explicit goal of a feature like that to be uncooperative with law
enforcement? Who else is going to (attempt to) compel them to reveal user
location data?

~~~
angott
Not just that. Say they have a security breach... if there is no data, no data
gets leaked.

------
nayuki
The feature of rotating public keys to enhance privacy is already used in
cryptocurrencies, especially in the underpinnings of Monero. Here's one thread
discussing how to make a mechanism to generate new public keys on demand:
[https://crypto.stackexchange.com/questions/58022/a-method-to...](https://crypto.stackexchange.com/questions/58022/a-method-to-receive-payments-at-obscured-addresses)

------
tomputer
Instead of only finding the location of my stolen device, what I really would
like is using this to remote wipe my device, before someone else can or will
turn it on (if it has been turned off).

Because it is not like I will fly to some other country to catch the thief or
new owner of my stolen device.

~~~
zapzupnz
That's a feature of Find My, and has been for years on iOS. They're bringing
it to macOS this year for devices with a T2 chip (the newer MacBooks,
basically).

~~~
mikorym
Are you sure about that? The impression I got from their summary is that the
bluetooth locations are passive.

An aside: what would happen if you wipe macOS and install another base
operating system.

~~~
celeritascelery
You can’t. With Catalina the device is activation locked, meaning you need the
original iCloud credentials to install a new OS.

~~~
zapzupnz
To clarify: this applies to a Mac that has been locked.

That is, if the Mac is locked with Activation Lock, it wouldn't be possible to
install another OS; the firmware itself will lock the user out of the computer
entirely until the machine is unlocked. This dissuades thieves from stealing
your MacBook as it will effectively be useless for anything other than parts,
and most thieves aren't in the tiny-amounts-of-aluminium-relative-to-if-they-
just-stole-cars recycling business.

I clarify because I don't want anybody thinking one is entirely unable to
install another OS _at all_. That is possible, but of course you lose out on
macOS features like Activation Lock.

------
OJFord
I keep reading that Apple already randomises MAC addresses for privacy
purposes, but then how do its devices stay logged in to 'captive' WiFi, or
more problematically, paired with Bluetooth devices?

Are the addresses only randomised for broadcast / new pairs?

~~~
nerdbaggy
I only know about the WiFi, once you start the attempt to connect to the SSID
it uses your real mac. So the probing uses random MAC address

------
cyphunk
Is the connectivity layer considered: Is the 3rd party "proxy" handler
uploading the information using an Apple ID? Does Apple record, store IP
information? It seems to me that by using this system you volunteer to send
data to Apple constantly which may not reveal your GPS location but will
reveal your network location.

I'm happy to see someone trying to innovate in this space. I still wonder if
it is okay for journalists and risk affected users to use this or if they
should be advised to avoid it.

------
taxidump
>Matthew Green, a cryptographer at Johns Hopkins University. "Even if I
tracked you walking around, I wouldn’t be able to recognize you were the same
person from one hour to the next."

This sounds like a great way to track shoppers in, for example, a shopping
mall.

If the BLE beacon is broadcasting at a predetermined rate this may also extend
tracking past the rotation of keys right?

~~~
lixtra
Most likely the device is already broadcasting a MAC address. But yes, with
this it would work in flight mode.

~~~
tinus_hn
The mac addresses are randomized to prevent tracking.

------
sansnomme
It's simply amazing how Apple could make P2P mesh networking viable for
production use. This is highly inspiring!

~~~
nonamechicken
I am not sure if it's the same technology, The Weather Channel App (Android)
has an option for mesh network based alerts.

[https://weather.com/apps/ibm/meshnetworkalerts](https://weather.com/apps/ibm/meshnetworkalerts)

------
slim
Does this mean my device will be relaying datagrams even if I did not enable
"Find My" feature?

Supposing Apple can't infer the precise location of every user, they still
can infer the social graph

~~~
dkoston
They aren’t using your social graph, they are using location proximity and
transmitting the data inside existing packets sent to cell towers for
connectivity purposes. There’s already a ton of information passing to cell
towers to identify and negotiate connections with phones that could be used to
infer your social graph. You’d have to correlate that with a geo location
database that knows about what type of locations you visit as there would be
tremendous amounts of false signals at public places like restaurants and
malls.

Long story short, Apple, cell tower operators, and mobile providers already
have all the data they’d need to make these graphs. If this functions as
designed, it will contain much less information and wouldn’t be useful for
this purpose (I.e. encrypt requests and don’t pass IP info with them to any
systems that have the ability to decrypt them. If you make a few hops to the
systems which have the ability to decrypt them and don’t share correlation IDs
or the origin IP, there’s no way to correlate these requests back to which
device sent them or what IP or cell tower it had).

------
callmeal
This was to be expected, given that Apple has been slowly taking away the
ability to physically turn off your device. Isn't anyone else concerned about
the fact that a shutdown laptop will continue to broadcast defying convention
and expectations?

~~~
dalyons
Opposite, I’m excited. Huge plus in a stolen/lost situation. Disable it if you
don’t like it?

------
contravariant
So you can only find your phone if it's close to another (compatible) apple
appliance?

~~~
MBCook
That’s not so bad considering that right now, if you don’t have a network
connection (say a non-cellular iPad) you can’t find your device AT ALL unless
it’s on Wi-Fi.

------
mekazu
Sounds similar to P2PE.

------
rphlx
The Wired article is not detailed enough to definitively poo-poo this scheme,
but I am pretty skeptical about some of the claims, given a) how easy it is to
map an IP to a coarse location, b) how easy it is to map many IPs to a small
number of already-known humans/users.

That is to say: the asym crypto may strongly protect the precise (GPS or LTE
triangulation) location from Apple and from others, but I do not see how a
cloud-based system can ever hide coarse location _from Apple_ and/or from
_governments_ as, given the short range of BT, they can reliably infer that a
device (and hence its owner) is/was near whatever IP sends the encrypted
precise location to their cloud. Then it's just a matter of mapping the
device's "randomized" ID back to an actual user/phone. That seems easy enough
as soon as a second device accesses it from an IP that's mappable to a
specific residential address, Apple account, etc.

e.g.

A and B both log into iTunes or some other Apple service using a@apple.com and
b@apple.com from HOMEIP at some point in the past. HOMEIP is never used by any
other Apple accounts.

A(lice) and B(ob) exchange a secret and otherwise begin participating in this
"private" tracking scheme.

A goes out shopping and while there it pushes its encrypted precise location
to the Apple cloud, using random ID 424242, from MALLIP. Perhaps A's device
sends it directly, or perhaps it's relayed from BT to Mall wifi to Cloud by
C's device if A has both LTE and wifi disabled.

A few minutes later S(omeone) requests encrypted location for random ID
424242, from HOMEIP.

Apple (and any government compelling it to share information) can reliably
infer that "Someone" was A or B attempting to track either B or A, and that
the tracked phone was at/near the business address of MALLIP - their coarse
location - even if they can't decrypt the precise location without the secret
key. If you know from public records that A and B are married, and assume that
women are more likely to be at a mall on their own than men, you may further
assume that A is at the Mall while B is at home.

Result: the "private"/"encrypted" precise location beaconing has an unfixable
metadata side channel that will leak coarse location data to Apple and to any
governments that compel it.

~~~
moreira
What you're saying is basically that this scheme will leak the IP address
you're on, because that's just how the internet works.

There's... not much that can be done about that, and there's no need for the
scare quotes on the words private or encrypted. Any encrypted communication
still uses an IP address that can be mapped to a coarse location; this isn't
an Apple related thing.

If you want to be able to find your device (it's opt-in), it needs to relay
its location via the Internet. Doing so requires an IP address, which can
indeed be mapped to a coarse location in some cases (my own home IP address is
totally useless, it says I'm in London when I'm on the other side of the
country). I'm not sure what the big deal is.

~~~
rphlx
> that's just how the internet works

Well, the Internet does not strictly require all traffic between two parties
to go through a MegaCo Cloud. Location privacy in this system would appear to
be greatly enhanced (vs Apple-as-an-adversary) if A and B communicated
directly, or through a server that they controlled, instead of through iCloud.
In concise security terms, Apple man-in-the-middles the encrypted traffic in
this system and thus may perform traffic analysis, deanonymization-via-
inference, etc as I said above.

It's certainly true that NAT, firewalls, and a lot of other things make direct
communication between two iDevices inconvenient and frequently impossible -
that's fine and fair enough. But then the Company should not be making at
least partially untrue privacy and anonymity claims that are essentially
impossible to satisfy when by design all of the traffic flows through their
cloud.

AFAICT Apple (and likely its host governments) will still need to be trusted
parties in any scheme that flows through their infra, unless you care only
about protecting your precise location, and are willing to expose your coarse
location to them.

To be clear, they may already have that info from other services, and you'll
have to trust Apple a lot anyway since they're making the phone and some
custom silicon within it. And them having coarse location is certainly
preferable to them having precise location data - so this system (as we are
inferring it to work) is not worthless, and is still an improvement over a
naive implementation.

But real internet anonymity and location privacy is hard to achieve; just ask
any tor developer. So please don't let the marketing dept openly claim that,
or even imply that, when the claim can't realistically survive a two minute
security audit by HN infosec nerds. To be specific the WWDC claims that "this
whole interaction is ... anonymous" and "there’s no need to worry about your
... privacy" are what I am taking some issue with here.

~~~
brorfred
Any mobile device will ping central servers for notifications, update
information, ntp, etc etc. Apple or google or at&t will of course always have
your current IP address and be able to provide it to police if served a search
warrant. In what way is the “find my” service expanding that?

------
ngcc_hk
Clever ... ??!!!

Still miss the larger picture. Now the genie is out, a country will have
technology to monitor all things and people all the time.

The world is not just Apple. Someone will use the sane idea to do evil behind
this.

And even Apple has to work inside say China and follow their law. What if they
ask ...

We have been here before. Internet !

The links to us all. The freedom to publish and share. Then someone turn it
into a way to record and monitor everything you said. And e-wall the whole
country and round up any people they do not like.

Good luck. Guess technology is neutral. It is not its fault. But beware of
the gift from clever Greek. Or in that story the golden Apple.

~~~
dmitriid
> Now the genie is out, a country will have technology to monitor

The genie has been out for a long time. Apple is using _existing_ technologies
to achieve this

> Someone will use the sane idea to do evil behind this.

Where have you been the past few years? You are already being tracked
everywhere.

------
jhabdas
Apple's Find My features are what turn iPhone theft into complete iCloud
vulnerabilities. This was first seen with the social engineering attacks made
possible in Find My iPhone. All an attacker needs to do is spoof an SMS and
phish your account credentials. It's likely this feature too will lead to
clever hacks used to further damage users.

~~~
snorrah
How, exactly ?

~~~
jhabdas
First forensics to try and crack the pass code (takes about 2 days). Next turn
on the phone just long enough to take down the phone number provided. Then
wait another day or so and turn on the phone again. At the same time send the
recovery number an SMS linked to a fake iCloud website and grab the
credentials when they log-in. I have concrete examples of the processes, tools
and servers used to pull this off. Apple Support is aware this is a common
occurrence - they told me so over the phone.

If you'd like to know more specifics, please feel free to contact me.

