The clever cryptography behind Apple’s “Find My” feature (wired.com)
357 points by nnx on June 8, 2019 | 117 comments

Short summary:

1. At setup, Find My generates a private key shared with all your Apple devices.

2. The private key generates a perpetual sequence of public keys. These change (iterate to the next) "frequently".

3. The rotating public key is shared across all (including other people's) Apple devices via Bluetooth and can even do this when it's off.

4. The shared scheme pings to Apple's central system and uploads A. hashes of the public keys in the area and B. the location.

5. When you try to find a device you send your hashed public key to Apple's server and they return the last picked up location (encrypted). (You thus need at least 2 Apple devices, one to find the other. Also, they don't say how the previously iterated public keys are remembered.)

This seems very very impressive. But I have so many questions still. The most important one being, there has to be a way to reset these tracking keys for cases like

- Resell

- Loss of a companion device that was never found and it took the private keys with it

- Got a new companion device

How do I reset the keys and how do I make sure a thief can't reset these?

If it is the same as with the Existing Find My Phone

1. Resell - you turn off 'Find My' on your phone and sign out of iCloud then wipe the device

2. Loss - Go into iCloud and mark the device as lost. Not sure what this means for finding other devices

3. New companion device - sign it into iCloud.

I'm guessing that if you log into the device with your Apple ID you can reset the private keys, otherwise not?

It feels like that can be exploited in some ways. As a first thought it reduces the privacy of the reporting 3rd party phone. I.e. I can leave a fully charged phone in my wife’s car and track her for weeks while she will have the burden to recharge her phone for network/gps power.

A regular gps tracker would need much more energy.

Edit: another scenario, leave it in an isolated hut. If I get a signal, someone is close to the hut.

Edit 2: if I piggyback on the protocol and can manipulate the key schedule (choose key A or B) then I can leak one bit of information through the third party phone. The third party phone may be allowed to communicate while my sender isn’t.

> Another scenario, leave it in an isolated hut. If I get a signal, someone is close to the hut.

You could do that already with a device, just by making an app that listens for Bluetooth or WiFi traffic. You’d also be able to grab MAC addresses of the nearby phones. Your ‘exploit’ isn’t revealing any more than you can already discover today.

Except in the case of Find My you don't need any connectivity in the hut whatsoever.

If you build your own BT or WiFi sniffer, you won't be able to piggyback on someone else's internet connectivity.

If there’s internet connectivity, and you’re sophisticated enough to be planning Find My iPhone based booby traps, firing off a text message from a contained detector shouldn’t be a challenge

Anecdotally: a friend of mine left his iPad in his wife’s car. When looking for it through Find My iPhone, he realized that she’s at her ex-boyfriend’s place. He is married happily to another wife now...

> I can leave a fully charged phone in my wife’s car and track her for weeks

You could do the same thing with a regular phone with an app that uses GPS. Just attach a powerbank if you're concerned about the power.

Places like shopping malls use just your device's hardware IDs to track your movements.

To me just the fact that these things are on when you ask for them to be off is problematic.

iOS does shuffle the MAC address in order to prevent this, doesn't it?

Yes, on top of this, applications don’t have access to a device's MAC address through CoreBluetooth, so they can’t fingerprint a device.

You can shuffle your MAC but not your GSM/3G IDs, broadcasted in the open as per spec.

I first saw this tech, I think, 9 years ago when I first encountered a "bluetooth spam" device

Yes, except if you connect to their WiFi.

You can already do this with a Tile. Leave a Tile in your wife's car and every phone with the Tile app in her vicinity will report her location to you.

> ... every phone with the Tile app ...

So effectively none. I've never even heard of Tile before this. Leveraging the whole Apple ecosystem for this sounds a lot more promising and will probably kill any competitor that depends on installing an app, even if that supports multiple platforms.

And more importantly: opt-in.

Time to make AmIAlone.com

This mechanism is very low power, and it allows making tiny devices that can be used for tracking suspects. Maybe this is actually why they made it (someone asked if they could make it).

Edit: Maybe Apple will introduce tiny key fobs that can be tracked so you can find your keys or other things.

There is already a reference to an Apple Tag in iOS 13.


I was wondering why they changed the name, I mean "Find My iPhone" could already find MacBooks and iPads but now it sounds like they're going much broader than Apple devices.

Thanks, that's it for sure.

> Edit: Maybe Apple will introduce tiny key fobs that can be tracked so you can find your keys or other things.

This is strongly rumored. It may also fall into the bucket of technology they license out, such as HomeKit.

If device A and B (both identified by their IP) both see device C (identified by hash of key) I can infer that A and B are close to each other.

That only works if the devices report WHO saw the missing device. If they both report up that the device is in the area but don’t say who is making the report then you can’t figure that out.

Apple sees the reporting device’s IP address. Obviously Apple is in an excellent position to spy on you anyway, but the claim that even Apple doesn’t know where the turned off device is doesn’t hold for the reporting devices: Apple can infer which reporting devices are in proximity. And they possibly even know who the reporting IP is because of iCloud.

I guess that's true, but mobile device IP addresses cover a pretty wide area so it's not terribly precise.

But reporting device A and B were in Bluetooth distance to lost device C. Therefore A and B were close together (like a few meters). It’s a huge improvement over A and B were in the same mobile cell.

You can then use the IPs to identify who are A and B.

If you have a subpoena to sniff data to Apple from device X then you can use that to some extent track the location of X by spreading your Tags T_1,...,T_n in interesting places. If X reports T_i you know the location of X, this could be more precise than the usual cell phone tracking because X reports its position with GPS precision.

Just attach a GPS tracker to the battery with a DC converter.

Far easier and more reliable than using a phone.

That doesn't have plausible deniability if detected, though.

How long can one plausibly leave a phone in someone's car, asking for location updates the entire time, while claiming not to remember leaving it there?

"I lost it under the seat"? And the point is it's not actively asking for location updates, which would drain battery. You just leave it with cellular off and it sends the standard Find My pulse over Bluetooth.

Sure it does if there's nothing to connect you to it.

Just the fact that the device is being extra promiscuous on multiple frequencies is annoying enough.

I wonder if you can turn off "Find My" just like "find my iphone" and it will prevent these sorts of things.

If you turn off Find My iPhone it will also disable the new Bluetooth beaconing feature.

How about the fact that Apple created an unregulated, opaque mesh network from its own devices?

No guarantees are provided that this network, under Apple's exclusive control, won't relay other types of information.

NSA seems to be pretty happy with regulated networks.

It's probably even happier with unregulated ones...

I am reminded of a section in Neal Stephenson's The Diamond Age where (some guy) takes a whole day to track the history of the young protagonist in an internet cafe - and an explanation of passing packets between passing devices as if handing parcels to random strangers as they walk down the street always stuck in my mind

This seems to be saying that Apple has a big mesh network play ready sometime soon.

Want to bet they have a good idea of coverage already and need some testing - they might not be able to see your location but they will see the location of every phone passing your public key encrypted bits back - they get to test their mesh network ? Or am I missing something?

That was my thought too, and God I hope so.

Someone needs to push mesh networking on a more consumer level, if it has to be Apple, so be it.

There is one consumer push for a mesh-networking phone that was in the news recently, Volk Fi. Their idea is to use 900MHz radios in smartphones to hop several miles to the nearest wired hub, alongside a cellular SIM, where a hub owner earns credit for data relayed through it. Some pessimism surrounds them though.

> see the location of every phone passing your public key encrypted bits back

My understanding is that (in this scheme) all location data is encrypted by keys unknown to Apple, i.e. the reporter uses the lost device’s public key to encrypt its location and transmits it together with the hash of the key.

However, Apple seems to be able to infer proximity of two reporters, as described here https://news.ycombinator.com/item?id=20135995

Edit: except if the Lost device is controlled by Apple, then they can decrypt the location of the reporting device.

While quoted in the article, Matthew Green’s writeup provides a lot of neat ideas on how it may actually work


This seems to be leading to the stealth reveal in the fall for a positioning system augmented by device-to-device positioning.

Is this scheme where the public key can somehow rotate on it's own, while still being decryptable by the unrotated private key a new thing?

I had not heard of it before.

Edit: This other comment in the thread points at an article with some guesses as to how it might work. It mentions a system called Elgamal that has a scheme somewhat like my description above: https://news.ycombinator.com/item?id=20134956

I'm sure it's an oversimplification of the description of the protocol. For example Apple could use a "base private key" that's just a seed fed to a CSPRNG to generate a series of EC private keys. The client can then rotate through this series of keys, while the "base private key" never changes.

Similar to mrb's answer, but this sounds like essentially how cryptocurrency wallets work. You can just remember the root key phrase, and that is used to generate tons of addresses (i.e. keypairs). Access to the root keyphrase allows you access to money sent to any of the addresses.

Cryptocurrency wallets use the BIP32 scheme which provides an even neater ability: from a root public key alone you can generate a series of children public keys, no private keys are involved in the calculation. (And whoever possesses the root private key can generate the corresponding series of children private keys.) The technical aspects are described in https://github.com/bitcoin/bips/blob/master/bip-0032.mediawi... But that's overkill given the simpler requirements of Find My. Each device stores the private key so they don't need something with the feature set of BIP32.

Elliptic-curve Diffie–Hellman.

Used by some cryptocurrencies (like Monero) to implement stealth addresses. Allows the sender to derive a new public key for each message sent and the receiver to derive the corresponding private key.

Sounds like a TOTP -> public key nonce of some kind to me.

Or quite possibly it's just using the current time as a nonce. I believe nonces are public info anyway and it doesn't matter if it's predictable (they're often incremental).


Re downvotes: it has absolutely nothing to do with the content of the article. That's usually sufficient.

I dunno, but you missed a question mark at the end there.

Yes? Maybe you're right. It was intended to be a desperate plea at wanting readable English from generic English comments, therefore I did not include a question mark, as it was a plea. You might be right though!

You know why the "it's" mistake is common.

Edit: Because people get used to adding 's to indicate possession. I don't always do it, but it happens.

I can guess that people use speech over text, for text, other than that I do not know how it is common when it is so jarring.

But nobody writes "he dropped he's ball" or "this is she's purse".

If the phone is broadcasting the public key couldn't some malicious actor simply send the wrong location? Also couldn't they simply put it in a faraday bag or wrap in some tin foil?

Correct, reverse engineering the Find My protocol or intercepting & modifying the location API should let any half-competent hacker send bogus encrypted locations to Apple's database. What's the point though? You are just hampering with someone's effort to locate their lost device. Maybe you could steal multiple devices and purposefully spoof the location of your enemy's house, and the police will show up at their door to recover the stolen devices. Seems too high-effort for too little gain to me.

Also, in my experience, the police will not do that for you. My wife had her phone stolen from her and we were able to pinpoint the exact location and provide it to the police, they said they would not act on this information.

Just one small anecdote, but I can't imagine many departments taking it upon themselves to do so.

> My wife had her phone stolen from her and we were able to pinpoint the exact location and provide it to the police, they said they would not act on this information.

Be sure to bring this up the next time the city asks for a tax increase for police funding.

To fund them more, so that they have the capacity to handle this type of request?

> Also couldn't they simply put it in a faraday bag or wrap in some tin foil?

If you're a thief and you want the phone to stop broadcasting, AFAIK you can just turn it off (as opposed to leaving it in sleep mode). But you'll have to deal with Activation Lock, which has been around for years and makes the phone a brick without the original owner's Apple ID. The new feature, on the other hand, is more applicable to devices that are just lost, not stolen.

They said during WWDC that the key would be broadcast even when your iPhone or Mac are completely shut down.

> couldn't they simply put it in a faraday bag or wrap in some tin foil?

Yes, but (1) that increases the difficulty of stealing such devices and (2) doesn’t help opportunistic or stupid thieves. Nobody is claiming that Find My makes Apple products unstealable.

I doubt they’d have to bother - I doubt that the police will do anything even if you provided them a location.

I’ve never known the police to do anything about stolen property. Even stolen cars don’t seem to be investigated.

Location is encrypted with key, so just faking particular location is impossible. And I guess, they'll transmit some incrementing number or timestamp to fight re-transmission attacks.

The nearby phone is the one encrypting its own location with the public key broadcasted, so in theory fake location is possible if you had control over the protocol in all nearby devices.

The hard part is going to be the key rotation.

I’d suspect they’re using something similar to Moxie’s Double Ratchet algorithm since it’s got some years of real world usage.


Or maybe they just hash the time and a pre-shared key to generate ECC keypairs, since communication is one-way.
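Added example, not part of any comment in this thread and not Apple's implementation: a sketch of the scheme as the thread guesses it, covering the summary at the top and the seed-plus-time key derivation suggested here. A shared seed yields one key pair per time period, a finder encrypts its own location to the broadcast public key, and the server indexes ciphertexts by key hash only. The toy modular Diffie-Hellman group (a stand-in for the elliptic curve), the HMAC derivation, the 15-minute period and every name below are assumptions.

```python
import hashlib
import hmac
import secrets
import struct

# Toy Diffie-Hellman group standing in for the elliptic curve (assumption):
# integers modulo the prime 2**255 - 19 with generator 2. Not vetted parameters.
P = 2**255 - 19
G = 2
ROTATION_SECONDS = 15 * 60  # assumed period; the thread only says "frequently"


def derive_keypair(seed, period):
    """Derive the (private, public) pair for one rotation period from the shared seed."""
    digest = hmac.new(seed, b"rotate" + struct.pack(">Q", period), hashlib.sha512).digest()
    priv = int.from_bytes(digest, "big") % (P - 2) + 1
    return priv, pow(G, priv, P)


def key_id(pub):
    """What the server indexes on: a hash of the broadcast public key."""
    return hashlib.sha256(pub.to_bytes(32, "big")).hexdigest()


def _stream_and_mac_key(shared, length):
    secret = shared.to_bytes(32, "big")
    stream, counter = b"", 0
    while len(stream) < length:
        stream += hashlib.sha256(b"enc" + secret + struct.pack(">I", counter)).digest()
        counter += 1
    return stream[:length], hashlib.sha256(b"mac" + secret).digest()


def seal_location(broadcast_pub, location):
    """Finder side: encrypt its own location to the key heard over Bluetooth.
    Nothing authenticates the finder; the tag only protects the blob in transit."""
    eph_priv = secrets.randbelow(P - 3) + 2
    eph_pub = pow(G, eph_priv, P)
    stream, mac_key = _stream_and_mac_key(pow(broadcast_pub, eph_priv, P), len(location))
    ciphertext = bytes(a ^ b for a, b in zip(location, stream))
    tag = hmac.new(mac_key, eph_pub.to_bytes(32, "big") + ciphertext, hashlib.sha256).digest()
    return {"eph_pub": eph_pub, "ciphertext": ciphertext, "tag": tag}


def open_location(priv, report):
    """Owner side: return the plaintext, or None if the report is not for this key."""
    ct = report["ciphertext"]
    stream, mac_key = _stream_and_mac_key(pow(report["eph_pub"], priv, P), len(ct))
    expected = hmac.new(mac_key, report["eph_pub"].to_bytes(32, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, report["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(ct, stream))


class LocationServer:
    """Holds only key hash -> sealed reports; it never sees a seed or private key."""

    def __init__(self):
        self.reports = {}

    def upload(self, kid, report):
        self.reports.setdefault(kid, []).append(report)

    def query(self, kid):
        return list(self.reports.get(kid, []))


def locate(seed, server, now, lookback_periods=4):
    """Owner's second device: re-derive recent keys from the seed, query each hash."""
    current = now // ROTATION_SECONDS
    found = []
    for period in range(current, max(current - lookback_periods, -1), -1):
        priv, pub = derive_keypair(seed, period)
        for report in server.query(key_id(pub)):
            plaintext = open_location(priv, report)
            if plaintext is not None:
                found.append((period, plaintext.decode()))
    return found


def demo():
    seed = bytes(range(32))   # constructed seed shared by the owner's devices
    t0 = 1_560_000_000        # constructed timestamp
    server = LocationServer()
    # The lost device broadcasts a different public key in two consecutive periods.
    _, pub_a = derive_keypair(seed, t0 // ROTATION_SECONDS)
    _, pub_b = derive_keypair(seed, t0 // ROTATION_SECONDS + 1)
    # Two passers-by seal their own (constructed) positions and upload by key hash.
    server.upload(key_id(pub_a), seal_location(pub_a, b"52.5200,13.4050"))
    server.upload(key_id(pub_b), seal_location(pub_b, b"52.5206,13.4061"))
    return server, locate(seed, server, t0 + ROTATION_SECONDS)


if __name__ == "__main__":
    print(demo()[1])
```

The owner never stores past public keys: it recomputes them from the seed, which is one possible answer to the open question in the summary about how earlier keys are remembered.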

Could be - but time would be something easily guessable if you knew the public key.

Still not bad though since the public keys are being stored on the devices.

How would it be guessable if you're hashing it with a random string?

Public keys are essentially trackable metadata if they're shared. The proposed hash of time + public key would be guessable if you had access to a particular public key. Apple certainly could get the public key.

They wouldn't know specifically what data was in the encrypted message, but with enough attributes (IP, time, Apple ID, etc) they could obviously gather a high-confidence amount of tracking data still.

I said "time and pre-shared key". The public key doesn't enter into it.

Sure - that's a solution - Apple's iCloud Keychain might work there also.

I don't use it and have some reservations as Apple’s iCloud services still do not provide end-to-end encryption.

I'd be interested to see what Matt Green has seen.

"also to keep Apple itself from learning device locations, even as it allows you to pinpoint yours."

There is always the risk of rogue employees, but what they're probably talking about here is that they also can't be compelled to reveal the location by someone else. They probably don't want to actually say that since it might be misconstrued as trying to skirt the law or being uncooperative with law enforcement.

Isn't the explicit goal of a feature like that to be uncooperative with law enforcement? Who else is going to (attempt to) compel them to reveal user location data?

Not just that. Say they have a security breach... if there is no data, no data gets leaked.

It's not that they're trying to be uncooperative with law enforcement though -- the fact that it prevents law enforcement from getting location data is a side effect of protecting privacy from everyone (marketers, hackers, etc) rather than it being the explicit purpose of keeping it from law enforcement. Which is why they probably want to be very careful about how they word it -- because some people might see it as the purpose rather than the side effect.

They have already been halfway in a lawsuit about that, it’s great marketing.

The feature of rotating public keys to enhance privacy is already used in cryptocurrencies, especially in the underpinnings of Monero. Here's one thread discussing how to make a mechanism to generate new public keys on demand: https://crypto.stackexchange.com/questions/58022/a-method-to...

Instead of only finding the location of my stolen device, what I really would like is using this to remote wipe my device, before someone else can or will turn it on (if it has been turned off).

Because it is not like I will fly to some other country to catch the thief or new owner of my stolen device.

That's a feature of Find My, and has been for years on iOS. They're bringing it to macOS this year for devices with a T2 chip (the newer MacBooks, basically).

Are you sure about that? The impression I got from their summary is that the bluetooth locations are passive.

An aside: what would happen if you wipe macOS and install another base operating system.

You can’t. With Catalina the device is activation locked, meaning you need the original iCloud credentials to install a new OS.

To clarify: this applies to a Mac that has been locked.

That is, if the Mac is locked with Activation Lock, it wouldn't be possible to install another OS; the firmware itself will lock the user out of the computer entirely until the machine is unlocked. This dissuades thieves from stealing your MacBook as it will effectively be useless for anything other than parts, and most thieves aren't in the tiny-amounts-of-aluminium-relative-to-if-they-just-stole-cars recycling business.

I clarify because I don't want anybody thinking one is entirely unable to install another OS at all. That is possible, but of course you lose out on macOS features like Activation Lock.

I keep reading that Apple already randomises MAC addresses for privacy purposes, but then how do its devices stay logged in to 'captive' WiFi, or more problematically, paired with Bluetooth devices?

Are the addresses only randomised for broadcast / new pairs?

I only know about the WiFi: once you start the attempt to connect to the SSID it uses your real MAC. So the probing uses a random MAC address.

Is the connectivity layer considered: Is the 3rd party "proxy" handler uploading the information using an Apple ID? Does Apple record, store IP information? It seems to me that by using this system you volunteer to send data to Apple constantly which may not reveal your GPS location but will reveal your network location.

I'm happy to see someone trying to innovate in this space. I still wonder if it is okay for journalists and risk affected users to use this or if they should be advised to avoid it.

>Matthew Green, a cryptographer at Johns Hopkins University. "Even if I tracked you walking around, I wouldn’t be able to recognize you were the same person from one hour to the next."

This sounds like a great way to track shoppers in, for example, a shopping mall.

If the BLE beacon is broadcasting at a predetermined rate this may also extend tracking past the rotation of keys right?

Most likely the device is already broadcasting a MAC address. But yes, with this it would work in flight mode.

The mac addresses are randomized to prevent tracking.

It's simply amazing how Apple could make P2P mesh networking viable for production use. This is highly inspiring!

I am not sure if it's the same technology, The Weather Channel App (Android) has an option for mesh network based alerts.


Does this mean my device will be relaying datagrams even if I did not enable the "Find My" feature?

Supposing Apple can't infer the precise location of every user, they still can infer the social graph.

They aren’t using your social graph, they are using location proximity and transmitting the data inside existing packets sent to cell towers for connectivity purposes. There’s already a ton of information passing to cell towers to identify and negotiate connections with phones that could be used to infer your social graph. You’d have to correlate that with a geo location database that knows about what type of locations you visit as there would be tremendous amounts of false signals at public places like restaurants and malls.

Long story short, Apple, cell tower operators, and mobile providers already have all the data they’d need to make these graphs. If this functions as designed, it will contain much less information and wouldn’t be useful for this purpose (I.e. encrypt requests and don’t pass IP info with them to any systems that have the ability to decrypt them. If you make a few hops to the systems which have the ability to decrypt them and don’t share correlation IDs or the origin IP, there’s no way to correlate these requests back to which device sent them or what IP or cell tower it had).

This was to be expected, given that Apple has been slowly taking away the ability to physically turn off your device. Isn't anyone else concerned about the fact that a shutdown laptop will continue to broadcast, defying convention and expectations?

Opposite, I’m excited. Huge plus in a stolen/lost situation. Disable it if you don’t like it?

I'm pretty sure you can turn this feature off on your device if you want.


So you can only find your phone if it's close to another (compatible) apple appliance?

That’s not so bad considering that right now, if you don’t have a network connection (say a non-cellular iPad) you can’t find your device AT ALL unless it’s on Wi-Fi.

Sounds like you can at least find the last place it was when it was near one.

Sounds similar to P2PE.

The Wired article is not detailed enough to definitively poo-poo this scheme, but I am pretty skeptical about some of the claims, given a) how easy it is to map an IP to a coarse location, b) how easy it is to map many IPs to a small number of already-known humans/users.

That is to say: the asym crypto may strongly protect the precise (GPS or LTE triangulation) location from Apple and from others, but I do not see how a cloud-based system can ever hide coarse location from Apple and/or from governments as, given the short range of BT, they can reliably infer that a device (and hence its owner) is/was near whatever IP sends the encrypted precise location to their cloud. Then it's just a matter of mapping the device's "randomized" ID back to an actual user/phone. That seems easy enough as soon as a second device accesses it from an IP that's mappable to a specific residential address, Apple account, etc.


A and B both log into iTunes or some other Apple service using a@apple.com and b@apple.com from HOMEIP at some point in the past. HOMEIP is never used by any other Apple accounts.

A(lice) and B(ob) exchange a secret and otherwise begin participating in this "private" tracking scheme.

A goes out shopping and while there it pushes its encrypted precise location to the Apple cloud, using random ID 424242, from MALLIP. Perhaps A's device sends it directly, or perhaps it's relayed from BT to Mall wifi to Cloud by C's device if A has both LTE and wifi disabled.

A few minutes later S(omeone) requests encrypted location for random ID 424242, from HOMEIP.

Apple (and any government compelling it to share information) can reliably infer that "Someone" was A or B attempting to track either B or A, and that the tracked phone was at/near the business address of MALLIP - their coarse location - even if they can't decrypt the precise location without the secret key. If you know from public records that A and B are married, and assume that women are more likely to be at a mall on their own than men, you may further assume that A is at the Mall while B is at home.

Result: the "private"/"encrypted" precise location beaconing has an unfixable metadata side channel that will leak coarse location data to Apple and to any governments that compel it.

What you're saying is basically that this scheme will leak the IP address you're on, because that's just how the internet works.

There's... not much that can be done about that, and there's no need for the scare quotes on the words private or encrypted. Any encrypted communication still uses an IP address that can be mapped to a coarse location; this isn't an Apple related thing.

If you want to be able to find your device (it's opt-in), it needs to relay its location via the Internet. Doing so requires an IP address, which can indeed be mapped to a coarse location in some cases (my own home IP address is totally useless, it says I'm in London when I'm on the other side of the country). I'm not sure what the big deal is.

> that's just how the internet works

Well, the Internet does not strictly require all traffic between two parties to go through a MegaCo Cloud. Location privacy in this system would appear to be greatly enhanced (vs Apple-as-an-adversary) if A and B communicated directly, or through a server that they controlled, instead of through iCloud. In concise security terms, Apple man-in-the-middles the encrypted traffic in this system and thus may perform traffic analysis, deanonymization-via-inference, etc as I said above.

It's certainly true that NAT, firewalls, and a lot of other things make direct communication between two iDevices inconvenient and frequently impossible - that's fine and fair enough. But then the Company should not be making at least partially untrue privacy and anonymity claims that are essentially impossible to satisfy when by design all of the traffic flows through their cloud.

AFAICT Apple (and likely its host governments) will still need to be trusted parties in any scheme that flows through their infra, unless you care only about protecting your precise location, and are willing to expose your coarse location to them.

To be clear, they may already have that info from other services, and you'll have to trust Apple a lot anyway since they're making the phone and some custom silicon within it. And them having coarse location is certainly preferable to them having precise location data - so this system (as we are inferring it to work) is not worthless, and is still an improvement over a naive implementation.

But real internet anonymity and location privacy is hard to achieve; just ask any Tor developer. So please don't let the marketing dept openly claim that, or even imply that, when the claim can't realistically survive a two minute security audit by HN infosec nerds. To be specific the WWDC claims that "this whole interaction is ... anonymous" and "there’s no need to worry about your ... privacy" are what I am taking some issue with here.

Any mobile device will ping central servers for notifications, update information, ntp, etc etc. Apple or google or at&t will of course always have your current IP address and be able to provide it to police if served a search warrant. In what way is the “find my” service expanding that?

If the gateway used to receive these requests cannot decrypt them and they pass through other connections before decryption, why wouldn’t this be possible? At the point of decryption you’d have the connecting IP of the last hop but if the origin IP isn’t forwarded, and there’s no request correlation ID or other identifying information, the machine processing the request wouldn’t know where the original request came from.

Of course any of the intermediate machines could be tracking this data for correlation purposes but it should be possible to strip it along the way.

If the request data containing the 424242 is encrypted and only the machine without origin info has access to that identifier, how would you know the request is for 424242?

You are making a lot of assumptions; basically your story summarises as:

- A and B connect from the same home network with their Apple IDs

- B checks the location of someone (you assume it is A)

- so we have A’s coarse location

Depending on implementation details, these random IDs you mentioned need not be the same when submitting and querying (and probably are not).

Clever ... ??!!!

Still miss the larger picture. Now the genie is out, a country will have technology to monitor all things and people all the time.

The world is not just Apple. Someone will use the same idea to do evil behind this.

And even Apple has to work inside say china and follow their law. What if they ask ...

We have been here before. Internet !

The links to us all. The freedom to publish and share. Then someone turns it into a way to record and monitor everything you said. And e-wall the whole country and round up any people they do not like.

Good luck. Guess technology is neutral. It is not its fault. But beware of the gift from clever Greek. Or in that story the golden Apple.

> Now the genie is out, a country will have technology to monitor

The genie has been out for a long time. Apple is using existing technologies to achieve this

> Someone will use the same idea to do evil behind this.

Where have you been the past few years? You are already being tracked everywhere.

Apple's Find My features are what turn iPhone theft into complete iCloud vulnerabilities. This was first seen with the social engineering attacks made possible in Find My iPhone. All an attacker needs to do is spoof an SMS and phish your account credentials. It's likely this feature too will lead to clever hacks used to further damage users.

How, exactly ?

First forensics to try and crack the pass code (takes about 2 days). Next turn on the phone just long enough to take down the phone number provided. Then wait another day or so and turn on the phone again. At the same time send the recovery number an SMS linked to a fake iCloud website and grab the credentials when they log-in. I have concrete examples of the processes, tools and servers used to pull this off. Apple Support is aware this is a common occurrence - they told me so over the phone.

If you'd like to know more specifics, please feel free to contact me.
