Always-on Processor magic: How Find My works while iPhone is powered off (naehrdine.blogspot.com)
477 points by todsacerdoti on Sept 30, 2021 | 253 comments



Very interesting read. This seems to be implemented as a Bluetooth LE app running on the ultra-low power “always on processor” used for a variety of features, like “wake-up on motion.”

Much like a Tile or AirTag is implemented. No comment on what this is capable of in the future.. but for now this shows power usage / signal strength / proximity of other “actually on” devices are limitations of this feature.

What’s impressive is the mesh network effect of all these iPhones / iDevices to locate a “lost” device. I’ll be thankful if I manage to use this to retrieve a lost phone. I’ll be pretty shocked if I’m “spied on” with this style of device.


The chances of you being directly spied on are low. The chances of someone being spied on who could influence the world around you is much higher. So a journalist could be spied on right before they break a big story, potentially leading to a cover up. That’s the problem with stuff like this. Even if you have “nothing to hide” you might rely on someone who legitimately does.


Without disagreeing with anything you've said there, even if you /think/ you have nothing to hide now and happen to be correct in practice, it's a terrible assumption to think that you can count on that being true forever.

Imagine you witness a murder in a restaurant, cold blooded and it's dirty cops working for a three letter institution that did it. You want to give evidence like a law abiding, upstanding citizen with nothing to hide. Suddenly you have something to hide despite having done nothing wrong.

"Nothing to hide" means nothing to hide from all current and future humans who control some small aspect spying on you. Even just control access for 30 seconds. It's nuts. Even if you think every single last one of the current guys are honest and completely competent despite the head of them criminally lying, while under oath, in answer to a question with notice in legitimate oversight. Who is going to infiltrate that power in 10 years? Radical anti-fa is impossible? White supremacists impossible? Religious cultists? Organised crime? People flipped to work for hostile foreign nations?

"I have nothing to hide" is gradeschool silliness to be treated with contempt every time it comes up. It needs to be ridiculed as anyone suggesting it is an idiot or just totally and knowingly dishonest. There are just so many ways it is completely wrong, the only debate is which of the ways it is false and a con is more important than the other.


Fully agree. This idea that "individuals aren't spied on in America" is absurdly naive and ignorant of seemingly common knowledge of past events. Furthermore it's kind of implicitly supremacist - "only those foreigners do that sort of thing".

Police regularly bust young Chinese for marijuana possession by reading their chat messages. And we are just as human and no more special than the Chinese.

A friend of mine was taken into an unmarked van and questioned after some tweets he made while at an Occupy Wall Street protest. The motives absolutely exist in the US.


Especially with the still recent insurrection/coup attempt by a fascist leaning politician on American soil. It's actually pretty scary. Democracy is not as assured as some people seem to think and shouldn't be taken for granted.


You don't even have to get that radical with "nothing to hide".

Next time someone says that ask if they use blinds in their house/apt, if you could set up a webcam in their living room, or if you could just read some texts between them and a significant other. Or ask for their passwords, date of birth, SSN, credit card numbers, pets' names, and parents' names.

Simple things like this are why I talk to people via Signal and why I'll never get a Ring/Nest doorbell, or any other 3rd party owned internet connected camera.


People don't care when they are just a statistical datapoint, like sure they can see "now a million people are having sex", but nobody will act on that since it isn't interesting. Which is why people would be more fine with having a camera in every bedroom than having a camera in their bedroom specifically.

So arguing "what if I spy on YOU?" won't convince anyone. They see that as a completely different thing.


Signal is centralized and is an obvious target for surveillance so I would not even remotely rely on it.


The point of Signal is supposed to be that to the best of our knowledge, even if all its packets are run through FSB and NSA, and even if they captured all Signal employees at once and somehow forced them all to cooperate, your messages should still be safe until they manage to push an app update that compromises the app.

Of course this only helps as long as your device isn't backdoored but that is true for any app.

(I say this as someone who regularly defends Telegram here, because in my opinion I don't have to pick one or another.)


And most devices have backdoored CPUs too (Intel ME)

I wonder what the next Crypto AG (CIA front) will be


> I wonder what the next Crypto AG (CIA front) will be

NSA: VPN and "secure" webmail providers

CIA: They don't need fronts anymore, they have CISCO, Juniper, Netgear, etc.


many argue that silicon valley firms are de facto extension of the US government [1]. a swiss army knife (haha) in their toolkit that allows complete control over the flow of information. i mean seriously, just look at how fast the Crypto AG story was forgotten. only this Dutch article [1] and a handful of others properly dives into the profound impacts that the CIA backdoored Crypto AG devices likely had on world events in the past 50 years. [2]

so yeah if SV firms were not extensions of the US govt. (hardware firms too, not just software), they would have already been broken up years ago.

the senate hearings are just a charade used to stroke the egos of the 'visionary' SV tech bro CEOs. they also show us how tech illiterate the working class has been made. [2]

[1] https://www.youtube.com/watch?v=6pVfYmttcag, https://www.youtube.com/watch?v=q9oMYL2M_tE

[2] https://www.vpro.nl/argos/lees/onderwerpen/cryptoleaks/2020/...

[3] https://jacobinmag.com/2015/03/socialism-innovation-capitali...


I guess "Intel" is a sufficiently ironic name.


Gee, thanks for contributing to the conversation and providing a useful alternative.

The only semi-popular better option I can think of is Matrix, but getting people on Signal is already hard enough and using Matrix on a mobile device is (last I checked) far from ideal.

Security is a gradient, not an all-or-nothing. Signal is vastly better than almost every other electronic communication method.


Once it's compromised there is no gradient anymore and you never know when things are compromised because three letter agencies will anyway not tell you.


Given the risk of xyz agency, there seem to be only a couple options to me:

- side-load a peer reviewed apk so you can check the sigs and make sure all crypto is being done locally (and to make sure that the implementation is solid)

- manage your own keys like you would with traditional pgp emails. Give your public to your friend. Force them to send anything sensitive using it. Maybe change to symmetric keys from asym but rotate occasionally. But you still have to trust the app you use to do this unless you want to do it manually each time.

*These don't necessarily solve the Metadata issue


> side-load a peer reviewed apk

Signal has open sourced clients with reproducible builds (on Android) and their encryption library has been reviewed by multiple 3rd parties to great acclaim.

PGP lacks forward secrecy, meaning if a key does get compromised all of your past correspondence is now also compromised.


This solution works then, right? So given this implementation (and not a play store or ios download), one should be safe from xyz snooping?

Edit: As someone that has heard of forward secrecy but not how it relates to pgp, these were helpful reads:

https://signal.org/blog/advanced-ratcheting/

https://signal.org/blog/asynchronous-security/


So what do you use instead?


It's not about what to use, it's about having expectations of zero privacy when communicating online. Expect everything to be potentially public.


I'm curious about your concerns about a Nest/Ring doorbell. Since it would presumably face a public space, if there was a privacy concern, it would seem easier for a third party to set up their own camera for surveillance. If I was worried about being watched, I would think the best strategy would be to set up vulnerable cameras on my own network, monitor them for access, and hope that someone would try to use them instead of installing their own.


>Next time someone says that ask if they use blinds in their house/apt

I think this is the closest analogy I've heard yet, but not in windows on a suburban, tree-lined street. People walk down those streets and the windows are at eye level. Someone could accidentally see into those windows. No, I think if we consider windows in hi-rise buildings in a major city, the analogy is getting much closer. Seeing into one of those windows requires a bare minimum of intent and possibly an inexpensive tool, say binoculars or a telescope. However I would be willing to bet that a large portion of hi-rise dwellers do NOT close their blinds on the theory of "No one is looking in MY window."


Yeah. I've also heard it likened to "Who needs freedom of speech? I have nothing to say"


> "I have nothing to hide" is is gradeschool silliness to be treated with contempt every time it comes up. It needs to be ridiculed as anyone suggesting it is an idiot or just totally and knowingly dishonest.

That might be an aspirational sentiment, but given most competent adults are in the "I have nothing to hide" category, I don't think it's true at all. I don't think these people are idiots, or dishonest, just ignorant. And it's not even their fault.

Now I say most adults are in that category, but I don't have data on that. I'm going by observed behaviour. We don't see a massive push against tracking / spying and even when it's thrown in our faces (eg: Snowden, Manning) we respond with a collective shoulder shrug.


Except in that case you don't know you have to hide and 101 other things you do make you easier to track than this. And odds are you're not turning off your phone all the way every single time you change locations to start so...

I have nothing to hide is different than "I literally need to hide".


Yep "I have nothing to hide" is always completely false.

"I literally need to hide and I'm also aware of that change" might be true or might be false. You might "literally need to hide" and not know it while the so-called "nothing" you had to hide is used against you when you have done nothing morally or legally wrong.


Tangentially related to events you may not consider to be relevant now, but become so in the future is Roko's Basilisk.

Reader beware.

https://www.lesswrong.com/tag/rokos-basilisk


I'd call this a stupid idea, except Roko's suggestion is exactly what the "communists" did in my country when they came to power.


The 'Dirty Cop is Gonna Get You' is the 'gradeschool silliness' here. It's 1000x more likely that the criminals who did the murder want you killed because you're a witness. Witness intimidation is widespread and 'default' in some communities ('snitches get stitches'), and while the 'Dirty Cop' thing does happen in reality, it happens mostly on Netflix, and there's a difference between overzealous prosecutors/cops and 'dirty cops'.

Also consider that tech will exonerate as much as otherwise: for such and such murder, the 'background use' of the tech would be to provide you with an alibi.

Forensics have generally improved Justice I think, not the other way around.

In the end I think Apple's issue should be one of transparency and privacy and we need to push them towards that.


I wish I could live in a world where I can sustain the fantasy that power will not be abused whenever the abuser can get away with it.

The power is asymmetric. The NSA, CIA, FBI, Apple, Google, Police have a lot of power so they need to be very, very transparent in its use and oversight. You do not have that power, privacy is the only thing you can have to protect yourself from abuse.

The other point about not having to worry about it as an individual is equally wrong. The equivalent argument is that you aren't a doctor so you don't need to worry about a purge of all doctors if one were proposed. Whereas obviously you do need to worry if anyone you care about ever gets sick. So it goes with standing up to corruption. Even if _you_ never stand up to it, your life is greatly adversely affected the harder that is for genuine heroes who make the sacrifice to do it because it's the right thing.

"If you have nothing to hide you have been conned."


I suspect you live in a country with a low corruption index.


Just consider the possibility that any large multi-national corporation or national government these days has datacenters that contain untold computational power. A hundred thousand CPU cores to a hundred million, with petabytes of RAM and perhaps exabytes of storage. It is now not only entirely feasible but it is but a flesh wound to surveil everyone, everywhere, all the time. In fact, it's far less suspicious to just constantly suck in as much data as possible all the time, and filter, index, and store it for later. In the event of a mass casualty event, like a Boston marathon bombing, 9/11, or something like what you mentioned, there will be no activation necessary, just a few SQL queries, maybe a mapreduce.

You are nothing. You are navel lint. But all the navel lint gets sucked up into the filter, too.

Welcome to the quiet all-seeing eye. Tremble and kneel to those who will wield it! Don't deviate from social norms. Don't be different. Don't stick out. Just pretend you don't know.


Can you be more specific with where you think the risk is?

As far as I can tell, in this scenario, the journalist has powered off their phone, ignored the message about "findable when power off," and then is somehow tracked through the BT beacon and Find My network.

Were their phone to be on, all the same tracking would work.

Were they to read the message and go change the settings, this tracking would presumably not work.

That assumes you trust that the "always on processor" only does what it says it does, of course. But in that case, any proprietary device is just as bad as any other. (Many supposedly less-proprietary devices could be sneakily subverted, too, no?)


You asked what the real risk is then described several risks.


How many risks here are new in iOS 15 or exclusive to Apple products?

Specifically, I believe the real risk seems to be that you have very few ways to know if your device is doing anything when it's on or off unless the manufacturer tells you.

If you don't believe that everyone, including your government is corrupt, the only solution is through government regulation. Clearly the private companies are otherwise going to do what they will.


In some cases. In other cases the government regulation is what puts people at risk in ways that the companies have no interest in doing.


You could be spied on if governments are allowed to deploy dragnets that spy on everyone. Like how if your phone is on, your broad location is tracked whether you are a suspect or not.


I'm afraid that whether or not the governments are _allowed_ is a moot distinction, since they _do_.


Wow, very well put!


If you're not familiar with it, their platform security team releases a whitepaper about the technical details of their security. Regardless of how you feel about Apple, these documents are incredibly well done and interesting to read. The Find My section may have more information, as will their contact tracing docs (which use a riff of the same technology)

https://covid19.apple.com/contacttracing

I highly recommend anyone interested in security or privacy to read this from start to finish:

https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/app...


Unfortunately that document mentions the AOP just once, only confirming its existence. It doesn't actually describe what it does.


They do yearly updates, the 2022 doc will very likely have more information. Regardless, the 2021 doc has some key foundations of the technology that are worth knowing.

The contact tracing docs _should_ be almost the same technology, and knowing how that works _should_ be a good start. At least, from my eyeing the OP's article as a lay person.


AOP has been a thing since iPhone 6s, so they're not particularly rushed in documenting it.


I can't go too into details, but now that the AOP is doing cryptographical operations and key escrow, the internal bus is likely to show up in future documents. Maybe not the AOP but certainly the mechanisms it uses to interact with the find my network. It may also be a separate find my network whitepaper.


Is the AOP still involved in Find My, even on a 6s/6s Plus?

Edit: I read the TFA, which says 11 and up.


I certainly hope so!


"They do yearly updates, the 2022 doc will very likely have more information."

Sure you document such stuff before releasing it?


> Sure you document such stuff before releasing it?

Uuuhh so, bad news. Basically nobody ever does that. Since agile, everyone seems to just iterate like mad, release, then document after release if you have time.

I'm as guilty of this as everyone else.


>Sure you document such stuff before releasing it?

These are all likely documented internally - the process of cleaning it up is probably something they only care to do once a year. Very little of this affects most developers, and the stuff that does is available in the dev docs.


Apple doesn't even always document stuff after releasing it.


> I’ll be pretty shocked if I’m “spied on” with this style of device.

A few days ago I was trying to figure out what an AirTag is, so I read the Apple website. They claim that ordinary people don't need to worry about being tracked, because users who are travelling with an AirTag that is not theirs will have an alert sent to their iPhone.

This raises three questions which were conveniently elided on Apple's website:

1. What prevents people from using AirTags to track Android users?

2. How does the notification balance false positives, true positives, and notification fatigue in the situations where "someone next to me on the bus leaves an AirTag behind." How is it distinguishable from "someone snuck one into my pocket on the bus"?

3. Under what circumstances will Apple be willing to suppress the notification that one is being tracked by an AirTag?


1. Apple announced that they will release an App for Android that detects when an AirTag travels with you. I don't think it has been released yet, so currently, nothing prevents you from tracking Android users.

2. The iPhone can detect the distance to the AirTag quite precisely. I think this type of false positive is going to be rare enough for notification fatigue not being a problem. In your bus example, reporting the false positive would be fine imo. (It would also allow you to return the air tag to the owner).

3. The notifications don't go through Apple's servers, so Apple would need a backdoor in the OS to disable the feature. They might have added something like this, but it might not matter much - if someone plants a tracking device on you, they'll use one without silly privacy features.


>1. What prevents people from using AirTags to track Android users?

AirTags are BLE beacons, that Android phones will simply not pick up and not send their signal to the mothership. A background noise.


You're missing the point.

If an Android user is travelling with an AirTag other people (e.g. a colleague) with iPhones will "send the signal to the motherships" but they won't get the alert as they most likely won't be in proximity of the AirTag long enough to trigger it.


Ah, right, thanks. Missed that


Why are you so worried about expensive AirTags being used to track people? There’s a market full of cheap tracking devices to slip in someone’s pocket and they come with no privacy protection at all.


> I’ll be pretty shocked if I’m “spied on” with this style of device.

Why? There's plenty of devices in the wild constantly looking for wifi connection attempts, BLE Scans. Even cellular providers track locations in real-time by logging what cell towers you're using and associated signal strength.

Just search for a place in google maps, and note the "Popular Times". How do you think they got that data :D


> Even cellular provider track locations in real-time by logging what cell towers you're using and associated signal strength.

They also sell that data, and until about 3 years ago, anyone could access it FOR FREE! :D

https://krebsonsecurity.com/2018/05/tracking-firm-locationsm...


The protocol they use explicitly protects against this attack vector.


Details of the rotating key used so that persistent tracking based off of the BLE beacon isn’t possible: https://www.wired.com/story/apple-find-my-cryptography-bluet...


Um they get that data from being a monopoly and knowing when most people are looking up directions to or information about a location.

Sure, they might do some other stuff to expand the data but there's much more relevant data right in their first-party domain.


No, they definitely read your location on your phone and "place you there". It has nothing to do with active actions made by yourself.

The same way traffic readings are done, not by cars, but by people in cars with phones.


Apart from what my sibling already said, think about it. How would searching for a restaurant correlate with "popular times"? Not much really. Would be all over the place. I search for the restaurant 3 days in advance at 10 in the morning but I'll be there Saturday night at 8, just like many other people. And at 10 in the morning the restaurant was still closed.


> This seems to be implemented as a Bluetooth LE app running on the ultra-low power “always on processor” used for a variety of features, like “wake-up on motion.”

Which, presumably, mere mortal developers have no access to?

Sigh. Again.


> Which, presumably, mere mortal developers have no access to?

I sure hope not, since "mortal developers" include countless bad actors. Apple has an imperfect record, but at least has a vested interest in avoiding abuse.


yea I remember years ago Qualcomm was working on an "always on" BLE chip. Use cases they promoted was a 24/7 tracking for ad placements. With privacy concerns back then I thought that would never get approval yet here we are now.


Just a simple question. Do you believe in freedom of speech? In freedom of the press? If yes, why do you think it would be shocking if you are spied on?

You are being spied on at this moment. So what are you going to do?


We’ve just got a different interpretation of what I wrote. Of course my data and location is tracked all the time - it’s an endless stream. I was referring to the thought I’d have if I was to become aware that my Bluetooth signal of my “powered off” iphone was the data source used to spy on me. There are plenty of easier ways to do it… and my phone is usually powered on.


In some way this feature reminded me of Android's song detection functionality which is also on by default and is constantly listening in the background [1].

So now tech companies normalized that:

- the mic is always on.

- the phone is always on, even when it's off. (thanks to AOP)

- devices are always online even when they are offline. (thanks to company-operated p2p networks like Find My or Sidewalk)

What could possibly go wrong?

[1] https://support.google.com/pixelphone/answer/7535326?hl=en


Yes which supports all kinds of functionality that people like. Just because you have a processor on or mic listening for wake words doesn’t mean everything is always being transmitted or evil is being done.

State actors could do this selectively regardless even before these features. There have been attacks on Motorola razrs, etc for spying. Long before the smartphone, they just implanted microphones, shine lasers on windows, etc.


> Yes which supports all kinds of functionality that people like. Just because you have a processor on or mic listening for wake words doesn’t mean everything is always being transmitted or evil is being done.

No, but it means that I’m losing agency in whether or not those things can happen. That’s not ok and not benign.


The 'listen for music' feature on pixel phones is optional and off by default.


Yes, I have a Pixel 3 and can confirm that the feature is off by default; I turned it on for a while to experiment and then turned it off again. Also, it appears that if you turn it on, it compares what it hears against a much smaller set of popular songs (probably comparing against a set of feature vectors that's already on the phone); the search for anything obscure tends to work only if the Google Assistant is used.


What is the use case for that feature? I get an active "what is this song".


It demoes well at I/O.


But.. What is the use case? That... The phone can give you statistics of what music you've been listening to?

Sort of like a "here is the locations you've been to, because we've been tracking you at every step", but instead "here is the music you've listened to, because we've been eavesdropping at all times"?


for me, it's like a soundtrack recorder for my life - sometimes I'll remember that there was a cool song playing at the bar and with this feature, it's likely that my phone captured the song and tells me what it is - there are 3rd party apps that will give you location based info for when and where you heard the song as well, so it creates a music map and timeline for you. it's a very niche feature.


I used a company called mobile spy over a decade ago back on the old iPhone 4s. I was able to see a lot of information and believe the premium features allowed you to silently make a call to the phone which it would automatically answer and leave no trace so you could call and listen in. You of course could see sent images and messages. Websites visited and all sorts of spying. It was very fun to play with at the time it made me realize that anyone could spy on me if they get my device for a bit. I also realized that if all my messages are being sent to this company and I can read it in plain text then so can they. I deleted it and never did try the premium mode.


It’s a feature of Pixel phones, not Android.

I’m not sure how this will change in the future, but currently at least it’s probably not possible to transcribe and communicate speech this way (the power and bandwidth requirements would be too high).

But we’re damn close.

Edit: It seems like throughput isn’t even an issue in the case of Amazon’s Sidewalk. Now it’s just transcription in low power modes. Heck, you might even be able to send raw audio.

This is feasible.


The article mentions that the AOP is responsible for Siri, too.


The article is wrong about AOP being on while the phone is off. AOP is on while the phone is in standby. It powers down when you shut down the phone. Its job is to save battery by doing things like the Hey Siri and sensors processing without powering up the main cores at all. It does not stay on when the system is shut down.

The part about the Bluetooth chipset staying on is correct. Think about it, why would they need the AOP when the Bluetooth chipset can run that applet autonomously and send the beacons?

Nothing is listening to your mics while the phone is off. The stuff that runs while the phone is off is rather limited. Mostly things related to the NFC chipset, to support payment and transport applications while the battery is dead (which is a requirement of some of those systems) and, as we just saw, Bluetooth LE features.


Upvoting you, as you are totally right. The AOP is a standby feature, not while powered off. And why would it, the BluetoothLE chips available for years already have this wake-up functionality drawing very little power.

I own a Bose BT Speaker and a FiiO BTR5 - both can be "off" (using their power-off buttons) but will still suddenly turn on when I explicitly connect to them through my laptop or phone. They are in this BT LE listening state 24/7. All Apple did, is basically enable this mode now on the existing chips which are BT-LE capable for several iPhone generations. Once woken up using BT-LE, the AOP takes over to reply to FindMy-like beacons (and enable other iPhones to trigger the wake-up beacons when locating other phones).


It's not even that; the AOP plays no role in this feature. The BT chipset can autonomously send the beacons. There is no mechanism for the AOP to wake up when the phone is off - it's dead and doesn't even have firmware loaded.


So according to the post iPhones now have an AOP (Always on Processor) running a proprietary operating system with access to other phone components. Do we know if other manufacturers also include such a processor?

A quick Google search showed a relevant Apple patent [0] and a similar Qualcomm processor product for wearables [1] which suggests to me this (always on processors on consumer electronics) "is out there ..."

[0]: https://patents.google.com/patent/US20150362980A1/en

[1]: https://www.eenewspower.com/news/12nm-always-processor-slash...


Not for phones or wearables, but https://en.wikipedia.org/wiki/Intel_Management_Engine:

“The Intel Management Engine (ME), also known as the Intel Manageability Engine, is an autonomous subsystem that has been incorporated in virtually all of Intel's processor chipsets since 2008.

[…]

The Intel Management Engine always runs as long as the motherboard is receiving power, even when the computer is turned off.”


These sorts of low-power coprocessors are quite common. You can buy Cortex-A/Cortex-M combos from multiple manufacturers on digikey.

It's not just big application processors that have them, either; some microcontrollers like the ESP32 have them as well.


> now have an AOP (Always on Processor)

They've long had this. It's how they turn on when picked up (by tracking the motion sensor) or when touching the screen (tracking capacitive sensor)


This seems different to those examples because it works when the phone is powered off. AFAIK neither pick up nor touching the screen have ever done anything when the phone is powered off, only when it’s asleep.


Yes, exactly. Many of the things I’ve seen mentioned in the comments, such as wake on motion or responding to “hey Siri” are waking from sleep. AFAIK, you can’t power on via motion or hey Siri.


You can wake from sleep via motion, and presumably from the perspective of the AOP, there isn't really a difference between "turn on" and "wake from sleep".


It’s still the same AOP coprocessor


The iPhone already runs a proprietary operating system.


With a closed source compiler (Apple clang is not the clang you or I can compile, unless they have no tuning models for their own silicon)


Do not try and power off the device. That’s impossible. Instead... only try to realize the truth.

The truth?

There is no off.

From the Matrix, or something.


Sure you can power off your device! Just take out the batt-- oh...


Swappable battery is a trend that should return- to both phones and electric vehicles.


Won't happen w/o legislation.


Non removable battery and minimum percentage of phones sold with gps were promoted by governments (from old HN posts if I recall correctly). Actually there is no technical need for most phones not to have non removable batteries.


Isn't the argument that non removable batteries enable water resistance? Or am I missing something?


That's been an argument for non-removable batteries, getting rid of the 3.5mm jack.

I find that argument strange: I've never needed my phone while showering or swimming. Some rain has never broken any of my devices. But I've had pain from non-standard audio cables (Sony Ericsson from the early 2000s and their expensive proprietary cables) and non-removable batteries (Huawei batteries losing like half the capacity after a little more than a year).


Dream on.


As long as the timeframe scales with the size of the battery. A phone battery should be swappable in a few minutes. A car battery should be swappable in a day or two. They have to be heavily shielded in case of an accident.


> A car battery should be swappable in a day or two

Nio currently swaps out their car batteries in about 3 minutes, much like you'd get an oil change at Jiffy Lube or something. It's completely automated except someone pulls the car in/out of the bay for you. I imagine that human step will be relatively short lived.

> they have to be heavily shielded in case of an accident.

Yes, it's just a simple matter of purposefully designing it to be removed easily.

This is cued up to where he gets to the battery swap station: https://youtu.be/hTsrDpsYHrw?t=358


And how many people drive more than 300km per day AND don't have the time to wait 50 minutes, but only got 5? Replaceable car batteries are technically possible (heck, everything is possible with engineering), but totally useless.


So it's possible and you reply to a person telling you about a legitimate usecase but you continue to go on about how it is totally useless?


How many such stations will be built and how many different shapes, sizes, battery chemistry, and capacity batteries will each station have to have in stock?

It sounds like it isn't even possible except in the trivial sense that if one has a fully charged battery of exactly the right type on hand, then it can be swapped in five minutes. Sounds like each station would either have to have a large store of batteries or it would have to only serve one model of car. The first is a large capital cost, the second generates very little revenue.

To compete with, say Tesla, Nio would have to build hundreds of battery swap stations in Europe. Tesla has 601 sites in 27 countries. When I drive from Norway to the UK I am rarely more than 50 km from a supercharger.


Nonsense, a complete engine in an internal-combustion vehicle - which is vastly more complicated than a battery in an electric vehicle, and which often requires removing various structural members in the front of the vehicle - can be swapped in under two days. A battery should be a few electrical and coolant connectors and maybe a dozen bolts, rolling out from under the vehicle with little else to fuss with. Engineering it such that you have to replace and bleed the brake lines or remove suspension components is basically the same as designing for non-replacement, as if you were gluing in a battery.


You word it like you specifically want bigger batteries to take longer. Why is that?

All else equal I'd expect a laptop battery to be easier than a phone battery, and it's definitely possible to design a car battery to swap in minutes even with shielding.


This is where a tin foil hat really comes in handy!


You don't need a tin foil hat.

But a multilayered tin foil iPhone case would probably do the job.


Well, you can just put your phone in a drawer and go do something else.


This reminds me again how cool phone architecture is.

There’s a huge amount of patents around the idea that you don’t really need to have the power-hungry main AP on all the time. Instead, people get really creative around delegating behavior to cheaper chips to save power and sometimes reduce total BoM cost. For example, one that I worked on was around the idea that you could use a minimally featured yet cheap BLE chip to detect when one of your paired devices was near the phone. It would then wake up the beefier chip with the full stack implemented, which saves a surprising amount of power.

Some of the things you can do when you break out of the software-only box are incredible!


This seems analogous to ESP32 deep sleep. In this mode the co processor can monitor GPIO pins on the device to wake up or even control some parts of the device… very useful for battery powered devices… makes total sense Apple and probably all smart phones have a similar multi chip architecture to manage the device power and sensors… it does suck that the side effect of this could be used for evil and that even when we use the power off features it doesn’t turn completely off… I do miss real on off toggle switches that actually break the copper connection between the chips and the current…


It's also interesting that this low-power mode is sufficiently low power for Apple to feel comfortable sipping battery power continually. Any guesses about how much power this mode actually uses?


Other Bluetooth LE devices like an AirTag can last beyond one year on a CR2032 battery, so consuming about 2 milli-watt-hours (mWh) per day.

An iPhone has at least 10 000 mWh battery capacity (depends on model), so in 1 month something like this consumes around 0.6 percentage points of battery.


I would think the normal drain of a battery sitting on the shelf is more than this feature uses.


Exactly, this is pretty much the case.


The NFC chip probably uses a tad bit more power, but it also uses battery after your phone dies to allow you to continue to pay for transit. "power reserve is available for up to five hours when your iPhone needs to be charged".

https://support.apple.com/en-us/HT209495#:~:text=power%20res....


Your phone isn't actually "dead" when it shows out of battery though, since the display can still power on for another hour+. There's a reserve before you hit the true 0%.


I mean, true 0 would mean the battery couldn't ever charge again. My iPhones have consistently always turned off when the indicator is on 1%, which of course is probably 5% of the actual battery.


> true 0 would mean the battery couldn't ever charge again

what?


Due to how the battery is designed. An actually fully discharged battery can't be charged normally (the power control chip on the battery needs a bit of power to function normally). Typically this can't happen because your phone will shut down before that.

But if you use up the battery and don't charge it for a long time (1 month or so), this can happen, because batteries discharge themselves slightly even when not being used.


Why can't the power control chip also get power from the charging power? That wouldn't be particularly hard to do.


It turns out my memory is incorrect. Lithium-ion batteries damage themselves when under a certain voltage due to how they work. The control chip is there to stop the battery from having too low a voltage. However, it can't help with low voltage caused by self-discharging.


Battery chemistry often relies on there being ~some charge. Completely dead battery would be, as the name implies; dead


I think this is important research if only for the fact that it illuminates the states of CPU as they apply to threat models for users. It wasn't too long ago that many state sponsored Android hacks were revealed to work due to 2 separate unlock states in the system, and so long as an initial unlock had been performed, most of the phone could be hacked through services that were running in the background on the network.


I hope a flagship feature of the next iOS is an "emergency low power mode".

Shut down on the last 5% of battery and make that last for 24h or something in that range. Use only dim white on one part of the OLED, show me the time, sound alarms, show important notes, give Wallet/Apple Pay access, allow one last battery draining SOS call and add a compass for good measure.

Maybe they could even afford to wake up the radio every 30 minutes and fetch some important info. In a few years they could even open it up to third party developers.

If I put my phone in airplane+low power mode, max dim the screen and carefully wake it, 2% already goes for quite a few hours. Maybe they could do way better than 5%/24h even.


Android (and BlackBerry before that) have had something similar to this for a while.

On a BlackBerry, it would shut down the radio and give you a "Battery too low for radio use" message, but you could trick it into turning the radios back on by dialing 911 and then hanging up really quickly.

Various Android manufacturers do their own version of this, Sony had Ultra STAMINA mode and Samsung have an option to do a whole bunch of power optimizations as well as limit apps to those explicitly specified.

For me, the main critical purpose of my phone is to communicate with others in realtime which happens using things like WhatsApp, Slack or Email (maybe the odd call). If I can't use those, then it might as well be dead!


Maybe I missed it in the article but how does it work with Bluetooth exactly — how does that help me find my phone over a long distance? What’s the Bluetooth connecting to and how does the phone get the request?


The Find My Network is, basically, every Apple device out in the world. Using bluetooth in this fashion, all the other devices participating in the network and in the area of the phone (or AirTags, they work similarly) will receive the bluetooth broadcast. They'll then communicate that to Apple's system. So when you go to find your device, its most recent known location can be provided to you. They've got some cryptographic mechanisms in place (I haven't researched them) that ensure that the systems receiving the broadcast don't know anything other than that it is an "I'm an Apple Device and here's some cryptographic data" message.


Do you mean that every Apple device in the world acts as a proxy to forward Bluetooth requests from nearby (off) devices containing their location, automatically? E.g my laptop is pinging data to Apple about random nearby phones all the time that it sees with Bluetooth?


Unless they opt out of it, yes. Which is pretty easy to do, pretty sure it's an option during initial device configuration, but regardless it's in the system settings. Which is pretty easy to navigate. There's even a search option at the top to help you find it instead of navigating to the setting.


If you know about it.


you have to opt in when setting up a new device, and I think when updating to the OS version that enabled it


Maybe I missed declining a prompt in setup, but this latest feature was opt-out, automatically enabled after a software update, and only notified me once, the first time I powered off the phone after updating. To disable the feature, I had to go four levels deep in Settings, with the last two levels having seemingly unrelated names, disable a toggle, and accept a misleading confirmation prompt.


It jumps off of general Find My functionality, so pretty much anyone that has BT enabled, and doesn't want their phone to be sellable when stolen, will act as a proxy node.


Not only a proxy. The other random devices use their known location to add to the data to show where the device was found. It’s all encrypted with the key of the lost device owner so Apple cannot read it.


And all of the data is encrypted so that no one other than the actual device owner can get any of the location information for their device. No one else, including Apple, can locate a device using the Find My network.


Yes, essentially.


Did not know that’s how Find My worked - very interesting


It is how the new feature works. The old feature did not work this way.


The comment is a bit incomplete in its description, but it looks like an accurate description of how Find My Phone has always worked. All that’s new is that a turned off device will respond to queries.


There’s no actual Bluetooth connection that happens here. The AirTag or other FindMy-enabled device is purely transmitting. The packets being transmitted are Bluetooth Low Energy advertisements (sometimes referred to as “beacons”). Any Apple device can perform Bluetooth Low Energy scanning and can listen for these advertisements, and report what they’ve found to Apple’s servers.


The idea is that someone else's Apple device finds it, then you can see where the last place someone was in Bluetooth range of your device.


So this is why the government will never force Apple to have easy to remove batteries.


Why would they waste their time on Bluetooth tracking when your location pings cell towers and WiFi hotspots?


Perhaps because the bluetooth tracking is a lot more accurate. But since not even Apple can access the data (or so they claim), this shouldn’t be useful for surveillance.


Bluetooth tracking kinda sucks unless you’re literally Apple or have beacons everywhere somehow. It really just gives proximity to a known location.

UWB and Cell tower tracking are much more accurate for the majority of real-world applications


Exactly. All mass surveillance requests go straight to Google thanks to their unencrypted location tracking.


What unencrypted location tracking does this comment refer to?



Bluetooth tracking is noisy and a waste of time for external actors because you can't match it to other data points.


Not sure I agree here. Most Bluetooth Low Energy devices (aside from Apple Devices and Android phones) don't make use of the privacy feature and therefore their device address can be linked to a specific product. Many Bluetooth products have user accounts attached to them (think fitness trackers and AirTag-like products) meaning that the device address can be tied to a specific user.

Now consider the vast number of “smart nodes” out there (eg street lights) that have multi-protocol connectivity built into them. Whoever controls these nodes can simply scan and log every BLE advertisement that is nearby.

I’m not saying that this is the only way that a person can be tracked or that this kind of tracking is definitely happening right now, but it’s a very real possibility.


> So this is why the government will never force Apple to have easy to remove batteries.

The government did not force Apple to use non-user-replacable* batteries. Which is good, unless you're a fan of government-designed hardware and software.

(*Well, not easily user replaceable: https://www.ifixit.com/Guide/iPhone+12+Battery+Replacement/1...)


Does this still work when the phone goes to 0%? Assuming the battery isn’t actually at 0 here; or that the AOP could have its own tiny backup source to last a few days/week.

Now that would be useful. I guess this use case is valid when someone naughty finds your phone and turns it off to try and hide it?


How long before one of the alumni of yehida shmone matayim (Unit 8200) have an exploit for this?

In fact, it is likely that they already have one, and are using for counterinsurgency work.


Hmm. Feeling very good about dumping iPhone to simple flip. My last iPhone was old SE with home button and touch ID. Somehow I managed to remove smartphone habits of my life. It is a bliss. Highly recommend. It is a stellar investment in one's future, psychologically, technically and in general.


Personally I find it rare to actually call someone, so a flip phone would be mostly useless to me. I suppose texting is still a thing though.


I redeveloped the habit to call. It is more personal and surprisingly effective. People actually respect a phone call, when done properly. Texting is compromised, services never delete data.


If you don't mind my asking, what model flip phone did you settle on? I had one I really liked, but carriers are dropping support for the 3G network it uses, and it seems like all the 4G-compatible options either run Android or have issues with basic functionality like receiving calls. (Or both!)


Phones are insecure by design, in my country log-file metadata of calls and sms is kept by operators (and it is not optional), people don't read the small font agreement from a long time ago.

So my approach is to use the device with this in mind. Some form of data will be transmitted and sold by operators or third party backdoor from manufacturers. The goal is to minimize data exhaust so I bought this

https://www.amazon.com/Alcatel-Unlocked-External-Bluetooth-A...

https://www.youtube.com/watch?v=TRQ_Z9TiRRs

https://www.youtube.com/watch?v=3uIZE3Av4Gc

As I said before, the problem is not only in devices and dark patterns designs towards data gathering. The problem is that we have learned to adapt to the "new tech" and are excited to try "new things" without any form of critical thinking and with automatic trust.

I was a part of this "tech fetishism" crowd, I wanted "the best" and "most advanced" not only to socially validate myself but to be "on the verge of tech".

This was in 2015. Now I have a different mindset. I know what tech companies and governments want. I know the people who live comfortably knowing that they create spyware and UX dead traps, and when I ask the answer is: Shrug and take the money.

So I decided to move radically forward.

Imagine that we are living in 2030. There is no privacy, cars are scanning everything with Lidar, IR and thousand cameras, listening and collecting, the street-lamps are with integrated CCTVs, you get the picture.

So what will give some form of real advantage for the individual in this panopticon? Low data exhaust. The less you give to the surveillance system, the more power you will have when making deals with businesses and government organizations.

Working with Internet now, requires VPN, Firewall, Pihole, browser extensions for privacy, decentralized services, etc. Imagine in 2030. There will be no way to use it anonymously and legally. Nobody will stop this. This is the new WEF approved business future. For the children, for the environment, for safety and "peace of mind".

There is one exception and you can use your power now. The power of consumer choice.

Mine is to invest in my idea of tech future by one factor: Consumer control. If I have to abandon the Internet so be it. If the only connections to Data Towers are the mandatory ones, I will be satisfied. Listening to my own collection of music (CD rips and Vinyl), reading physical books, browsing my vast data collection offline.

And I find this logical and absolutely normal. There is no tin-foil hat reaction. There is data and everyone is free to analyze and create his own version of "reality".


It's always fascinating to see how complex modern hardware actually is. Dozens of small processors with their own operating systems communicating with each other. I have a lot of respect for the engineers that they actually managed to build a device so small yet so complex.


Your "computer" is no longer just a computer, it's a whole network of computers in itself!


yeah, also thought of this. An iPhone is essentially a small network of interconnected processors communicating with each other!


I'm sure device manufacturers are looking at energy-harvesting technologies for true "always on" capability.

https://news.ycombinator.com/item?id=28715935


With this feature enabled, can adversaries (with a bluetooth antenna) detect your phone's presence, even if it's off?

What do they see? Do they see your device name eg. "Craig's iPhone", or do they just see random alphanumeric characters?


Probably an encrypted payload to be forwarded to Apple's ‘find my’ services


Apple devices all use a private resolvable Bluetooth address that changes every 15 minutes. That, along with a cryptographic payload, protect against this.

Aside from Apple products and Android phones, most other Bluetooth Products do not use private resolvable addresses, and many have the issue that you describe. The name isn’t always so obvious, but sometimes there is identifiable data that can be read.
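An added example, not part of any comment here and not Apple's or any vendor's code: a defender-side audit of a BLE scan log that classifies each advertiser address by the privacy types this comment and the earlier one about static device addresses refer to, and flags addresses that stay linkable over time. The log records, the 15-minute window (taken from the comment above) and all function names are assumptions; the address-type bits follow the Bluetooth Core Specification.

```python
"""Audit a BLE scan log for advertiser addresses that allow long-term tracking."""
from collections import defaultdict

# Assumption: the 15-minute rotation figure quoted in the comment above.
ROTATION_WINDOW_S = 15 * 60

# Constructed sample scan log, not real captures:
# (seconds since scan start, advertiser address, TxAdd flag, advertised local name).
# TxAdd comes from the advertising PDU header: 0 = public address, 1 = random address.
SCAN_LOG = [
    (0,    "00:00:5E:00:53:34", 0, "FitBand-1234"),  # public address
    (600,  "00:00:5E:00:53:34", 0, "FitBand-1234"),
    (1800, "00:00:5E:00:53:34", 0, "FitBand-1234"),
    (0,    "D3:5A:91:22:7C:01", 1, None),            # top bits 11: static random
    (2000, "D3:5A:91:22:7C:01", 1, None),
    (0,    "5E:10:44:A9:03:BB", 1, None),            # top bits 01: resolvable private
    (700,  "5E:10:44:A9:03:BB", 1, None),
    (1000, "62:F3:08:1D:77:20", 1, None),            # a later, rotated private address
    (100,  "2A:00:11:22:33:44", 1, None),            # top bits 00: non-resolvable private
]

# Sub-type of a random address, encoded in its two most significant bits.
_RANDOM_SUBTYPES = {
    0b11: "static_random",
    0b01: "resolvable_private",
    0b00: "non_resolvable_private",
    0b10: "reserved",
}


def classify_address(address, tx_add):
    """Return the privacy type of a BLE advertiser address."""
    octets = address.split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"not a 48-bit address: {address!r}")
    if tx_add == 0:
        return "public"
    msb = int(octets[0], 16)  # leftmost octet is the most significant one
    return _RANDOM_SUBTYPES[msb >> 6]


def audit(scan_log, window_s=ROTATION_WINDOW_S):
    """Group sightings per address and explain why each one is or is not linkable."""
    sightings = defaultdict(list)
    for ts, address, tx_add, name in scan_log:
        sightings[(address.upper(), tx_add)].append((ts, name))

    findings = []
    for (address, tx_add), seen in sorted(sightings.items()):
        kind = classify_address(address, tx_add)
        times = [ts for ts, _ in seen]
        lifetime = max(times) - min(times)
        reasons = []
        if kind in ("public", "static_random"):
            # A static random address may change on power cycle, but not while running.
            reasons.append("address does not rotate")
        elif lifetime > window_s:
            reasons.append(f"private address unchanged for {lifetime}s")
        names = sorted({n for _, n in seen if n})
        if names:
            reasons.append("advertises name " + ", ".join(names))
        findings.append({
            "address": address,
            "type": kind,
            "lifetime_s": lifetime,
            "trackable": bool(reasons),
            "reasons": reasons,
        })
    return findings


def trackable_addresses(scan_log, window_s=ROTATION_WINDOW_S):
    """Addresses an observer could use to follow one device across sightings."""
    return [f["address"] for f in audit(scan_log, window_s) if f["trackable"]]


if __name__ == "__main__":
    for f in audit(SCAN_LOG):
        verdict = "TRACKABLE" if f["trackable"] else "ok"
        print(f'{f["address"]}  {f["type"]:<24} {verdict:<10} {"; ".join(f["reasons"])}')
```

Run against a capture of your own product's advertisements, the audit shows whether its address rotates at all and whether a device name undoes the benefit of rotation.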


I'd like to know if wrapping a phone in aluminum foil is enough to block Find My. iPhones are still valuable enough to steal for parts, so people will find workarounds.


For some reason I assumed from the popup that it would use the sim and gps to broadcast location, not turn the phone into an AirTag so this was interesting to read.


Would this work even with a drained battery? (assuming the battery would normally still have enough charge for this even if not enough to operate normally)


i'm guessing they probably added this around when they added keyphrase spotting (wake words) for siri although i think i remember reading about low power always on features being added for pedometry to both androids and iphones way back when.

android has similar functionality, as does any modern computer really (wake on lan, power management, remote management features, etc)


The weirdest thing is that Apple can do this and not use it to make wake up alarms go off after the device is shut down lol


I remembered that some old functional phones have such compatibility. Their alarm will ring no matter whether your phone is off or on, being totally independent of the phone function.


I‘m pretty sure all Nokia phones did that.


I had a Sony (Android 4?) that could do that. Such a useful feature.


Answer. Your iPhone is never actually off.


Not actually yours either. /s


Ok so this is why the Librem Phone has physical kill switches


There's something really dystopic about all of this.


And all it takes to defeat it is one of Alex Jones' Faraday baggies (or a microwave), probably


It was a bug to let end users remove the battery, now they fixed it.


Yep, that's not going to spark conspiracy theories and damage the brand at all, just like the backdoor they've recently put in. /s

Again, why would a $3T company damage its brand like that? It's not "for children" and certainly not to "find your phone". There's something going on there.


Apple has made it easier for users to locate lost (by being misplaced, forgotten, or stolen) devices with a feature that the user can opt out of on a temporary or permanent basis.

What is controversial about this?


Many will misinterpret it. We have seen how much the public can fundamentally misunderstand technical information over the past year.

People will just see that: 1. You can never disconnect your iPhone from the grid and stop it from being tracked. Even if you turn it off. 2. Governments, companies, and others (from the conspiracy theorist's standpoint) will be able to find you whenever they want.

I am sure there are some legitimate security concerns here, but Apple seems to have taken reasonable steps to provide a pretty awesome feature which has solved a lot of risky edge cases.


> 1. You can never disconnect your iPhone from the grid and stop it from being tracked. Even if you turn it off. 2. Governments, companies, and other (from the conspiracy theorist's standpoint) will be able find you whenever they want.

Ok, I'll bite and play the conspiracy theorist. What reasonable steps prevent some three letter agency (or Apple itself for commercial reasons) from abusing the Find My network to do exactly that?


Many Hacker News people, who are prone to conspiratorial thinking, will.

Regular people, not so much.


> What is controversial about this?

I'll predict that almost no one opted out of this for the simple reason that they didn't know this feature even existed. This is the "Hitchhiker's guide to the galaxy" method of faking consent.


They show it clearly above the slider when shutting down. Since this is a feature virtually 100% of users want on. This seems appropriate.


Ah, I'm sorry. Then I had a misconception about how the UI worked. I thought it was on by default and the only hint it even existed was buried in settings.

I agree, this UI is a lot better.


If they aren't under a gag order, that is. If they are, you won't even know it's on.


If you don't trust the software to do what it says, then none of this matters anyway since they could have added this in silently ages ago or they could push custom firmwares out to targeted individuals to do it.

Everything is based on the trust of the OS and hardware so it's not a useful point to make.


Software, sure, but up until this I could at least trust that if I turn my iPhone off it's not spying on me. Now I don't even have that. It's amazing the people _on this site_ in particular don't see a problem with this, and think it won't be abused by three letter agencies and their foreign counterparts.


You thought you could trust that if you turn your iPhone off it’s not spying on you.

In reality a software update was all that was required to enable this tracking.


If there is such a capability (a rather technically involved one, I might add, all the way down to the silicon), do you really believe Apple can't turn it on at CIA/NSA's request without popping that dialog? And you wouldn't even know due to gag orders. And before you say this can't happen in the US, I can give you a few publicized examples of illegal spying on US citizens just in the past few years.


People have been carrying around portable GPS devices in their pockets for over a decade now. This threat is not new, and if you fear it, don't carry around a GPS device or one that will connect to other devices to get its location reported to a central server.


In other words, don't use modern technology?

Don't you think there should be a law so a device has to at least indicate it has an "always on" component?


The difference, which will be missed by many, is that previously you could be reasonably certain your device is actually not spying on you if you power it off. That option is gone now. You should just assume it's on and sending your data directly to whoever wants it.


Even when on, the system is designed so that Apple themselves can't use it.



Can a faraday cage backpack work well to block any of this stuff?


Some of it. There is still the ultrasonic channel: beacons are emitted by various TVs, stores, etc. which can be used to capture location and other data and exfiltrate from the phone with the right software running. And of course the regular microphone can capture conversations and media.

If the bag is not opaque, there is still an optical channel.

Plus there are still accelerometers and magnetometers which can do rough inertial and geo location estimation.

The bag may help with some exfiltration routes, but it can store locations and other info and upload it when it gets a signal back.


Where can I read about these? Audio beacons, I mean.



Thanks!


Faraday Pillow


It’s implemented as Bluetooth LE it seems, so I assume anything RF blocking for Bluetooth should do what you want.


It's what Apple doesn't announce or tell us in their updates that are the most interesting things to discover rather than the features they show us in their keynotes.

Keep that in mind.


https://youtu.be/psL_5RIBqnY?t=6687

> Now, Find My combines Find My iPhone with Find My Friends... And it has a new twist because it can now even locate Apple devices that are offline... Let's say you have misplaced your MacBook. So, even when it's offline and sleeping, it sends out a secure Bluetooth beacon that can be detected by other people's Apple devices nearby. Now, they can relay your MacBook's location to the network and ultimately back to you so you can find it. Now, what's amazing is that this whole interaction is end to end encrypted and anonymous.

About two full minutes of Craig explaining it.


"Offline" != "Off"


For the average user they are the same thing. "off" is not even a state the average user uses. It's either open and connected to the network or closed and in sleep mode.


I like Apple products a lot, and how they achieved popularizing many technologies, the next one being LIDAR, but for the first time ever I feel this is just going way too far. Sure I want to find my stolen phone even when it is off, but it is way too much loss of freedom having a permanent personal tracker even when the phone is off…


The ship has long since sailed on this point, powered on or not.

There's research that's talked about in the book, "Data and Goliath" that explains how the behavior of people specifically trying to avoid being tracked is sufficiently different from most other people that, even if you turn off your phone (sometimes ESPECIALLY if you turn off your phone) that act can be a behavioral marker used to correlate your activities with other people who do similarly, and your location can be largely deduced by process of elimination anyway.

It's a fascinating read.


Then just turn it off in Settings.


I remember a hack for webcams where, in spite of being turned off, a malicious attack managed to spy on the user.


It literally tells you about this right next to the slider to turn off. If you tap the message it lets you turn it off. I see absolutely no issues with this.


Sure it won’t be like the Webcams that were possible to spy on, in spite of being turned off?


The Find My network is designed so that only you can track your own devices using it, nobody else can.


Neither hackers nor the NSA, right?


Exactly. It is cryptographically secured.


Tor Network is also encrypted and still there are ways to get the people behind. If the feature is there it will be exploited.


If you have any information about vulnerabilities in the published specs for the system, do present them.


Is Matthew Green some industry security personality that people respect? I appreciate this write up, it's interesting. But it seems motivated by his little Twitter rant the other day. Who is he beyond some Twitizen in a Guy Fawkes mask who hates HN? I don't particularly like his demeanor, at least from his rather naively uninformed tantrum the other day. Didn't seem very professional or respectable so I just wrote him off.


Matthew Green wrote zerocash, the protocol behind zcash, and he teaches cryptography at Johns Hopkins.

When it comes to cryptography he knows enough to have opinions. It's hard to opine about black box systems, which is why open-source is so important. It's hard to trust what you can't verify.


Offline finding isn’t a black box system, though. It was presented at Black Hat, and there is a well-known 3rd party implementation. This feature brings offline finding to more cases.

In addition, if this person is a well-regarded professional, then indignant tweeting is even more concerning because the general public has no way of knowing that they’re just misinformed.


I don't disagree but like if you want an open system why are you using an iPhone? Maybe Green is a little guilty of slurping up Apple's privacy marketing?...


You can read more of his iPhone-related writing here: https://blog.cryptographyengineering.com/category/apple/

I'm not sure how concerned he is that it's closed source, I think in this case he was just surprised that the implementation details and security considerations weren't documented anywhere: https://twitter.com/matthew_d_green/status/14433822078386217...

Note that he was relatively positive about this feature when it came out two years ago: https://blog.cryptographyengineering.com/2019/06/05/how-does.... It seems like the motivation for this tweet was "wow I do a lot of iPhone security research and I didn't know this worked when the phone is off, I'm surprised Apple doesn't document the details of this anywhere." Remember that it's hard to interpret tone through the internet, and as someone that doesn't get a ton of engagement on Twitter, he probably doesn't feel like he's writing for a mass audience.


This is no surprise to me knowing Apple's history. Honestly I think I was just annoyed by his twitter personality, but I guess I shouldn't find "twitter personas found to be annoying" surprising either.


At this point, there's only two mobile OS players. All of these upstarts don't have enough market share to count (hopefully, just for now).

Nobody's family members use something other than iOS/Android. Maybe some of your friends do, but that's a small market.

With that established, just because one uses iOS/Android does not mean they are not about openness or security or privacy or whatever. It probably just means they are a human being that has only so much time in their life and they need a mobile device that works and operates with their friends and families. Just like why people continue to use FB/Twit/blah; that's where the people are.


Which is why his twitter thing felt so odd and uncharacteristic especially coming from a professor of cryptography nonetheless. AOP has been around for years. If he's made the concession to use an iPhone because that's where people are, why freak out about some new feature like you were born yesterday? This is Apple, you know they don't document shit. Go look at core crypto... it's doc-gen function signatures and structs. They don't even tell you how big their chacha20-poly1305 nonce is. The only reason they have a security handbook is so that the government would approve iPhone use. Why not look at the prior art out there surrounding the protocol published by people who are concerned like you are and weigh in as a security expert instead of having a twitter fit and then throwing HN under the bus when they point this shit out to you and say "hmm he's kinda overreacting this isn't news and actually the protocol is pretty good".


I totally agree this totally feels like someone making noise to get attention even though the subject is closer to a mole hill approaches mountain in stature.

I just think the attack "smart guy" for using iOS/Android meme is lame.


I mean I advocate for open systems that can be audited and verified and I still use an iPhone as a daily too although I've been exploring the pinephone on my other sim. I get it. That wasn't my intention to attack the smart guy for using an iPhone. More just like "what do you expect"?


Everyone is quite an absolute word. How are non-Apple users slurping up Apple's privacy marketing?


Edited.



Matthew Green is a well-known cryptography professional and has a ton of write-ups on his also well-known blog.

https://blog.cryptographyengineering.com/

You seem a little judgemental and obviously unaware.


Because he posted a bunch of admittedly pretty annoying Tweets based on angsty presumptions about stuff that someone who put in the effort to do their research and submit a real teardown and writeup rips apart. Being some crypto associate professor doesn't absolve you of the responsibility of doing your research before spewing off on Twitter. At least he's seemed to handle things with some amount of humility since then so I'll chalk this one up to having a bad day or something. I've actually read some of his stuff before I just didn't know him by name which is why I asked.


Heck, I hate HN.


"who hates HN"

This site, and this community, is great in my opinion. But it's not without valid criticism, especially considering the impact it can and has made in the industry and tech society.

"naively uninformed tantrum"

I'm unable to find the posts you're talking about.


Sorry if my distaste for these "I'm so cool look at me go" Twitter rants is seeping out here. If you go to his profile and scroll back a few days of posts you'll find them. Anyway it looks like he's humbled and corrected himself after seeing this writeup. Maybe I'll give him another chance.


> scroll back a few days

I did and I'm not sure what I'm looking for. Could you do it and post here so that I can verify what you're talking about?


Get a load of this I've got BIG NEWS I hope you're ready for my thread.


So it turns out APPLE did something I didn't know about.


My iPhone doesn't turn off anymore when I power it off if I select the option that says "go into low power mode so that my phone can still send beacons". Can you BELIEVE this?


FURTHER, unlike Google who would never let you turn this feature off, Apple does, but I have to GO INTO SETTINGS to find it OMG. And what a jokeshow marketing team Apple has because the name is a little confusing.


Somehow those bumbling buffoons over on HN found my tweet and half of them LIKE this feature. WTF! They're even discussing this thread like they like to do.


Thanks. Genuinely gave me a laugh. I predict HN mods won't be so humorous about it though.


I have net lost some karma. Probably should have put it all in one post but I don't think it would have had the same effect. It so clearly is silly and unwanted when you do something like that on this forum, and that was the point.


You're gonna get yourself rate limited. It's no fun.


You mean "a little bird told you I was going to get rate limited", don't worry I gotchu.


No, HN will rate limit you if you post too quickly. I've been hit with it when I was involved in a back-and-forth in the past (part of the reason I added a 2-minute delay to my posts becoming visible, plus it gives me a chance to reconsider if they're worth posting or make edits).


I know. I was just being deliberately annoying. Matthew Green's twitter thread includes an incorrect (but he has now walked it back since he's obviously now read the teardown we're supposed to be discussing here and which I've played my fair share in derailing) post about how "a little bird told him it works this way". Just more twitter bravado at the time.


Huh? How is that 'bravado'?



