Build your own 'AirTags' today! Framework for tracking personal Bluetooth devices via Apple's massive Find My network.
We submit the research artifacts of our paper Who Can Find My Devices? Security and Privacy of Apple's Crowd-Sourced Bluetooth Location Tracking System to the PoPETs Artifact Review process.
Our submission includes (1) the experimental evaluation of the offline finding system in Section 7 of our paper and (2) the PoC implementation of the attack presented in Section 10.
The OpenHaystack framework in this repository goes beyond the contributions made in our PoPETs paper and, therefore, is not part of our submission. However, we invite the reviewers to test this code as well.
We provide the raw data and evaluation scripts used for the experimental evaluation of the offline finding system in Section 7 of our paper.
The code should be self-explanatory and generates Figures 4, 5, 8, 9, 10, and 11 and Tables 5, 6, and 7 of our paper.
We implement all code in a single Jupyter notebook provided in an external repository. Please refer to the included README file for detailed instructions: https://github.com/seemoo-lab/offline-finding-evaluation.
We provide a proof-of-concept (PoC) implementation of the attack presented in Section 10 of our paper.
The PoC consists of two parts: (1) the application that reads the private keys from the victim's device and (2) the application that downloads and decrypts the corresponding location reports.
Since our PoC targets a fixed vulnerability in macOS 10.15.7, the reviewer requires a device that is vulnerable to the attack. A second Apple device is required to trigger the generation and synchronization of keys. In summary, the reviewer needs
Both devices need to be logged into the same iCloud account, and both participate in Apple's Find My network (see Apple's official documentation).
The PoC consists of two applications: OFReadKeys and OFFetchReports. OFReadKeys is the malicious application that runs on the victim's device; the user needs to install it manually. OFFetchReports must run on the attacker's Mac. We provide the schematic overview from our paper below.
For testing, both applications can also be installed on the same machine, which we describe in the following.
The attacker machine needs to have System Integrity Protection (SIP) and AMFI (Apple Mobile File Integrity) disabled. This allows OFFetchReports to access the Apple account tokens necessary to authenticate at iCloud and download location reports.
Run
csrutil disable
in Terminal to disable SIP, and run
nvram boot-args="amfi_get_out_of_my_way=0x1"
to disable AMFI.
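The two settings above are exactly what a defender would want to audit on a fleet of Macs, since a machine in this state lets any local process reach the iCloud tokens. The following POSIX shell script is an added example (not part of the OpenHaystack repository or the paper's artifacts) that flags a Mac whose csrutil status reports SIP disabled or whose boot-args carry the AMFI bypass flag; the sample outputs embedded at the end are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: audit a Mac for the two weak settings the PoC requires.
# The check functions take the text printed by `csrutil status` and
# `nvram boot-args` as arguments, so they run offline on constructed input.

# sip_disabled STATUS_TEXT -> exit 0 if csrutil reports SIP disabled
sip_disabled() {
    printf '%s\n' "$1" | grep -qi 'System Integrity Protection status: disabled'
}

# amfi_disabled BOOTARGS_TEXT -> exit 0 if boot-args carry the AMFI bypass flag
amfi_disabled() {
    printf '%s\n' "$1" | grep -q 'amfi_get_out_of_my_way'
}

# assess STATUS_TEXT BOOTARGS_TEXT -> prints findings; exit 0 if hardened, 1 if not
assess() {
    rc=0
    if sip_disabled "$1"; then
        echo "WARN: SIP is disabled"
        rc=1
    fi
    if amfi_disabled "$2"; then
        echo "WARN: AMFI bypass boot-arg present"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: SIP enabled and no AMFI bypass boot-arg"
    return "$rc"
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_STATUS_WEAK='System Integrity Protection status: disabled.'
SAMPLE_BOOTARGS_WEAK='boot-args amfi_get_out_of_my_way=0x1'
SAMPLE_STATUS_OK='System Integrity Protection status: enabled.'
SAMPLE_BOOTARGS_OK='boot-args keepsyms=1'

# Demo on the constructed samples; `|| true` keeps a WARN verdict from aborting the script.
assess "$SAMPLE_STATUS_WEAK" "$SAMPLE_BOOTARGS_WEAK" || true
assess "$SAMPLE_STATUS_OK" "$SAMPLE_BOOTARGS_OK" || true

# On a real Mac, feed the live outputs instead:
#   assess "$(csrutil status)" "$(nvram boot-args 2>&1)"
```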