[HN Gopher] Emulating AirTags to upload arbitrary data via Apple...
___________________________________________________________________
Emulating AirTags to upload arbitrary data via Apple's FindMy
network
Author : kerm1t
Score : 409 points
Date : 2021-05-12 13:57 UTC (9 hours ago)
(HTM) web link (positive.security)
(TXT) w3m dump (positive.security)
| tyingq wrote:
| Sounds like you could drive someone a bit crazy with Apple's
| _"AirTag Found Moving With You"_ feature, since you could rotate
| serial numbers. Like gluing one of these to their car in
| someplace not obvious.
| jquery wrote:
| If there's abuse, you can count on a "report" button showing
| up. Or at least a "don't show me this" tied to a specific
| AirTag
| tyingq wrote:
| Right, but you can rotate arbitrary serial numbers and apple
| IDs on the device. Pre-create 1000 of them.
| dividuum wrote:
| An iPhone (or any other receiver except the tag owner) cannot
| really correlate tags over a long time except using
| heuristics.
| protoman3000 wrote:
| So if now somebody uses this to upload illegal material somewhere
| from my IP I am fucked?
| kingofclams wrote:
| Honestly, I could see someone doing this over the FindMy
| network. It doesn't even have to be illegal, just an
| interesting proof of concept.
| dangrie158 wrote:
| You only read the title, didn't you
| jazu wrote:
| The elephant in the room of all p2p networks.
|
| Even if they eventually find you innocent, you would have gone
| through all the headache of the court system anyway.
| cerved wrote:
| yes, at a staggering rate of 3 bytes a second
| tinus_hn wrote:
| It's DMCA proof, because once you're done uploading a movie
| the copyright will have expired!
| swiley wrote:
| That's interesting, so it's really an encrypted APRS replacement
| over bluetooth then?
| toomuchtodo wrote:
| Yes! and without the need to be FCC technical licensed.
| raviisoccupied wrote:
| I am fascinated by the amount of attention the AirTag has gotten
| from the HN community and elsewhere.
|
| Of course Apple is a massive company, but there is something
| extremely compelling about precise location tracking. Even if
| this product isn't successful, I think Apple have propelled a new
| category of products to the forefront.
| toomuchtodo wrote:
| https://web.archive.org/web/20210512140243/https://positive....
| amelius wrote:
| Would it be possible to relay communication between iPhone and
| the AirTag, making the iPhone think the tag is in a different
| location than it actually is?
| etskinner wrote:
| The communication is one-way, and the only thing transmitted
| from the lost device is the bluetooth public key, so no. The
| device that detected the AirTag encrypts the location with the
| public key and transmits it to Apple, not the AirTag itself.
| codeecan wrote:
| Would be cool if Apple released an iPod touch with pager
| functionality that works thru find my network. Where you can send
| / receive short messages (even with 15 min delays).
| londons_explore wrote:
| Every message uploaded to the "Find My" network very slightly
| degrades the user experience for all Apple users - since it is
| using up CPU cycles, battery and bandwidth of random strangers
| iPhones.
|
| I wonder what the capacity of the network is before the impact
| on battery life becomes significant...
| mediaman wrote:
| It uses BLE (I believe), and data upload can be combined with
| other requests on the iPhone's next cellular connection
| request. CPU use is going to be extremely minimal. BLE power
| usage for a low data rate transmission is very, very low.
|
| I don't really see any realistic density of AirTags that
| would have any measurable impact on energy use of nearby
| iPhones.
| londons_explore wrote:
| The power hungry bit is probably powering in the GPS to
| attach a location.
|
| On Android at least, getting a GPS fix takes many seconds,
| during which the CPU cannot sleep. For that reason, a
| default Android phone won't power up the GPS for hours on
| end sometimes. Yet this find-my feature might require a GPS
| position every few minutes whenever a new tag is seen.
| That's a lot of extra power.
| X-Istence wrote:
| Most users have Find My turned on for their devices so
| that if they are lost or stolen they can find them.
|
| Find My on your phone already has to get an approximate
| location, and it does so fairly frequently (since you can
| track somewhat realtime).
|
| So having an Air Tag piggy back on the same mechanism
| won't cost a whole lot in terms of having to power on the
| geolocation capabilities.
| myself248 wrote:
| If they were to officially support this use-case of
| arbitrary data transmission, you could also default to
| non-GPS-located transactions, which would save that power
| except in cases where the user has specified that they do
| need locations.
|
| Also, coarse location (cellular and wifi) uses basically
| no power, and might be good enough for an awful lot of
| applications.
| pbhjpbhj wrote:
| This is probably wrong:
|
| I guess they can just rate-limit the program that runs in
| the iPhone, but that still (to me, very naively) would
| allow a DoS that prevented genuine tags from access.
|
| As mentioned in the OP to know if the tag is genuine a
| device needs to go to the trouble of receiving the traffic
| in case it's real, then decrypting (search "ECIES
| encryption" in OP): so you'd be wasting quite a bit of
| processing before you reject a fake tag. If they rate limit
| the decryption - which you'd have to - then you can
| overwhelm a device on the network by sending out fake
| packets.
|
| It strikes me you can generate random BLE data that looks
| like airtag data cheaper than you can verify packets and so
| in theory one iPhone could overwhelm a minimum of one
| other; and presumably could overwhelm all others in range
| (with lower or equal processing power).
|
| They do mention their (the OP's) public keys being
| rejected.
|
| So, if my analysis is right you can either use all
| processing on all devices in range, or overwhelm all
| devices in range if they're rate-limited. The second case
| is preferable.
|
| I'm interested in why I'm wrong. Can the imaginary fake
| tags in my analysis be rejected using less power than it
| takes to make them?
| londons_explore wrote:
| DoS within Wifi transmission range is an unavoidable part
| of any wireless protocol.
|
| The attack you propose is no more powerful, so probably
| not worth protecting against.
| floatingatoll wrote:
| Or, in summary: "Using radio frequencies to intentionally
| disrupt or damage the functioning of devices you do not
| own". Make sure the FCC doesn't catch you!
| pbhjpbhj wrote:
| I'm not in USA, but I've always read FCC as an
| administrative arm of government, do they do active
| monitoring and enforcement? Like if you fire up a rogue
| transmitter the FCC send officers to apprehend you?
| Someone wrote:
| Cool, but I don't see it being viable, commercially.
|
| Suppose they make this, how many would they sell? How many of
| those customers would have bought an (more expensive, I
| presume) iPhone if they wouldn't make it?
|
| They stopped making iPod touch for similar reasons. I doubt
| adding this feature would attract enough extra buyers to change
| that.
| mensetmanusman wrote:
| That's a good idea, I bet Amazon would enable this with
| sidewalk and mesh networking through the Alexa app.
| stefan_ wrote:
| Next, hook up a speaker to the ESP32 so it can beep loudly when it
| detects one of these SpyTags.
| mvanaltvorst wrote:
| Does this fall within Apple's policy of fair use? Would be great
| if there were an officially supported (paid) API for this, the
| technology and potential use cases are great. I'm afraid hooking
| something like this up to my Apple ID will get me banned somehow.
| leodriesch wrote:
| On Wikipedia it says that Find My is enabled for certain third-
| party accessories [0], so you could probably join if you
| wanted.
|
| [0]: https://en.wikipedia.org/wiki/Find_My
| 2OEH8eoCRo0 wrote:
| Why would you be afraid? According to HN Apple is not a
| monopoly and plenty of viable alternatives exist. /s
| dkarras wrote:
| ...fearing losing access to your Apple ID has nothing to do
| with whether Apple is a monopoly or not (and of course, they
| are not).
| tgtweak wrote:
| You are using other users' (mobile) bandwidth to do the
| transmission, and apples server resources to brute force/ddos
| request the data on the other side. I can't see them condoning
| this at all and simply not responding negatively to it could
| encourage this misuse. I would expect that kind of response
| from Apple.
| minxomat wrote:
| 6G is going to be devices we carry around becoming TX/RX instead
| of building out mmWave APs every few meters.
| Scoundreller wrote:
| I hope so. Some telecoms deserve to be put out of business and
| solely exist/continue due to government corruption.
| idiotsecant wrote:
| That would be swimming upstream in terms of profit incentives,
| though. I hope it does happen but anyone who has the money and
| inclination to fund the development is also someone who has a
| vested interest in the client / server topology we have now. If
| there's no server to feed you wireless connectivity there's no
| way to make a profit from being that server.
| vanshg wrote:
| Apple should embrace this fully and create their own
| decentralized network
| paxys wrote:
| It is only decentralized if the entire world is covered in
| Apple devices every few meters. At the moment they are simply
| extensions to a nearby router or cell tower.
| jtbayly wrote:
| I don't think that universal coverage is a requirement for
| something to be decentralized. Am I missing something?
| hervature wrote:
| Yes, I think they meant to say useful.
| idiotsecant wrote:
| >It is only decentralized if the entire world is covered in
| Apple devices every few meters.
|
| Give it a few decades...
| Rebelgecko wrote:
| Like Amazon Sidewalk?
| ThatPlayer wrote:
| I think you'd still have issues mapping a mesh, especially with
| how often phones are moving. I remember looking at meshtastic
| for a mesh wireless network and they're still working on a
| solution for a large number of nodes covering a large area:
|
| https://meshtastic.org/docs/software/other/mesh-alg
| moshmosh wrote:
| I don't want traffic that doesn't provide some pretty serious
| benefit to me with very low resource use (as Find My does) to
| use my phone('s battery).
| madengr wrote:
| It'd be interesting to run the signal through a PA to get a good
| standoff, or illuminate every phone in the area. Though I don't
| know if the UWB is needed in conjunction to verify proximity.
| refulgentis wrote:
| This is starting to remind me of when Intelligent Tracker
| Prevention(tm) was released and instead was a super cookie
| leaking history. http://blog.lukaszolejnik.com/curious-case-of-
| privacy-vulner...
|
| I'd be much more comfortable with Apple being Privacy, Inc. if
| they kept their commitment to it, too often it looks like
| engineers got overridden by marketing. It's v unlikely a privacy
| engineer signed off on something, with so many side channels,
| with real world consequences, compromising a billion + iOS
| devices
| fastball wrote:
| You only read the title, didn't you?
| refulgentis wrote:
| Not constructive :( Getting downvoted through the floor on
| Apple comments for the first couple hours is a time-honored
| HN tradition at this point, but I'm hoping you can help us
| break that habit: a big contributor is aggressive comments
| like this that assume an agenda.
|
| I know you can come up with something more substantive than
| guessing I didn't read the article. To wit, easy quote that
| backs what I read, and I assume I'm mistaken, given your
| feedback:
|
| 'The details should come as a surprise to everyone because it
| turns out that ITP could effectively be used for: -
| information leaks - tracking the user - fingerprinting'
| conradev wrote:
| This blog post actually demonstrates the opposite of the point
| you are trying to make.
| whoknowswhat11 wrote:
| Um - I think you are totally missing the point - Apple is doing
| probably the only fully encrypted system - vs tile and friends
| where everything lives in a database. This is not compromising
| billions of iOS devices, which frankly remain FAR FAR more
| secure than 80% of the competitor handsets which in many cases
| seem to ship with backdoor built in by their mfgs.
| refulgentis wrote:
| Hmm, lots to unpack there, I'll stay focused on my
| iPhone,...I'm not so sure...the lead article on HN yesterday
| showed you can track people unrelated to tag's routes, live.
| https://www.intego.com/mac-security-blog/i-mailed-an-
| airtag-...
|
| I've gathered there's a beep if this is going on for 3 days,
| but...still not comfy with this. And this isn't a
| particularly fringe opinion, plenty of comments on the
| article wondering how to opt out:
| senbarryobama wrote:
| Hilarious. This is exactly what Amazon Sidewalk intends to be.
| Apple has fallen ass backwards into an IoT killer app, but just
| don't know it yet...
| chadlavi wrote:
| do they not know it or are they just not talking about how they
| plan to capitalize on it yet?
| jaywalk wrote:
| Sidewalk's bandwidth and latency is _a little_ better than
| this, though.
| thatguy0900 wrote:
| Sidewalk also has the advantage of mostly being home internet
| connection instead of metered wireless plans
| minitoar wrote:
| I'm probably on some sort of wifi on my phone like 90% of
| the time.
| nanidin wrote:
| Sidewalk is also connected to grid power, and the backbone
| consumer devices are in fixed locations. I don't see grid
| vs battery or fixed/mobile device locations as necessary
| advantages or disadvantages though.
|
| For example, the FindMy network would continue to work even
| in power outage scenarios like parts of the country
| experienced in Feb 2021.
| threepio wrote:
| Apple is creating a yawning double standard between its "privacy
| is a human right" [1] refrain and its own profit interests.
|
| If you're skeptical, the pricing says it all. Apple could've sold
| AirTags for $99 each with a $1/mo service fee to use the Find My
| network. That would've boosted their profit margin on the initial
| sale and created recurring revenue, while restricting network
| load.
|
| As it stands, AirTags are $25 each and free to operate, which
| means that Apple wants them to be ubiquitous -- buy 10 or 20 and
| put them everywhere.
|
| Apple has gotten a lot of mileage on their idea that "the
| customer is not the product" but this is a turn in the wrong
| direction. Despite months of claims that AirTags are impregnable,
| unhackable, etc. the news is just going to get worse.
|
| [1] https://www.apple.com/privacy/
| DocG wrote:
| So I think I can use this to track my car without the limitation
| of devices starting beeping in three days..
| Animats wrote:
| _The sending rate on the microcontroller is currently ~3
| bytes/second. The latency is usually between 1 and 60 minutes._
|
| That's not much, but it has value for industrial machine-to-
| machine communications. (That's IoT without the hype.) Like
| commercial air conditioning units. They can send in minimal data
| ("compressor 1 running, compressor 2 stopped, system OK") to a
| maintenance service without needing a cellular account or
| connection to the Internet.
| PurpleFoxy wrote:
| For critical data like that, it would make more sense to just
| have a modem on board. 5G should make this more possible with
| increased device limits.
| Animats wrote:
| Minimum cellular cost for very low data volumes is about
| $1.75/month.
|
| 5G is only useful if you need bandwidth in an area with very
| high contention, like a stadium, or you're in an area remote
| enough that the lower frequencies work but the higher ones
| don't.
| fiberoptick wrote:
| This could have been an immensely powerful covert communications
| channel for field operators of military and intelligence services
| imwillofficial wrote:
| No, they have other less detectable methods. Your idea shows an
| awesome train of thought though. Ever thought about switching
| careers?
|
| As far as this method, the IC has thought about this very
| method for a long time. I'd be surprised if it hasn't been used
| in the past.
| tyingq wrote:
| It feels like Apple's ability to fix this is somewhat limited,
| since they can't change anything about Airtags that have
| already been produced.
| thebean11 wrote:
| Couldn't a software change on the iPhone side prevent it?
| tyingq wrote:
| I can't find anything that shows OTA firmware updates of
| the tags themselves happening. Yes, you could tweak the
| iPhone, but if a "emulated tag" looks exactly like a "real
| tag that can't be updated", you're somewhat limited.
| thebean11 wrote:
| I was thinking something more along the lines of rate
| limiting, doesn't this exploit depend on lots of spammy
| requests?
| tyingq wrote:
| Rate limiting would help with the _"hijacking the
| network to send your own data"_ piece in the original
| article.
|
| It wouldn't do much for other uses, like tracking people
| without their knowledge. A "faked AirTag" could, for
| example, rotate its serial number to avoid triggering
| Apple's _"AirTag Found Moving With You"_ feature. Or the
| opposite of that. You could stick a fake device on
| someone's car and trigger the _"AirTag Found Moving With
| You"_ warning over and over by periodically changing the
| serial number after the user suppressed the warning for a
| particular AirTag.
| tinus_hn wrote:
| AirTags run firmware that can be remotely upgraded.
| tyingq wrote:
| Any more info on _"can be"_? For existing AirTags, they
| would have to already have that functionality (polling for
| updates). I can't find anything that says they do.
| sgerenser wrote:
| I'd be surprised if Apple fielded AirTags without any way
| to update their firmware. I doubt it would be automatic
| though, you'd have to push an update to them from an
| iDevice.
| tinus_hn wrote:
| AirTags start beeping if they are removed from the
| associated device for more than a few days, so there is
| plenty of opportunity to update them.
| tyingq wrote:
| It would have to be automatic for it to be used to kill
| off _"fake AirTags"_. Unless Apple is willing to take
| the hit of all the complaining.
| floatingatoll wrote:
| When _doesn't_ Apple "take the hit" of complaints?
| meepmorp wrote:
| Why couldn't they update the firmware automatically? They
| already do that with AirPods, iirc.
| tyingq wrote:
| It's a much cheaper device than Airpods, harder to manage
| battery life, and there's not yet evidence that they can
| update them automatically. As far as I can tell,
| competitor products (Tile, for example) don't update
| firmware automatically...it's a user-initiated thing.
| varenc wrote:
| Their firmware can probably be updated in the same
| mysterious way AirPods firmware is updated.
|
| Roughly, be in the presence of an iDevice for a certain
| amount of time under unknown conditions. The advice on
| the internet is usually something like "leave your
| AirPods charging and have your phone connected to them
| when you go to sleep, and they'll probably be updated in
| the morning".
| tinus_hn wrote:
| They have functionality for reporting the version, it
| would be really surprising if they couldn't be upgraded.
|
| AirPods upgrade firmware automatically, chances are it
| works in the same way.
| airstrike wrote:
| I think it still can...
| mhandley wrote:
| As there's a limit of 16 AirTags per Apple ID, and each AirTag's
| keys rotate every 15 minutes, presumably Apple can detect if
| anyone is abusing the system by sending more than 16 different
| "messages" per 15 minutes. They can't detect this when the fake
| airtags are sending, but can detect it from stored message
| timestamps when you query. If they start to see this being abused
| a lot, they can then block Apple IDs. To avoid Apple being able
| to see this, you probably need to either use multiple Apple IDs,
| or send less than 16 bits per 15 minutes.
| tialaramex wrote:
| Suppose a real AirTag owner is wondering where their lost tag
| is. Although it would be ideal to learn where it is _right now_
| they'd be somewhat happy to know where an iPhone "saw" it two
| hours ago, or indeed a week ago... and Apple's system
| deliberately stores up to a week of data.
|
| A week is about 700 keys to check. For one "lost" device, but
| as you note Apple are happy for you to buy more than a dozen,
| and of course you wouldn't be happy if Apple tells you that you
| must only track one of those.
|
| Apple has no way to know if your check for 7000 keys is, in
| fact, ten devices for a week, or 7000 unrelated queries, it
| deliberately doesn't know how to relate the keys to one or more
| tags.
|
| So while yes, that would mean if you have a long term sensor
| network Apple could block you using it to move more than a few
| bytes per hour per Apple ID (Apple IDs are free) if you have a
| more nefarious motive to move say a kilobyte in an hour or two,
| once every few weeks, that should work fine.
| mhandley wrote:
| It's not the number of keys you check - that can indeed be
| large. It's the number of responses for different keys you
| receive with recorded receipt timestamps in the same 15
| minute interval. If that is greater than 16 (or perhaps 32
| given a normal tag can send two different keys in the same 15
| min interval), Apple will know you're either querying more
| than 16 tags, or have tags using more than one key each.
| blantonl wrote:
| for nation states and interested parties, these seem like
| trivial restrictions considering the value of now having a
| deployed mobile mesh network of 1 billion + devices available
| for free.
| barbegal wrote:
| This is covered in the blog post. There doesn't currently
| appear to be any rate limiting. And the rate limit would be
| tricky to implement because there are times when you need to
| catch up on the location of a device over a longer period of
| time. But yes Apple could limit to say 16 * 4 * 24 * 7 = 10752
| requests per week.
| mhandley wrote:
| No, the comment in the blog post is not what I'm suggesting.
| All Apple needs is to do is record the timestamps that
| iPhones received the AirTag beacon. When an Apple ID queries
| for keys, if Apple finds more matching key reports received
| in any 15 minute period than is plausible, then either the
| Apple ID is associated with more than the 16 permitted
| AirTags, or some of them are using more than one key per 15
| minutes. So Apple can definitely detect this unless you
| either use multiple Apple IDs, or you limit to around 16 bits
| per 15 minutes.
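The detection heuristic mhandley describes above (count the distinct keys an Apple ID's query matches per 15-minute receipt window and compare against what 16 legitimate tags could produce) as an added, runnable example; this is not code from the thread or from Apple, and the report format, the key ids, the timestamps and the 32-key threshold (16 tags times the two keys a tag can span in one window, per the comment) are all constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed parameters, taken from the discussion rather than from any Apple source.
WINDOW = timedelta(minutes=15)        # AirTag key rotation interval
MAX_TAGS = 16                         # AirTags permitted per Apple ID
KEYS_PER_TAG = 2                      # a tag can span two keys inside one window
THRESHOLD = MAX_TAGS * KEYS_PER_TAG   # 32 distinct keys per window is the plausible maximum


def utc(year, month, day, hour, minute=0, second=0):
    """Build a timezone-aware UTC timestamp (helper for constructed data)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def window_start(ts, window=WINDOW):
    """Floor a timestamp to the start of the 15-minute window it falls in."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    secs = int((ts - epoch).total_seconds())
    w = int(window.total_seconds())
    return epoch + timedelta(seconds=secs - secs % w)


def distinct_keys_per_window(reports, window=WINDOW):
    """Map each window start to the set of distinct key ids received in it.

    `reports` is an iterable of (key_id, receipt_timestamp) pairs, i.e. the
    matches returned for one Apple ID's query. The encrypted location payload
    a real report carries is irrelevant to this check and is not modelled.
    """
    buckets = defaultdict(set)
    for key_id, received_at in reports:
        buckets[window_start(received_at, window)].add(key_id)
    return buckets


def flag_windows(reports, threshold=THRESHOLD, window=WINDOW):
    """Return (window_start, distinct_key_count) for every window whose key
    count exceeds what the permitted number of tags could plausibly produce."""
    return sorted(
        (start, len(keys))
        for start, keys in distinct_keys_per_window(reports, window).items()
        if len(keys) > threshold
    )


def make_reports(n_keys, first_receipt, spacing_seconds=1):
    """Constructed sample input: n_keys distinct key ids, received one after
    another starting at `first_receipt`, `spacing_seconds` apart."""
    return [
        (f"key-{i:04x}", first_receipt + timedelta(seconds=i * spacing_seconds))
        for i in range(n_keys)
    ]


if __name__ == "__main__":
    # A 16-tag owner whose tags all rotated inside one window: 32 keys, not flagged.
    normal = make_reports(32, utc(2021, 5, 12, 13, 0))
    # An emulator cycling through far more keys than 16 tags could: flagged.
    abuse = make_reports(200, utc(2021, 5, 12, 14, 0), spacing_seconds=3)
    print(flag_windows(normal))   # []
    print(flag_windows(abuse))    # [(2021-05-12 14:00:00+00:00, 200)]
```

The check runs only on the query side, which is the point of the comment: finder iPhones never need to know which keys belong together, and nothing about the beacon format changes. Keys that straddle a window boundary are counted in whichever window their receipt timestamp falls into, so a burst spread across two windows is judged per window rather than in aggregate.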
| baby-yoda wrote:
| does apple provide a way to opt out of the FindMy network?
| barkerja wrote:
| Settings > iCloud > Find My > Find My iPhone > Find My network
| notdang wrote:
| If you disable it, won't you also lose the notification that
| someone is tracking you (like Android users)?
|
| P.S. I know about the beeping, but the speaker can be easily
| removed.
| oflannabhra wrote:
| Yep
| thatcherc wrote:
| I was wondering if something like this could be done to upload sensor
| data without a data connection and it looks like that's exactly
| what the authors here had in mind!:
|
| > Potential use cases
|
| > While I was mostly just curious about whether it would be
| possible, I would imagine the most common use case to be uploading
| sensor readings or any data from IoT devices without a broadband
| modem, SIM card, data plan or Wifi connectivity.
|
| The use case I had in mind is gathering sensor data from a boat out
| in a harbor (away from wifi) that other boats with iPhone-bearing
| crew pass by frequently. This ESP32 AirTag emulator could send
| out battery level and bilge pump data any time someone sailed by,
| without the need for a dedicated modem. Might have to try this
| out!
| spoonjim wrote:
| I recall a mechanism like this used to deliver email in rural
| India. There were basically email "kiosks" which would let you
| receive and send mail for a fee and would store these messages
| locally until a truck with the company's transponder stopped at
| the village, at which point it would send the data to the truck
| which would upload the data to the Internet when it reached the
| city. Obviously obviated by mobile data.
| tppiotrowski wrote:
| In 2006, I did a summer internship at NASA implementing the
| Bundle protocol [1]. It assumes intermittent connectivity
| and/or large delays between transfers. For example, you have
| intermittent line-of-sight between Mars and a tracking
| station on earth or line-of-sight between a rover and an
| orbiter on the far side of Mars that will at some point in
| the future relay the data onto Earth. I can't find it in the
| RFC, but using it to provide internet to rural villages was
| definitely discussed.
|
| [1] https://datatracker.ietf.org/doc/html/rfc5050
| laurent92 wrote:
| The process of delivering the internet by trucks is quite
| laughable, yet SMTP is the perfect protocol for that: Mail
| can hop from server to server until it finds the right one,
| as opposed to now where SMTP hosts like Gmail only accept
| mail sent from or to a Gmail account.
| chris37879 wrote:
| I had a professor that made us answer questions about the
| bandwidth, latency, and reliability of a stationwagon
| loaded with hard drives. I never imagined I'd see a
| practical example of that principle at work.
| hervature wrote:
| Physical transportation of storage has always been a
| thing. Of course, over time, internet speeds increasing
| means it only makes sense for larger amounts of storage.
| https://aws.amazon.com/snowmobile/
| aidos wrote:
| Can you explain what you mean about gmail?
| xyzzy_plugh wrote:
| Classically SMTP let you "relay" mail that neither
| originated from nor is destined for the specific server. Gmail,
| and most modern SMTP servers, only permit mail from or to
| a Gmail address.
| labawi wrote:
| Is this sarcasm? As the gmail part is completely false.
|
| Relaying used to be a thing, before spammers and
| unwillingness to deal with it at the source (boot
| infected devices, originating AS / IX, .. ) resulted in a
| choice between a game of whack-a-mole or only accepting
| gmail[1].
|
| These days, relaying has to be set up on the specific
| relay server, the originating address needs to permit it
| (DNS SPF/DKIM/DMARC/whatever), and the relay server will
| still have a reputational problem with deliverability to
| unrelated servers, which is problematic even for direct
| mail, unless you are gmail[1].
|
| [1] usually gmail + varying number of big players
| hyperdimension wrote:
| Sneaker UUnet?
___________________________________________________________________
(page generated 2021-05-12 23:01 UTC)