[HN Gopher] Openhaystack: Build 'AirTags' - track Bluetooth devi...
___________________________________________________________________
Openhaystack: Build 'AirTags' - track Bluetooth devices via Apple's
network
Author : thunderbong
Score : 406 points
Date : 2025-01-27 00:11 UTC (22 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| uzyn wrote:
| Impressive. Would Apple be able to simply block non-Apple usage
| of the Find My network simply by refusing to relay non-Apple
| BLE ID?
| malmeloo wrote:
| No, the BLE identities of these tags are currently practically
| indistinguishable from original tags, and could be made
| completely identical if necessary. In fact, changing the
| device's MAC address is part of the specification. What they
| _could_ block, is the method used by these projects to fetch
| encrypted location reports. However, the original OpenHaystack
| project (this one) needs to run on macOS and lets the system
| handle account authentication, so it's unlikely to get blocked
| any time soon.
| oulipo wrote:
| There's also projects that don't need access to macOS (you
| still need an account) https://github.com/malmeloo/FindMy.py
|
| EDIT: just realized I'm replying to the author of the project
| lol
| Brajeshwar wrote:
| If I remember correctly, Apple was supposed to openly accept
| and encourage others to leverage their network and make more
| "AirTag" capable devices.
| heywire wrote:
| A quick search on Amazon shows a number of generic trackers
| compatible with "Find My". In fact, the one on my dog's
| collar is one of these.
| denysvitali wrote:
| Yes, because they get a commission for every device
| registered on the network.
|
| In the join process, there is a key that is shared only for
| developers who paid the fee - which is why it's not really
| trivial to create an AirTag clone without dumping the Apple
| AirTag flash
| dalemhurley wrote:
| This is amazing. I love Apple AirTags but they are so bulky and
| an odd shape.
|
| I would love an AirTag the shape of a credit card to go into my
| wallet.
|
| I would love a smaller AirTag to go on my cat's collar.
| sodality2 wrote:
| They make super-thin AirTag compatible cards that fit in
| wallets.
| heywire wrote:
| I've even seen some wallets with built in "Find My" support.
| BuildTheRobots wrote:
| Kindle cover would be extremely useful.
| monocularvision wrote:
| A Kindle or cover with Find My support would make my wife
| overflow with happiness.
| denysvitali wrote:
| Take a cover, place inside a credit-card sized airtag
| namibj wrote:
| I wish me a budget 10000 mAh size "phone slab
| format/shape" power bank with like 18W output at 9~12V
| kind of "fast charge" style, and a built in Google air
| tag. They already have a button and a battery and a case;
| only need to add the BLE and the Google-mandated buzzer.
| I'd pay 5 bucks more than for the competition without the
| integrated tracker. That should easily cover the cost,
| right?
| layer8 wrote:
| The ones I've seen don't have precision finding, but yes.
| Some even have wireless charging.
| omnimus wrote:
| Only Apple Airtags have precision finding. I assume because
| it's something not allowed to third parties.
| latchkey wrote:
| Use this for my dog, it is super minimal...
|
| https://www.amazon.com/gp/product/B09DCVFNFF/
|
| Only thing is that I found that I needed to wrap the airtag
| itself with some clear tape to keep it from twisting itself out
| of the holder.
| bookofjoe wrote:
| for my cat: https://imgur.com/a/r9EGSOc
| rahimnathwani wrote:
| You can buy third party "Find My" compatible tags for about $5
| from Temu or Aliexpress. Although they're about the same size
| as regular Airtags, they're:
|
| - easier to take apart (if you want to discard the casing), and
|
| - cheaper
|
| I took one of the ones I have out of its casing to see what
| could be made thinner, and I found that most of the thickness
| was due to:
|
| - The battery holder (CR2032)
|
| - The speaker
|
| - The button
|
| The speaker and button could probably be dispensed with after
| initial setup. The battery holder could be removed, and the
| power supplied from the side instead of the top (if you want a
| thin card-like form factor).
| Havoc wrote:
| Guessing those are missing ultra wide band?
|
| Seems doubtful to me that someone implemented all three
| frequencies at 5 bucks
| ceejayoz wrote:
| How much do you think a $20 AirTag costs to actually
| manufacture?
| stavros wrote:
| I don't know how much it costs to manufacture, but nobody
| is selling a UWB tag for $5. For $5, you only get BLE.
| ceejayoz wrote:
| I certainly can't claim to have ordered and received one,
| but there are absolutely $5 UWB devices for sale on
| AliExpress, and that's before any bulk discount.
|
| If Apple sells them for $20 it's highly likely some
| random Chinese seller can make money at $5.
| stavros wrote:
| Can you link me to one? I haven't found any of those.
| namibj wrote:
| I'm looking for a source of like ~100 UWB-only ones
| aiming for about 2~3 weeks of battery runtime on a pack
| of 2~3 AA batteries. Mostly depends on what voltage end
| the chips handle better: 2V low end, or 4.5V high end.
|
| The aim is to keep track of where shared equipment is
| during the logistics phases of 39c3.
|
| And, also, using the quite possibly wall-wart-powered
| base station network to provide what's essentially rather
| precise indoor-GPS to users with sufficiently open FiRa
| hardware.
| stonegray wrote:
| The problem is they don't have accurate positioning via UWB,
| so you only get a map pin and a beep, not an arrow and an
| exact distance.
|
| The $5 tags are comparable to tile or google tags, but miss
| the key feature of airtags.
| rahimnathwani wrote:
| I was wondering what you were talking about, as I have
| never seen the arrow when trying to locate a genuine AirTag
| that's misplaced within our house.
|
| But that's because neither of the devices I've used to
| locate things (a recent iPad and an iPhone X) have the UWB
| hardware.
| bookofjoe wrote:
| Here's my 8.5 lb calico cat with the AirTag* she's had on her
| collar since she was a 3-month old kitten:
|
| https://imgur.com/a/r9EGSOc
|
| *Photo taken a moment ago with Meta Stories glasses
| Alive-in-2025 wrote:
| Kind of a weird flex by mentioning the meta glasses. Nice
| looking cat
|
| * Wrote this on my cell phone. ;-)
| haliskerbas wrote:
| Haven't done the research but I wonder if you can use this to
| piggyback with tiny arbitrary data payloads.
| nik282000 wrote:
| Yup, there was a project recently that used the airtag network
| to transmit data from a hardware keylogger. The computer could
| be totally gapped and the data still gets home via the typist's
| iPhone.
| 3eb7988a1663 wrote:
| I am guessing this is the story: Keylogger leaks data via
| Apple AirTag network
| https://news.ycombinator.com/item?id=38126302
| xuki wrote:
| It's not airgapped if it has bluetooth access.
| roywiggins wrote:
| Presumably you stick the bluetooth antenna in the physical
| keylogger.
| nissarup wrote:
| Sounds like a line from a conversation between a couple
| of pre-teen AIs.
| LelouBil wrote:
| I saw someone use this to track his mail state. They have a
| contact sensor inside their mailbox that rotates the
| broadcasted key based on the trigger count.
|
| If the key changed, aka a new different device is visible, you
| know mail has been dropped in, very clever!
| teruakohatu wrote:
| That is a fascinating project. Here is the link if anyone
| else is interested:
|
| https://hackaday.com/2022/05/30/check-your-mailbox-using-the...
|
| I wonder if the creator had neighbourhood style mailboxes
| down the road? If not this seems quite a complicated solution
| for an object that is probably within range of even BLE.
|
| I tried building a mail sensor a couple of years ago where
| the mailbox was a fair distance from where I was living. I
| was not able to create a solution that didn't either have
| false positives or false negatives. For an outdoor object
| jostled by wind and rain it is harder than it seems.
| miki123211 wrote:
| I wish we had more / more easily accessible networks that let
| you do this.
|
| Something that would let you send extremely tiny (<1kB)
| packets, using a wireless protocol that could be implemented
| extremely cheaply, piggybacking on the bandwidth of nearby
| internet-connected devices in a privacy-preserving way.
|
| Amazon has a network like this called Sidewalk, using Alexa
| devices as gateways, but I don't think it's very open to
| third-party experimentation, and it's definitely not an
| interoperable standard on the gateway side.
| amenghra wrote:
| Too bad Fon didn't work out, it could have been a global
| mesh network useful for this kind of thing.
| bhelkey wrote:
| I don't particularly want my devices transmitting arbitrary
| packets from unknown parties.
| darknavi wrote:
| Starlink's Swarm (or whatever they are calling it now)
| might be nice if they ever release the hardware and
| pricing.
| Tijdreiziger wrote:
| How about LoRaWAN?
| gtirloni wrote:
| Previous: https://news.ycombinator.com/item?id=26342504
| pyronik19 wrote:
| Would there be a way for the bluetooth device to rotate its
| broadcast keys in a predictable way to avoid the iphone
| notification of "unknown airtag close by" messages? Seems like
| this could be exploited for surveillance.
| mrshadowgoose wrote:
| Sure, that works.
|
| One can also just cycle through a sufficiently large bank of
| pre-allocated keys, such that a findmy receiver doesn't see the
| same key too frequently.
| denysvitali wrote:
| You just need to derive a new key, this process is already
| part of the protocol to avoid being tracked while you wear
| your airtag
| denysvitali wrote:
| Technically it would need to rotate every 15 minutes or so -
| the notification you're talking about happens when the device
| is in "lost mode" (away from its owner): in that case the key
| is rotated every 24 hours
| alphan0n wrote:
| Yes, the FindYou project [0] has shown this to be possible.
|
| [0] https://github.com/positive-security/find-you
| abalaji wrote:
| Looking through the code, it looks like this uses your personal
| Apple Mail entitlements to pull the locations that get collected
| by devices on the FindMy network:
|
| https://github.com/seemoo-lab/openhaystack/blob/8d214aa5eb68...
|
| I wonder if this were also possible by making an Apple developer
| account.
| denysvitali wrote:
| There are versions that do not require the interaction with
| Apple Mail.
|
| All you need is an Apple account - the code doesn't have to run
| on Apple HW: https://github.com/biemster/FindMy
| amluto wrote:
| Can these be paired with the actual Apple Find My app and found
| in the app?
| 2Gkashmiri wrote:
| https://robu.in/product/nrf51822-cfac-r-bluetooth-3-1edr-ble...
|
| Will this chip work ?
| denysvitali wrote:
| Yes. I did it with that too. Basically all nrf51 / nrf52 are
| compatible with the protocol. In my case I've written the code
| in Rust - but it's pretty much the same thing as the example
| bhaney wrote:
| This is a technically interesting project, but is there any
| situation at all where it's worth using? It seems like it just
| allows you to build airtag-like devices that sorta work on the
| Find-My network with some rough edges, but I can buy proper
| AirTag clones in various form factors for a couple bucks - far
| cheaper than I could ever make a custom bluetooth device using
| this project. Am I missing a use-case?
| crummy wrote:
| If you had a laptop with Bluetooth, you could install this on
| it and find it if it were lost, I think.
| bhaney wrote:
| Okay yeah, that appears to be true. Looks like the broadcast
| part currently only runs on Linux (or microcontroller
| firmware), while the client only works on macOS, so you'd
| need to lose your Linux laptop and then find it with your
| Apple computer, but it does seem like that setup would work
| if you had it. Maybe it'll be ported to other OSs at some
| point, if that's even possible.
| jjallen wrote:
| Would your computer have to be open and running I'm guessing?
| bpbp-mango wrote:
| Are the clones any good though? Where do you even get them?
| bhaney wrote:
| They've been perfect for me. I buy them on Temu for around
| $2.50 each and they work exactly like normal AirTags minus
| the ultra wideband precision finding. I pair and track them
| in the normal iOS FindMy app. Haven't been using them long
| enough to know how long the batteries last, but they
| advertise >1 year and they still all report pretty full
| batteries after a few months of usage, so I'm hopeful.
|
| The credit card form factor ones for wallets are more
| expensive ($10) but can be wirelessly recharged on Qi
| chargers.
| cjrp wrote:
| Any recommendation for brand etc for credit card sized
| ones? I've an old Tile that needs replacing.
| bhaney wrote:
| "Brand" is a somewhat nebulous concept for Chinese
| knockoffs, but the particular ones I got are each branded
| as "RSH Smart Tag." Though I'm pretty sure all the
| different listings are the same device coming out of the
| same factory with different random brand names printed on
| them. I'd just compare all the ones that say they work
| with iOS Find My and have wireless recharging, then get
| the cheapest one, specific branding be damned.
|
| Edit: I just checked, and actually only two of my cards
| (which came in a two-pack) are branded with RSH, and the
| other one has no branding on it at all. It's definitely
| an identical device though - the only difference is the
| lack of branding.
| solarkraft wrote:
| They are quite good. I get mine on AliExpress and the
| batteries have been lasting for at least a couple of months
| now.
| solarkraft wrote:
| I've been meaning to toy with smaller form factors. In theory a
| lot of gadgets with a battery could be made trackable.
| oulipo wrote:
| It allows you to locate a fleet of objects without having to
| rely on wifi / GPS etc
| solarkraft wrote:
| I wish it had a way to integrate with the Find My app instead of
| having to go through their own (wonky) process to retrieve
| locations. The Chinese clones can do it (even with their own
| branding), so it must be possible somehow.
| alibarber wrote:
| I think that's the wall in Apple's walled garden here. From
| reading the official Apple spec. for partners a while back, as
| part of the pairing process, something is signed by the device
| with a cert/key that Apple issued to that developer (after
| coming to an agreement i.e - $$) - and, crucially, is different
| from the keypair that the device will use to actually
| broadcast. This is then validated by Apple and thus allowed to
| be added to that Apple ID's account and hence on to the app.
|
| The keys broadcasted by the devices themselves in 'lost' mode
| (i.e. not in 2 way contact with the owner's device) are
| arbitrary and completely opaque, Apple doesn't have any way of
| tying them to an ID or device or developer. This is how the
| proposed project here works - these keys will always find their
| way to the Apple server.
|
| It seems like the knockoff ones have just hijacked a legit key
| for the pairing process. This means if Apple desires and finds
| out the key, it can probably remove all devices from all
| accounts - although the devices themselves will keep on
| broadcasting and their locations could be accessed in the above
| janky way. I wonder too if the original key owner might get a
| large bill for per-device royalties if/when Apple searches its
| DB for a count of 'devices-added-to-an-apple-id-signed-by-this-key'...
| oulipo wrote:
| The Chinese clones use the Apple FindMy program, so they are
| official tags which can be displayed in the app. The
| OpenHaystack is a hack which uses different keys, and can't be
| shown on the app for cryptographic reasons
| emsixteen wrote:
| The clones are limited though, are they not? Like, they don't
| have the directional stuff and all that do they? I may be
| misremembering what I've read elsewhere.
| nguyenkien wrote:
| The "Chinese clones" are officially supported, here is how:
| https://developer.apple.com/find-my/
| raffraffraff wrote:
| Hmmm, but can you use it to set up an _actual_ AirTag without
| having another apple device like iPhone or Mac?
| oulipo wrote:
| I think you can (haven't tried), check this repo
| https://github.com/malmeloo/FindMy.py/blob/main/examples/rea...
| raffraffraff wrote:
| Would love to know who downvoted this and why. Is this not a
| valid question?
| phcreery wrote:
| Possible with https://github.com/dchristl/macless-haystack
| letters90 wrote:
| > All you need to use is a mac.
|
| Might as well require you to pay 1000$ up front to use.
| xyst wrote:
| I wonder what's the upper limit of transmissions a single device
| can upload to Apple servers? If the Apple device has no cell
| service or WiFi, how long will the history of that location ping
| reside on device?
|
| Also, is there a DoS vector here?
|
| - attacker manages to simulate 1M+ Bluetooth devices
|
| - victim randomly passes by and it crashes their phone due to a
| massive number of devices in single location and constantly
| uploading to Apple servers
| sorenjan wrote:
| I wish there was a good option for non Apple users. From what
| I've heard Google made their version pretty bad, as expected.
| They rate limit how often you can search for your own tags, they
| won't show the location until a tag has been seen by multiple
| phones, there's poor coverage. One test I saw showed that
| Samsung's network was better, which makes no sense since Samsung
| phones should be a subset of all Android phones in Google's
| network, but that's Google products for you. Sounds good in
| theory but poorly executed, even years after Apple showed how to
| do it.
|
| https://security.googleblog.com/2024/04/find-my-device-netwo...
|
| https://9to5google.com/2024/08/01/find-my-device-stress-test...
|
| https://9to5google.com/2024/08/03/google-android-find-my-dev...
|
| https://www.androidcentral.com/accessories/testing-new-googl...
| garbagewoman wrote:
| I dunno, a less than perfectly all-seeing omnipresent tracking
| network actually is a little comforting
| sorenjan wrote:
| It's not very useful for tracking your things though, which
| arguably is why you would use it. I wouldn't trust Google's
| network to find a stolen bike or lost luggage for instance,
| but air tags are used for that all the time[0]. Finding my
| lost keys at home is a perfectly valid use case for tags, but
| you don't need a network for that, just some Bluetooth and
| maybe UWB.
|
| [0]
| https://www.forbes.com/sites/barrycollins/2024/12/17/lost-lu...
|
| https://help.vanmoof.com/hc/en-us/articles/16053155393181-Ho...
| wasmitnetzen wrote:
| Google is still seeing everything, of course, just not the
| plebs.
| _ink_ wrote:
| There is a setting, where you can disable that it needs to be
| seen by multiple phones.
| Tajnymag wrote:
| No, that's the whole point of the fiasco. That setting is not
| for the tracker but for the tracking devices. For Google Find
| My trackers to behave similarly to AirTags, every single
| android user would have to go to their Find My settings and
| explicitly change how sensitive their phone is.
| WinstonSmith84 wrote:
| It's hard to believe how Google could mess up their network so
| badly. Apple network shall be totally dwarfed.
|
| As a nomad-traveler, the Apple network is not particularly
| relevant to me, I don't travel to the wealthiest cities with a
| lot of Apple phones, but to the "rest of the world" where
| Android market share is close to 90% dominance. But even there,
| it still seems that Apple is doing better than Google (...)
| suddenexample wrote:
| It's actually hilarious that whoever was in charge of Google's
| finder network decided to cripple the product's one and only
| function by prioritizing privacy.
|
| In this tradeoff, Google gained a handful of articles
| mentioning the "innovative" privacy improvements (before the
| writers had a chance to test how terribly the network actually
| performs). For that, they sacrificed the chance to compete with
| Apple in this category, which outside of device revenue also
| weakens Android/Pixel ecosystem and market share. You really
| can't make up this level of incompetence.
| izacus wrote:
| > It's actually hilarious that whoever was in charge of
| Google's finder network decided to cripple the product's one
| and only function by prioritizing privacy.
|
| That sounds like that "whoever" was the corporate legal team.
| Every time I tracked down these kinds of idiocies in large
| corpos, it's usually legal or security team that overrode
| common sense and sabotaged their own product.
| KennyBlanken wrote:
| Google's interest in user privacy extends as far as keeping
| competitors or customers of google from getting data about an
| Android user other than through Google.
| talldayo wrote:
| Well sure, you could accuse Apple and Huawei of the exact
| same thing and still be right. Hardware OEMs are extremely
| desperate to force their customers through first-party
| services to extend the value of their sale. News at 11.
|
| Because America lacks any form of conscious consumer
| protection, this is apparently fine to our regulators. Our
| market is entirely comfortable with OEMs fighting over who
| gets the right to exploit a customer with their de facto
| monopoly.
| ferfumarma wrote:
| > It's actually hilarious that whoever was in charge of
| Google's finder network decided to cripple the product's one
| and only function by prioritizing privacy.
|
| That is a hilariously apt and depressing point. Wow.
| ASalazarMX wrote:
| Google is a timid shell of its former self, it won't dip a
| foot in a pool without making sure the water is warm.
| tommoor wrote:
| Seems like they should just piggyback on FindMy also
| RobotToaster wrote:
| > From what I've heard Google made their version pretty bad
|
| I have one on my keys. The one time I tried to use it, despite
| refreshing multiple times, it gave me a bubble with a quarter
| mile radius. It turned out to be in my bag right next to me.
| groby_b wrote:
| So, you're saying it was correct? ;)
| BiteCode_dev wrote:
| _Red arrow pointing at Earth on solar system_
|
| Nailed it.
| bartvk wrote:
| It was _technically_ correct.
| exabrial wrote:
| Can someone point me to something I saw earlier? Apple alerts
| users to "tags that might be following you". Someone made an
| implementation that used a KDF to rotate the mac address or
| private key or something, but it was predictable in a way you
| could track each derivation of the mac/private key.
|
| There is a really obnoxious petty theft problem where I live, and
| the time it takes to constantly get my windows fixed or forced
| entry crap removed is worth a significant amount of my personal
| time. I have zero desire to confront anyone, but I'd like to be
| able to create a track for a PI or Law enforcement some day.
| stavros wrote:
| Hm, AFAIK AirTags rotate their private key anyway, so I don't
| know if that will help your problem. Maybe they rotate it
| slowly, though, I'm not very familiar with the exact algorithm.
| hattmall wrote:
| You can buy GPS cellular trackers. Then just get a really cheap
| or even free IOT sim.
|
| Alternatively you could probably just walk to your nearest drug
| addict hangout with a case of bottled water and ask them to stop
| breaking into your stuff.
| IshKebab wrote:
| Can you though? Every time airtags come up here someone is
| like "you can get GPS trackers already! they're cheap!" but I
| actually looked and actual GPS trackers that don't require a
| subscription or have various other flaws seem to be very
| difficult to find.
|
| If there's a GPS tracker that uses an eSIM and isn't sketchy
| af and has decent battery life and isn't £100 let me know! I
| would love that for my bikes.
| 1024core wrote:
| QQ: Why would one build your own? Is the cost of building one's
| own lower than just buying an Airtag off the shelf? I recently
| bought some for about $15. Would building my own be cheaper?
| culi wrote:
| I used to put one on my indoor/outdoor cat. She was a small cat
| so I always felt bad by how large the airtag was.
|
| If we were still doing this, I would consider building an
| optimized one that's smaller and a better shape for her
|
| Another use-case could be to build a tag that is able to
| leverage multiple different networks (Tile, Chipolo, etc)
| mannyv wrote:
| So would this allow you to track a fleet in mostly realtime?
| pishpash wrote:
| So, how exactly do you "build your own tags"? You need Bluetooth-
| enabled devices that can run this software?
___________________________________________________________________
(page generated 2025-01-27 23:01 UTC)