FindMy: BLE-Powered Location Tracking

We already touched on the very basics of Bluetooth Low Energy (BLE) in the last post. In this post we’ll look deeper into Apple’s FindMy - a service you very likely come into contact with every single day without even realizing it. Ever wondered how the FindMy app can show you where your other devices or even AirTags are? Get ready to learn how Apple uses hundreds of devices to help track and find lost devices.

A Quick Recap: BLE Advertising

Before we dive into the captivating world of Find My, let’s revisit a crucial BLE concept: advertising. Devices can periodically send advertisement packets to share information with any nearby device that happens to listen for them. This can be used for all kinds of things, from your new headphones telling every device around that they are ready for pairing to small temperature sensors. Advertisements are great for information you want to share with everyone around. In a nutshell, lost devices can use advertisements to tell everyone nearby that they are here; those around can inform Apple, which can in turn forward this information to the owner. Apple’s FindMy service is a little more complex than that, involving end-to-end encryption and specific features to protect the privacy of its users. So let’s dive in!

FindMy: Just Another Crowdsourced Location Tracking System?

Apple was actually not the first to come up with a BLE-based location tracking system that uses other people’s phones to determine the location of lost devices (aka crowdsourcing). It is not clearly known whose idea it originally was, but it is clear that Tile made the concept popular and raised $2.6M in 2013.

The basic concept of how such a system works is shown below. Devices that are lost (c) (in the FindMy service aptly named LostDevices) periodically send BLE advertisement packets (1) to all devices nearby. Those advertisements have to contain some information that allows the service to determine who the owner of the device is; this could be a simple ID. The nearby devices (b) (called FinderDevices in Apple’s system) use GPS to get their location and upload it to a server (2). The owner (a) can retrieve this information (3). In Apple’s system, even turned-off iPhones (starting from iOS 15) act as LostDevices, so you can track lost or stolen devices even when they run out of battery or are turned off.

General concept of BLE based crowdsourced tracking

This concept is not very complex and seems straightforward to implement. It only becomes hard when you think about the privacy implications. A device periodically advertising information that allows the owner to recognize their device means that everyone near the device - regardless of their intentions - receives this information. If the advertisement just uses a simple persistent ID, an attacker could use that information to track the device, and the owner with it. So it is obvious that a privacy-focused system like FindMy has to come up with different ways to match owners to devices. Additionally, you probably don’t want Apple to always know where your devices are, so more measures have to be put in place to make sure only you can track your devices.

Apple has done a lot of things right when designing the FindMy system as a privacy-friendly and secure system. But there are still some issues that allow third-parties to misuse the service for non-intended purposes. This will be a topic for a later blog post, though.

Introduction to FindMy’s Cryptography

Apple promises a lot regarding privacy and security. Let’s look at how they are able to actually accomplish most of those promises.

To make sure only the owner of the lost device is able to get its position data, Apple utilizes Elliptic-Curve Cryptography (ECC) to implement secure end-to-end encryption. Each device generates an ECC keypair and a secret value (the combination is called the Master Beacon Key, or MBK) during setup. The MBK is synchronized via iCloud to all other devices with the same Apple ID. With the MBK alone it would already be possible to provide end-to-end encrypted location data by utilizing the public part of the keypair for advertisement and encryption. This, however, would require a device to constantly broadcast its public key, which would allow everyone nearby to follow the device around indefinitely.

Instead, Apple uses temporary Advertising Keys that limit the trackability to a few minutes or a few hours (15 minutes for iPhones, iPads etc., 24 hours for AirTags and other accessories). The Advertising Keys are generated from the MBK and a counter, which makes it impossible (or at least very hard) for an attacker to construct the Advertising Key for the next interval, as long as the MBK stays private to the owner. Only the public part of the Advertising Key is sent in the advertisement packets. The 24-hour interval for AirTags seems counterintuitive at first, because it makes it easier to track a stranger’s AirTag. However, this is intentional, to enable Apple’s unwanted tracking detection feature.

Apple’s unwanted tracking detection, Image from: https://support.apple.com/en-us/HT212227

Encryption of the location data is done on the FinderDevices (the nearby Apple devices) using an additional temporary keypair to perform an [Elliptic-Curve Diffie-Hellman (ECDH)](https://medium.com/swlh/understanding-ec-diffie-hellman-9c07be338d4a) key exchange, which derives a key used for symmetric encryption. Together with the location data, a hash of the received Advertising Key is uploaded so that the owner device can identify the key used for encryption. Because each MBK is synchronized and all Advertising Keys are generated using a deterministic key derivation function, the owner can generate all Advertising Keys independently. The nature of the ECDH key exchange further makes it possible to derive the same symmetric key, so that the owner, and only the owner, can decrypt the location data.
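To make the flow of the last three paragraphs concrete, here is a simplified model of it in Go. This is an added example, not code from the original post and not Apple’s implementation: the post does not name the curve, key derivation function or cipher Apple uses, so P-256 via Go’s `crypto/ecdh`, HMAC-SHA256 over the MBK secret and counter as the Advertising Key derivation, SHA-256 of the ECDH shared secret as an AES-256-GCM key, and SHA-256 of the advertised public key as the uploaded key hash are all assumptions of this example. The type and function names (`MasterBeaconKey`, `AdvertisingKey`, `FinderEncrypt`, `OwnerDecrypt`, `Report`) are made up here, and the location string is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// MasterBeaconKey models the MBK: an ECC keypair plus a secret value, synced via iCloud.
type MasterBeaconKey struct {
	Priv   *ecdh.PrivateKey // on P-256 here; the post does not name the curve Apple uses
	Secret []byte
}

// Report is what a FinderDevice uploads: key hash, its one-time public key, encrypted location.
type Report struct {
	KeyHash           [32]byte
	EphemeralPub      *ecdh.PublicKey
	Nonce, Ciphertext []byte
}

func must[T any](v T, err error) T { // CSPRNG or key generation failure: not recoverable here
	if err != nil {
		panic(err)
	}
	return v
}

func NewMasterBeaconKey() *MasterBeaconKey {
	secret := make([]byte, 32)
	rand.Read(secret) // Go 1.24+: never returns an error (check it on older versions)
	return &MasterBeaconKey{Priv: must(ecdh.P256().GenerateKey(rand.Reader)), Secret: secret}
}

// AdvertisingKey derives the rotating keypair for interval `counter` from the MBK. HMAC-SHA256
// keyed with the MBK secret stands in for the real KDF (assumption): no secret, no next key.
func AdvertisingKey(mbk *MasterBeaconKey, counter uint32) *ecdh.PrivateKey {
	for tweak := uint32(0); ; tweak++ { // retry (prob. ~2^-32) if the scalar is out of range
		mac := hmac.New(sha256.New, mbk.Secret)
		mac.Write(mbk.Priv.Bytes())
		mac.Write(binary.BigEndian.AppendUint32(binary.BigEndian.AppendUint32(nil, counter), tweak))
		if k, err := ecdh.P256().NewPrivateKey(mac.Sum(nil)); err == nil {
			return k
		}
	}
}

// aeadFor completes ECDH and hashes the shared secret into an AES-256-GCM key; both sides use it.
func aeadFor(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)    // AES block size: cannot fail
	return gcm, nil
}

// FinderEncrypt runs on a nearby device: ephemeral keypair, ECDH against the advertised key,
// encrypt the GPS fix, and attach the hash of the advertised key so the owner can find it.
func FinderEncrypt(advPub *ecdh.PublicKey, location []byte) (*Report, error) {
	eph := must(ecdh.P256().GenerateKey(rand.Reader))
	gcm, err := aeadFor(eph, advPub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return &Report{sha256.Sum256(advPub.Bytes()), eph.PublicKey(), nonce, gcm.Seal(nil, nonce, location, nil)}, nil
}

// OwnerDecrypt regenerates advertising keys from the synced MBK until one matches the report's
// key hash, then completes the ECDH with that key's private part, which nobody else holds.
func OwnerDecrypt(mbk *MasterBeaconKey, r *Report, maxCounter uint32) ([]byte, error) {
	for i := uint32(0); i < maxCounter; i++ {
		k := AdvertisingKey(mbk, i)
		if sha256.Sum256(k.PublicKey().Bytes()) != r.KeyHash {
			continue
		}
		gcm, err := aeadFor(k, r.EphemeralPub)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, r.Nonce, r.Ciphertext, nil)
	}
	return nil, fmt.Errorf("none of the first %d advertising keys matches the report", maxCounter)
}

func main() {
	mbk := NewMasterBeaconKey()
	advertised := AdvertisingKey(mbk, 3).PublicKey() // the lost device broadcasts only this
	report := must(FinderEncrypt(advertised, []byte("lat=52.5200 lon=13.4050 (constructed)")))
	loc, err := OwnerDecrypt(mbk, report, 96) // 96 x 15 min = one day of iPhone keys
	fmt.Printf("key hash %x\nowner recovered %q, err=%v\n", report.KeyHash, loc, err)
}
```

The finder never learns anything beyond a public key that changes every interval, and the server only sees a key hash plus ciphertext. Anyone without the MBK (another Apple ID, or Apple itself) cannot regenerate the Advertising Keys, so the hash lookup fails and there is no ECDH private part to decrypt with; a tampered ciphertext is rejected by GCM authentication.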

Wrapping Up

This post just barely scratches the surface of all the tech that enables Apple’s FindMy service. I believe it is a good introduction to the general concept and some of the numerous security features of the service. If you want to dive deeper, here are the papers this article is based on:

The next post will give a quick introduction to various ways the FindMy service can be abused and what users or Apple can do to prevent them.