The Basics

Hey there, fellow techies! Get ready to savor the first installment of our deep dive into Apple’s Bluetooth Low Energy (BLE) protocol powering the FindMy service. We’ll also see some ways in which a mischievous actor could exploit these protocols to gain access to private information or render devices inoperable. But first we have to take a closer look at BLE in general.

What’s the Deal with Bluetooth Low Energy?

Alright, let’s start with the basics. Bluetooth Low Energy (BLE) is the tech that allows many devices to talk to each other in a power-efficient and seamless way. BLE is actually an addition to the regular Bluetooth standard developed by the Bluetooth Special Interest Group, or SIG, and was introduced as an optional part of the specification in version 4.0 from 2010. The current version from February 2023 is version 5.4, while current Apple devices, like the iPhone 15, support up to version 5.3. Compared to regular Bluetooth, which is good for audio streaming or file transfers but uses a lot of energy, BLE trades a low data rate for lower power consumption. Think of devices like the Apple Watch that need to have a long battery life and only exchange small amounts of data, like notifications. BLE is perfect for those quick, periodic data exchanges between devices. This is precisely why Apple relies on BLE for a wide range of functions, whether it’s monitoring your AirPods’ battery life through your iPhone or pinpointing the location of a misplaced backpack with the help of an AirTag.

The BLE Puzzle Pieces

Before we start dissecting Apple’s BLE protocols one by one, you should get familiar with some essential BLE terms:

  • Central: This is one of two essential roles in the specification. The central device is the one that connects to the peripheral and requests information or services. Think of your iPhone or iPad.

  • Peripheral: This is the device that offers up information or services. For instance, your Apple Watch is a peripheral that can send heart rate data and receive notifications.

  • Characteristic: BLE organizes data in chunks called characteristics that can be read or written.

  • Service: Multiple related characteristics are combined into a service.

  • Advertisement: BLE peripherals regularly broadcast information to all other BLE devices nearby. Central devices can use those Advertisements to discover peripherals to connect to.

Physical layer

I don’t want to do a deep dive into the complexities of the actual data transmission over the physical layer. However, a few basics are useful to better understand BLE in general.

Bluetooth uses the frequency spectrum between 2.4 GHz and 2.4835 GHz for data transmission. The spectrum is divided into 40 equally sized channels (see the figure below), 37 of which can be used for data transmission, while the remaining three channels are reserved for advertising (discovering devices and establishing connections). The advertising channels are positioned in a way that reduces interference with Wi-Fi, which uses an overlapping frequency spectrum.

[Figure: BLE frequency channels. Channels 0-36 (blue) are assigned to data transmission in connections, while the three remaining channels, 37-39 (orange), are used as advertising channels. The x-axis shows how the channels are positioned in the frequency band: the first advertising channel, 37, is centered at 2402 MHz, while the last one, 39, is centered at 2480 MHz. Adapted from [48].]

BLE Channels, Source: Performance Evaluation of Bluetooth Low Energy: A Systematic Review
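To make the channel layout above concrete, here is a small added example (my own code, not from the cited paper) that maps each BLE channel index to its center frequency and measures how far it sits from the center of the commonly used Wi-Fi channels 1, 6 and 11. The Wi-Fi center frequencies and the BLE index-to-RF-channel mapping are taken from the respective specifications; the "distance to nearest Wi-Fi center" metric is my own simplification.

```python
# Added example: BLE channel index -> center frequency, plus distance to the
# nearest Wi-Fi channel center. Not part of the original article.
#
# Facts used: BLE RF channel k (0..39) is centered at 2402 + 2*k MHz and is
# 2 MHz wide. The link-layer index puts advertising channels 37, 38, 39 on
# RF channels 0, 12 and 39; data channels 0..36 fill the remaining RF channels.

ADV_RF_CHANNELS = {37: 0, 38: 12, 39: 39}

# Centers of the three non-overlapping 2.4 GHz Wi-Fi channels (1, 6, 11).
WIFI_CENTERS_MHZ = {1: 2412, 6: 2437, 11: 2462}


def rf_channel(ble_channel: int) -> int:
    """Translate a link-layer channel index (0..39) to its RF channel k."""
    if not 0 <= ble_channel <= 39:
        raise ValueError("BLE channel index must be in 0..39")
    if ble_channel in ADV_RF_CHANNELS:
        return ADV_RF_CHANNELS[ble_channel]
    # Data channels 0..10 sit on RF 1..11 (below advertising channel 38),
    # data channels 11..36 on RF 13..38 (between channels 38 and 39).
    return ble_channel + 1 if ble_channel <= 10 else ble_channel + 2


def center_freq_mhz(ble_channel: int) -> int:
    """Center frequency of a BLE channel in MHz."""
    return 2402 + 2 * rf_channel(ble_channel)


def role(ble_channel: int) -> str:
    """'advertising' for channels 37-39, 'data' for 0-36."""
    return "advertising" if ble_channel in ADV_RF_CHANNELS else "data"


def nearest_wifi_distance_mhz(ble_channel: int) -> int:
    """How far (MHz) the BLE channel center is from the closest Wi-Fi center.

    A distance of 0 means the BLE channel sits right on a Wi-Fi carrier,
    where interference is worst; the advertising channels all keep 10 MHz
    or more of clearance, which is the design choice the article describes.
    """
    f = center_freq_mhz(ble_channel)
    return min(abs(f - c) for c in WIFI_CENTERS_MHZ.values())


if __name__ == "__main__":
    for ch in (0, 4, 10, 11, 36, 37, 38, 39):
        print(f"ch {ch:2d} {role(ch):11s} {center_freq_mhz(ch)} MHz, "
              f"{nearest_wifi_distance_mhz(ch):2d} MHz from nearest Wi-Fi center")
```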

BLE Advertising - How to establish a connection?

To establish a connection for data exchange, the peripheral has to send advertising packets regularly, so that it can be discovered by the central device. Advertising packets are sent at specific times, called Advertising Events, which are spaced one so-called Advertising Interval apart. Additionally, every event is delayed by a random amount to reduce the chance of collisions between advertisers. At every Advertising Event, the advertising device sends the same packet on each of the three advertising channels to improve discoverability. On the other side, the scanning device changes channel after every Scan Interval; each interval starts with a Scan Window, during which the device actively listens for advertising packets, followed by a pause during which the radio is idle to preserve battery. I won’t go into more detail here, but if you’re interested, feel free to explore the linked article just below the image. In that article, the authors provide a detailed breakdown of how different parameter settings change the probabilities and latencies associated with discovering peripheral devices.

BLE Advertising process, Source: Analysis of Latency Performance of Bluetooth Low Energy (BLE) Networks
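The interplay of Advertising Interval, random delay, Scan Interval and Scan Window is easiest to see in a tiny simulation. The following is an added example of my own (not code from the article or the linked paper): it models a single advertiser and a single scanner in milliseconds and reports how long discovery takes. The 0-10 ms random delay per event and the rotation over channels 37, 38, 39 follow the specification; the per-packet air time (pdu_time_ms) and the point-in-time reception model are my own simplifying assumptions.

```python
# Added example: discovery latency of a BLE advertiser vs. a duty-cycled
# scanner. Not part of the original article. Time unit: milliseconds.
import random

ADV_CHANNELS = (37, 38, 39)


def scanner_listening(t_ms, channel, scan_interval_ms, scan_window_ms):
    """True if the scanner has its radio on `channel` at time t_ms.

    The scanner divides time into Scan Intervals, listens only during the
    Scan Window at the start of each, and rotates 37 -> 38 -> 39 per interval.
    """
    n = int(t_ms // scan_interval_ms)              # which interval we are in
    in_window = (t_ms - n * scan_interval_ms) < scan_window_ms
    return in_window and ADV_CHANNELS[n % 3] == channel


def simulate_discovery(adv_interval_ms=100.0, scan_interval_ms=200.0,
                       scan_window_ms=50.0, max_time_ms=10_000.0,
                       pdu_time_ms=0.4, seed=1):
    """Time (ms) at which the scanner first hears an advertising PDU, or None.

    pdu_time_ms (assumed) is the spacing between the three copies of the
    packet sent in one Advertising Event. The advertiser starts at a random
    phase so that advertiser and scanner are not artificially aligned.
    """
    rng = random.Random(seed)
    t_event = rng.uniform(0, adv_interval_ms)
    while t_event < max_time_ms:
        # One Advertising Event: same PDU on 37, 38 and 39, back to back.
        for i, ch in enumerate(ADV_CHANNELS):
            t_tx = t_event + i * pdu_time_ms
            if scanner_listening(t_tx, ch, scan_interval_ms, scan_window_ms):
                return t_tx
        # Next event: Advertising Interval plus the random 0..10 ms advDelay.
        t_event += adv_interval_ms + rng.uniform(0, 10)
    return None


def mean_discovery_latency_ms(runs=200, **params):
    """Average latency over several seeds; None if nothing was ever found."""
    found = [x for x in (simulate_discovery(seed=s, **params) for s in range(runs))
             if x is not None]
    return sum(found) / len(found) if found else None


if __name__ == "__main__":
    for window in (50.0, 100.0, 200.0):   # 25 %, 50 %, 100 % scanner duty cycle
        print(f"scan window {window:5.1f} ms -> mean latency "
              f"{mean_discovery_latency_ms(scan_window_ms=window):7.1f} ms")
```

Widening the Scan Window (or shortening the Advertising Interval) lowers the latency at the cost of battery on the respective side, which is exactly the trade-off the linked paper quantifies.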

I chose not to go into more detail with regard to the actual BLE communication flow over an established connection, because Apple relies heavily on BLE Advertising, rather than connections, to implement FindMy, Continuity, and AirDrop.

What’s Up Next?

In our next article, we’re going to take a deep dive into the inner workings of Apple’s FindMy protocol. Ever wondered how you can track down your lost iPhone or AirPods or how Apple protects your privacy while doing so? Also stay tuned to learn about a few ways attackers could potentially misuse the protocol.