• Stars
    star
    8,225
  • Rank 4,499 (Top 0.09 %)
  • Language
    Swift
  • License
    GNU Affero Genera...
  • Created almost 4 years ago
  • Updated 5 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Build your own 'AirTags' 🏷 today! Framework for tracking personal Bluetooth devices via Apple's massive Find My network.

OpenHaystack application icon OpenHaystack

OpenHaystack is a framework for tracking personal Bluetooth devices via Apple's massive Find My network. Use it to create your own tracking tags that you can append to physical objects (keyrings, backpacks, ...) or integrate it into other Bluetooth-capable devices such as notebooks.

Screenshot of the app

Table of contents

What is OpenHaystack?

OpenHaystack is an application that allows you to create your own accessories that are tracked by Apple's Find My network. All you need is a Mac and a BBC micro:bit or any other Bluetooth-capable device. By using the app, you can track your accessories anywhere on earth without cellular coverage. Nearby iPhones will discover your accessories and upload their location to Apple's servers when they have a network connection.

History

OpenHaystack is the result of reverse-engineering and security analysis work of Apple's Find My network (or offline finding). We at the Secure Mobile Networking Lab of TU Darmstadt started analyzing offline finding after its initial announcement in June 2019. We identified how Apple devices can be found by iPhones devices, even when they are offline through this work. The whole system is a clever combination of Bluetooth advertisements, public-key cryptography, and a central database of encrypted location reports. We disclosed a specification of the closed parts of offline finding and conducted a comprehensive security and privacy analysis. We found two distinct vulnerabilities. The most severe one, which allowed a malicious application to access location data, has meanwhile been fixed by Apple (CVE-2020-9986). For more information about the security analysis, please read our paper. Since its release, we received quite a bit of press and media coverage.

Disclaimer

OpenHaystack is experimental software. The code is untested and incomplete. For example, OpenHaystack accessories using our firmware broadcast a fixed public key and, therefore, are trackable by other devices in proximity (this might change in a future release). OpenHaystack is not affiliated with or endorsed by Apple Inc.

How to use OpenHaystack?

OpenHaystack consists of two components. First, we provide a macOS application that can display the last reported location of your personal Bluetooth devices. Second, the firmware image enables Bluetooth devices to broadcast beacons that make them discoverable by iPhones.

System requirements

OpenHaystack requires macOS 11 (Big Sur).

Installation

The OpenHaystack application requires a custom plugin for Apple Mail. It is used to download location reports from Apple's servers via a private API (technical explanation: the plugin inherits Apple Mail's entitlements required to use this API). Therefore, the installation procedure is slightly different and requires you to temporarily disable Gatekeeper. Our plugin does not access any other private data such as emails (see source code).

  1. Download a precompiled binary release from our GitHub page.
    Alternative: build the application from source via Xcode.
  2. Open OpenHaystack. This will ask you to install the Mail plugin in ~/Library/Mail/Bundle.
  3. Open a terminal and run sudo spctl --master-disable, which will disable Gatekeeper and allow our Apple Mail plugin to run.
  4. Open Apple Mail. Go to PreferencesGeneralManage Plug-Ins... and activate the checkbox next to OpenHaystackMail.mailbundle.
    • If the Manage Plug-Ins... button does not appear. Run this command in terminal sudo defaults write "/Library/Preferences/com.apple.mail" EnableBundles 1
  5. Allow access and restart Mail.
  6. Open a terminal and enter sudo spctl --master-enable, which will enable Gatekeeper again.

Usage

Adding a new accessory. To create a new accessory, you just need to enter a name for it and optionally select a suitable icon and a color. The app then generates a new key pair that is used to encrypt and decrypt the location reports. The private key is stored in your Mac's keychain.

Deploy to device. Connect a supported device via USB to your Mac and hit the Deploy button next to the accessory's name and choose the corresponding. Instead of using OpenHaystack's integrated deployment, you may also copy the public key used for advertising (right click on accessory) and deploy it manually.

Display devices' locations. It can take up to 30 minutes until you will see the first location report on the map on the right side. The map will always show all your items' most recent locations. You can click on every item to check when the last update was received. By clicking the reload button, you can update the location reports.

How does Apple's Find My network work?

We briefly explain Apple's offline finding system (aka Find My network). Please refer to our PETS paper and Apple's accessory specification for more details. We provide a schematic overview (from our paper) and explain how we integrate the different steps in OpenHaystack below.

Find My Overview

Pairing (1)

To use Apple's Find My network, we generate a public-private key pair on an elliptic curve (P-224). The private key remains on the Mac securely stored in the keychain, and the public key is deployed on the accessory, e.g., an attached micro:bit.

Losing (2)

In short, the accessories broadcast the public key as Bluetooth Low Energy (BLE) advertisements (see firmware). Nearby iPhones will not be able to distinguish our accessories from a genuine Apple device or certified accessory.

Finding (3)

When a nearby iPhone receives a BLE advertisement, the iPhone fetches its current location via GPS, encrypts it using public key from the advertisement, and uploads the encrypted report to Apple's server. All iPhones on iOS 13 or newer do this by default. OpenHaystack is not involved in this step.

Searching (4)

Apple does not know which encrypted locations belong to which Apple account or device. Therefore, every Apple user can download any location report as long as they know the corresponding public key. This is not a security issue: all reports are end-to-end encrypted and cannot be decrypted unless one knows the corresponding private key (stored in the keychain). We leverage this feature to download the reports from Apple that have been created for our OpenHaystack accessories. We use our private keys to decrypt the location reports and show the most recent one on the map.

Apple protects their database against arbitrary access by requiring an authenticated Apple user to download location reports. We use our Apple Mail plugin, which runs with elevated privileges, to access the required authentication information. The OpenHaystack app communicates with the plugin while downloading reports. This is why you need to keep Mail open while using OpenHaystack.

How to track other Bluetooth devices?

In principle, any Bluetooth device can be turned into an OpenHaystack accessory that is trackable via Apple's Find My network. Currently, we provide a convenient deployment method of our OpenHaystack firmwares for a small number of embedded devices (see table below). We also support Linux devices via our generic HCI script. Feel free to port OpenHaystack to other devices that support Bluetooth Low Energy based on the source code of our firmware and the specification in our paper. Please share your results with us!

Platform Tested on Deploy via app Comment
Nordic nRF51 BBC micro:bit v1 Only supports nRF51822 at this time (see issue #6).
Espressif ESP32 SP32-WROOM, ESP32-WROVER Deployment can take up to 3 minutes. Requires Python 3. Thanks @fhessel.
Linux HCI Raspberry Pi 4 w/ Raspbian Should support any Linux machine.

Setup

OpenHaystack Mobile

OpenHaystack Mobile is a complete reimplementation of the OpenHaystack macOS application for smartphones. The app provides the same functionality to create and track accessories and aims to increase the usability, especially for new users. In contrast to the macOS application, the location reports cannot be fetched directly on the smartphone, so the app requires a proxy server hosted on Mac hardware to access the Find My network. The proxy server can be accessed over a network by multiple users simultaneously.

To connect to your proxy server set the correct URL in: openhaystack-mobile/lib/findMy/reports_fetcher.dart

OpenHaystack Mobile is built with the cross-platform Flutter framework and currently runs on Android and iOS. More information about the app and usage instructions can be found in the openhaystack-mobile folder of this repository.

Authors

References

  • Alexander Heinrich, Milan Stute, Tim Kornhuber, Matthias Hollick. Who Can Find My Devices? Security and Privacy of Apple's Crowd-Sourced Bluetooth Location Tracking System. Proceedings on Privacy Enhancing Technologies (PoPETs), 2021. doi:10.2478/popets-2021-0045 📄 Paper 📄 Preprint.
  • Alexander Heinrich, Milan Stute, and Matthias Hollick. DEMO: OpenHaystack: A Framework for Tracking Personal Bluetooth Devices via Apple’s Massive Find My Network. 14th ACM Conference on Security and Privacy in Wireless and Mobile (WiSec ’21), 2021.
  • Tim Kornhuber. Analysis of Apple's Crowd-Sourced Location Tracking System. Technical University of Darmstadt, Master's thesis, 2020.
  • Apple Inc. Find My Network Accessory Specification – Developer Preview – Release R3. 2020. 📄 Download.

License

OpenHaystack is licensed under the GNU Affero General Public License v3.0.

More Repositories

1

opendrop

An open Apple AirDrop implementation written in Python
Python
8,572
star
2

nexmon

The C-based Firmware Patching Framework for Broadcom/Cypress WiFi Chips that enables Monitor Mode, Frame Injection and much more
C
2,406
star
3

AirGuard

Protect yourself from being tracked 🌍 by AirTags 🏷 and Find My accessories 📍
Kotlin
1,904
star
4

owl

An open Apple Wireless Direct Link (AWDL) implementation written in C
C
1,217
star
5

openwifipass

An open source implementation of Apple's Wi-Fi Password Sharing protocol in Python.
Python
802
star
6

mobisys2018_nexmon_software_defined_radio

Proof of concept project for operating Broadcom Wi-Fi chips as arbitrary signal transmitters similar to software-defined radios (SDRs)
Shell
763
star
7

internalblue

Bluetooth experimentation framework for Broadcom and Cypress chips.
Python
684
star
8

frankenstein

Broadcom and Cypress firmware emulation for fuzzing and further full-stack debugging
C
430
star
9

nexmon_csi

Channel State Information Extraction on Various Broadcom Wi-Fi Chips
C
302
star
10

toothpicker

Python
234
star
11

privatedrop

Practical Privacy-Preserving Authentication for Apple AirDrop
Swift
217
star
12

polypyus

Python
215
star
13

BTLEmap

Nmap for Bluetooth Low Energy
Swift
159
star
14

bcm-rpi3

DEPRECATED: Monitor Mode and Firmware patching framework for the Raspberry Pi 3, development moved to: https://github.com/seemoo-lab/nexmon
C
157
star
15

airtag

AirTag instrumentation including AirTechno and firmware downgrades.
JavaScript
138
star
16

wireshark-awdl

Wireshark Dissector for Apple Wireless Direct Link (AWDL) and Apple's CoreCapture logging framework. Note: the AWDL dissector is part of Wireshark 3.0!
134
star
17

VirtFuzz

VirtFuzz is a Linux Kernel Fuzzer that uses VirtIO to provide inputs into the kernels subsystem. It is built with LibAFL.
Rust
109
star
18

frida-scripts

JavaScript
101
star
19

mobisys2018_nexmon_channel_state_information_extractor

Example project for extracting channel state information of up to 80 MHz wide 802.11ac Wi-Fi transmissions using the BCM4339 Wi-Fi chip of Nexus 5 smartphones.
MATLAB
98
star
20

airdrop-keychain-extractor

Extracting Apple ID Validation Record, Certificate, and Key for AirDrop
Objective-C
96
star
21

bcm-public

DEPRECATED: Monitor Mode and Firmware patching framework for the Google Nexus 5, development moved to: https://github.com/seemoo-lab/nexmon
C
75
star
22

fitness-app

Java
70
star
23

apple-continuity-tools

Reverse engineering toolkit for Apple's wireless ecosystem
JavaScript
63
star
24

nexmon_debugger

Debugger with hardware breakpoints and memory watchpoints for BCM4339 Wi-Fi chips
C
54
star
25

satellite-messenger

A free satellite messenger for iPhone 14
Swift
50
star
26

wisec2017_nexmon_jammer

This project contains the nexmon-based source code required to repeat the experiments of our WiSec 2017 paper.
C
48
star
27

aristoteles

A Wireshark dissector for the Apple Remote Invocation (ARI) protocol, used between Intel base band chips and the iOS CommCenter for various management purposes, SMS, telephony and much more.
Lua
45
star
28

talon-tools

Talon Tools: The Framework for Practical IEEE 802.11ad Research
TeX
41
star
29

mmTrace

mmTrace: Millimeter Wave Propagation Simulation
MATLAB
40
star
30

fitness-firmware

HTML
40
star
31

AirGuard-iOS

Protect yourself from being tracked 📍by Samsung SmartTags and Tile Trackers
Swift
39
star
32

apple_u1

JavaScript
38
star
33

chirpotle

A LoRaWAN Security Evaluation Framework
Jupyter Notebook
35
star
34

dtrace-memaccess_cve-2020-27949

C++
35
star
35

proxawdl

Tunnels a regular TCP connection through an AWDL link by exploiting the NetService API
Objective-C
31
star
36

pyshimmer

pyshimmer provides a Python API to work with the wearable sensor devices produced by Shimmer.
Python
24
star
37

mobisys2018_nexmon_covert_channel

Wi-Fi based covert channel that hides information in hand crafted acknowledgement frames imitating additional channel effects that can be extracted from channel state information at the intended receiver.
C
23
star
38

uwb-sniffer

A UWB Sniffer with accurate timestamps
C
22
star
39

h4bcm_wireshark_dissector

Wireshark dissector for Broadcom specific H4 diagnostic commands
C
22
star
40

owlink.org

Opening up Apple's wireless ecosystem around the Apple Wireless Direct Link (AWDL) protocol
HTML
20
star
41

wisec2017_nexmon_jammer_demo_app

This project contains source code of our Nexmon-based jammer app presented as a demo at WiSec 2017.
Java
19
star
42

nexmon-arc

The nexmon C-based firmware patching framework adapted for the ARC architecture.
C
19
star
43

seemoo-mobile-sensing

Sensor data collector for Android devices
Java
19
star
44

plist17lib

Python
18
star
45

BTLEmap-Framework

BTLEmap's Bluetooth Low Energy framework that powers the app
Swift
17
star
46

csicloak

Python
15
star
47

seemoo-wearable-sensing

Sensor data collector for Samsung Gear S3
JavaScript
15
star
48

talon-sector-patterns

Antenna Sector Patterns as obtained by Measurements in the CoNEXT'17 paper
MATLAB
14
star
49

pairsonic

Helping groups securely exchange contact information.
Dart
13
star
50

fido2ext

Bring Your Own FIDO2 Extensions!
JavaScript
12
star
51

wifi-password-sharing

An open source implementation of Apple's Wi-Fi Password Sharing protocol in Swift.
Swift
12
star
52

privatefind

Lost and Found: Stopping Bluetooth Finders from Leaking Private Information
C
12
star
53

nexmon_tx_task

Scheduled frame transmission on Broadcom Wi-Fi Chips
C
11
star
54

pico-nexmon

Applications for the Raspberry Pi Pico W related to Nexmon the C-based firmware patching framework for Broadcom/Cypress WiFi chips.
CMake
11
star
55

wisec2017_nexmon_jammer_demo_firmware

This project contains the nexmon-based source code of the jammer used in our WiSec 2017 demo Android app.
C
10
star
56

bcm_misc

10
star
57

opennan

OpenNAN - An open source NAN stack for Linux
C
9
star
58

Hardwhere

snipeit-it based asset management app
Kotlin
8
star
59

ubicomp19_zero_interaction_security

Source code for experiments and evaluation of five zero-interaction security schemes, for our Ubicomp 2019 paper "Perils of Zero-Interaction Security in the Internet of Things"
Jupyter Notebook
8
star
60

offline-finding-evaluation

Quantitative analysis of location reports from Apple's offline finding (OF) location tracking system
Jupyter Notebook
7
star
61

myo-keylogging

Code for "My(o) Armband Leaks Passwords: An EMG and IMU Based Keylogging Side-Channel Attack" paper
Python
7
star
62

natural-disaster-mobility

Natural Disaster Mobility Model and Scenarios in the ONE
Java
6
star
63

wisec2017_nexmon_jammer_reproducibility

This project contains all measured data and scripts to recreate the plots used in our WiSec 2017 paper.
MATLAB
6
star
64

nexmon_energy_measurement

This repository contains patched Linux kernel sources to run energy measurements on the Wi-Fi chip of a Nexus 5 smartphone.
C
6
star
65

next2you

Source code for experiments and evaluation of Next2You copresence detection scheme, for our TIOT 2021 paper "Next2You: Robust Copresence Detection Based on Channel State Information".
C
6
star
66

d11-emu

D11emu: A BCM43 D11 Emulation Framework
Rust
6
star
67

aic-prototype

Proof of concept implementation of Acoustic Integrity Codes (AICs) for Android smartphones
Kotlin
6
star
68

CellGuard

CellGuard is a research project that analyzes how cellular networks are operated and possibly surveilled
5
star
69

powerpc-ose

C++
5
star
70

PrivateDrop-Base

The framework that powers PrivateDrop
C
4
star
71

fastzip

Source code for experiments and evaluation of FastZIP zero-interaction pairing scheme, for our Mobisys 2021 paper "FastZIP: Faster and More Secure Zero-Interaction Pairing".
Python
4
star
72

graphics

3
star
73

tpy

A Lightweight Framework for Agile Distributed Network Experiments
Python
3
star
74

wintech23_nexmon_d11debug

Pawn
3
star
75

woot24_cfi_coverage_tools

The artifacts for the 'On the Effectiveness of CFI in Practice' paper to be published at WOOT'24.
Python
2
star
76

click-castor

Click implementation of LIDOR/SEMUD (based on the Castor routing protocol)
C++
2
star
77

privatedrop-evaluation

Jupyter Notebook
2
star
78

wisec23-speaker-bootstrapping

Software repository for our WiSec '23 demo: Secure Bootstrapping of Smart Speakers Using Acoustic Communication
C
2
star
79

caret

CARET: The Crisis and Resilience Evaluation Tool
Python
2
star
80

hardzipa

Source code for experiments and evaluation of HardZiPA system for our EWSN 2023 paper "Hardening and Speeding UpZero-interaction Pairing and Authentication".
Python
2
star
81

kardia-demod

Python
1
star
82

talon-library-measurements

Large-Scale Talon Measurements at Library
1
star
83

handoff-authentication-swift

C++
1
star
84

wintech2017_nexmon_ping_offloading

This project contains the nexmon-based source code of the ping offloading application used in our WiNTECH 2017 paper.
C
1
star
85

python-msp430-tools

This is a fork of the original python-msp430-tools repository on Launchpad. It features a patchset that is required to use the tools with the Shimmer3 devices.
Python
1
star
86

Please-Unstalk-Me

User Data and Online Survey results
Jupyter Notebook
1
star