OpenHaystack lets you create DIY AirTags on Apple’s Find My network


Apple has promised to open its Find My app to third-party accessory makers. But before that happens, there is a new tool that lets anyone build their own Bluetooth tracking tag and locate it over the Find My network. OpenHaystack is a new open source tool developed by security researchers at the Secure Mobile Networks Laboratory, who have essentially reverse engineered the way Apple devices register on the Find My mesh network.

In short, it is a way to create your own DIY AirTags today.

OpenHaystack works through a custom Mac application that tracks the location of the custom tags you create. As of now, the tool has direct support for building a tracking tag from the BBC micro:bit mini computer, although other developers may add support for other Bluetooth Low Energy (BLE) devices in the future. Once a tag is registered on Apple's Find My network, the OpenHaystack app reports its location much as Apple's Find My app does for iPhones and other Apple devices.

The whole setup is a bit of a hack, in the sense that it is convoluted, not in the sense that you are breaking into anything. It uses a plug-in for Apple Mail (which authenticates you as a genuine Apple user) to gain the access to Apple's Find My network needed to create and locate keys, so Mail must be running for OpenHaystack to work.

There also don't appear to be serious security implications for the Find My network itself (although the team has sent other bug reports to Apple). However, that doesn't mean you should go ahead and start using OpenHaystack. The project carries an important disclaimer:

OpenHaystack is experimental software. The code is untested and incomplete. For example, the OpenHaystack tags used by our firmware transmit a fixed public key and are therefore traceable by other nearby devices (this could change in a future release). OpenHaystack is not affiliated with or endorsed by Apple Inc.

A high-level understanding of the Find My security model also helps explain why OpenHaystack is possible at all.

Find My works using a combination of public and private keys. Any Apple user can access the public keys of the devices on the Find My network, but they need the matching private key in order to read the location information. This means that even Apple cannot access your location information without your private keys. The network works because Apple devices collectively report sightings of public keys, but only the holder of the corresponding private key can decrypt the location data.

How OpenHaystack enters the Find My network.
Image: OpenHaystack

What OpenHaystack does is create one of those public/private key pairs for its own Bluetooth tag and use Apple Mail to register it on the Find My network. To Apple, it just looks like another iPhone. The Mac app then queries the public key database, pairs the result with the private key you created, and bam – secure location data.
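The key-pair model described in the two paragraphs above, as an added illustration in Go that is not OpenHaystack's or Apple's code: it assumes P-256 ECDH with a one-time finder key, SHA-256 as the key-derivation step and AES-GCM for the location, since the page gives none of Find My's actual parameters. A finder encrypts a sighting under the tag's broadcast public key, the server stores the report indexed only by a hash of that key, and only the holder of the private key can decrypt it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// Report is what a finder uploads: the server can index it by KeyID but cannot read Sealed.
type Report struct {
	KeyID     [32]byte // SHA-256 of the tag's broadcast public key (server lookup index)
	FinderPub []byte   // finder's one-time public key; the owner needs it to rederive the key
	Sealed    []byte   // nonce || AES-GCM ciphertext of the location
}
// NewTagKey creates the pair the owner keeps; the tag itself broadcasts only the public half.
func NewTagKey() (*ecdh.PrivateKey, error) { return ecdh.P256().GenerateKey(rand.Reader) }

// sharedAEAD runs ECDH and turns the shared secret into an AES-GCM key.
func sharedAEAD(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) cipher.AEAD {
	secret, _ := priv.ECDH(pub)     // both keys are P-256 here, so this cannot fail
	k := sha256.Sum256(secret)      // SHA-256 as KDF is this example's assumption, not Apple's
	block, _ := aes.NewCipher(k[:]) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// EncryptReport is the finder side: it only ever sees the tag's public key.
func EncryptReport(tagPub *ecdh.PublicKey, location string) (Report, error) {
	eph, err := NewTagKey() // a fresh one-time key pair for this report
	if err != nil {
		return Report{}, err
	}
	gcm := sharedAEAD(eph, tagPub)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand never returns an error in current Go
	// Seal appends the ciphertext to the nonce, so Sealed = nonce || ciphertext.
	return Report{sha256.Sum256(tagPub.Bytes()), eph.PublicKey().Bytes(), gcm.Seal(nonce, nonce, []byte(location), nil)}, nil
}

// DecryptReport is the owner side: only the tag's private key opens the report.
func DecryptReport(tagPriv *ecdh.PrivateKey, r Report) (string, error) {
	finderPub, err := ecdh.P256().NewPublicKey(r.FinderPub)
	if err != nil {
		return "", err
	}
	gcm := sharedAEAD(tagPriv, finderPub)
	plain, err := gcm.Open(nil, r.Sealed[:gcm.NonceSize()], r.Sealed[gcm.NonceSize():], nil)
	return string(plain), err
}
```

A report opened with any other private key, or with a single flipped ciphertext byte, fails GCM authentication, which is what keeps the server and other users from reading or forging locations.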

From the way it's designed, it seems it would be difficult for Apple to block OpenHaystack without also cutting off a bunch of older Apple devices. Still, Apple is unlikely to be happy about it and may try to find a way to block it anyway. A developer could use the system to build a way to add Android devices to the Find My network.

The team behind OpenHaystack has written a paper detailing their methods and revealing a now-fixed security flaw. It also released the source code for its firmware, which other developers could use to adapt OpenHaystack to other BLE devices.

Official Apple support for third-party accessories is still on its way. Belkin has already announced a set of headphones that will support Find My. Given how involved the OpenHaystack setup is, it probably won't see mass adoption. It is similar in some respects to AirMessage and Beeper, two tools that use Mac utilities to relay iMessages to Android devices. Apple's ecosystem is locked down in many ways, but the Mac finds a way.
