Security News > 2021 > March > Security Analysis of Apple’s “Find My…” Protocol

Abstract: Overnight, Apple has turned its hundreds-of-million-device ecosystem into the world's largest crowd-sourced location tracking network called offline finding.

OF leverages online finder devices to detect the presence of missing offline devices using Bluetooth and report an approximate location back to the owner via the Internet.

In particular, OF aims to ensure finder anonymity, untrackability of owner devices, and confidentiality of location reports.

We experimentally show that unauthorized access to the location reports allows for accurate device tracking and retrieving a user's top locations with an error in the order of 10 meters in urban areas.

While we find that OF's design achieves its privacy goals, we discover two distinct design and implementation flaws that can lead to a location correlation attack and unauthorized access to the location history of the past seven days, which could deanonymize users.

There is also code available on GitHub, which allows arbitrary Bluetooth devices to be tracked via Apple's Find My network.

News URL

https://www.schneier.com/blog/archives/2021/03/security-analysis-of-apples-find-my-protocol.html