OpenHaystack: Track Bluetooth Devices via Apple’s Find My Network
Overview of OpenHaystack
OpenHaystack is a pioneering framework that enables users to track personal Bluetooth devices through Apple’s expansive Find My network. This allows for the creation of personalized tracking tags for various physical objects or devices such as notebooks.
What is OpenHaystack?
This application facilitates the development of custom accessories for tracking through Apple’s network. Operating from a Mac and using Bluetooth-capable technology like the BBC micro:bit, users can monitor their devices worldwide without relying on cellular coverage.
Nearby iPhones identify these accessories, uploading their locations to Apple’s servers upon network connection.
History
OpenHaystack originated from the reverse-engineering and security analysis of Apple’s Find My network by TU Darmstadt’s Secure Mobile Networking Lab. Initiated after Apple’s announcement in June 2019, the research exposed vulnerabilities, including a critical one for unauthorized location access, now rectified by Apple (CVE-2020-9986).
Readers seeking detailed security analysis can consult the lab’s published paper. Despite its experimental nature, OpenHaystack has garnered significant media attention.
Disclaimer
OpenHaystack is an experimental, untested software project, independent of Apple Inc. It has known limitations: for example, the firmware broadcasts a fixed public key, so nearby entities can recognise the same accessory over time and track it.
How to Use OpenHaystack
OpenHaystack comprises a macOS application and a firmware image for Bluetooth beacon broadcasting.
System Requirements
OpenHaystack requires macOS 11 (Big Sur).
Installation
To install the application, users must deploy a custom Apple Mail plugin for retrieving location reports from Apple. This process involves temporarily disabling macOS’ Gatekeeper security feature.
- Download the binary release from GitHub or build from source via Xcode.
- Install the Mail plugin in ~/Library/Mail/Bundle.
- Disable Gatekeeper using sudo spctl --master-disable in the terminal.
- Enable the plugin in Apple Mail under Preferences, Manage Plug-ins, then restart Mail.
- Re-enable Gatekeeper with sudo spctl --master-enable.
Usage
To add a new accessory, assign a name, and optionally an icon and color. The application generates an encryption key pair, storing the private key securely. Deploy the accessory by connecting a device via USB and using the Deploy button.
Location updates may take up to 30 minutes to appear. Use the reload function for the latest data.
Apple’s Find My Network Mechanism
A brief overview of Apple’s Find My network and its integration with OpenHaystack:
Pairing
The network utilizes a generated public-private key pair for accessory pairing, with the public key sent via Bluetooth advertisements.
Losing
Accessories broadcast this public key. Nearby iPhones pick up the broadcast and do not distinguish these accessories from Apple’s certified devices.
Finding
Upon receiving a Bluetooth signal, iPhones obtain GPS coordinates, encrypt them, and upload the data to Apple’s server.
Searching
Apple’s system stores encrypted location data, retrievable only by those possessing the corresponding private key. OpenHaystack downloads and decrypts these reports to present on a map interface.
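Added example (not OpenHaystack's own code): a defensive check for the fixed-key limitation noted in the disclaimer, applied to the broadcast step described above. It assumes the Offline Finding advertisement layout used by the OpenHaystack firmware (Apple company ID 0x004C, type 0x12, 22 key bytes in the payload and the other 6 in the BLE address); the function names, the one-hour threshold and the sample capture are constructed for illustration.

```python
from collections import defaultdict

APPLE_COMPANY_ID = b"\x4c\x00"  # 0x004C, little-endian on the wire
OF_TYPE, OF_LEN = 0x12, 0x19    # assumed Offline Finding type and payload length

def extract_public_key(addr: bytes, adv: bytes):
    """Return the 28-byte advertised key, or None for any other frame.
    addr: 6-byte BLE address, most significant byte first; adv: raw AD data."""
    i = 0
    while i + 1 < len(adv):
        length, ad_type = adv[i], adv[i + 1]
        if length == 0:
            break
        body = adv[i + 2 : i + 1 + length]
        i += 1 + length
        if ad_type != 0xFF or len(body) != 29 or body[:2] != APPLE_COMPANY_ID:
            continue
        if body[2] != OF_TYPE or body[3] != OF_LEN:
            continue
        # body: company(2) type(1) len(1) status(1) key[6:28] bits(1) hint(1)
        # The address carries key[0:6] with its top two bits forced to 1,
        # so the original two bits are sent separately in the payload.
        first = (addr[0] & 0x3F) | ((body[27] & 0x03) << 6)
        return bytes([first]) + addr[1:6] + body[5:27]
    return None

def find_static_keys(sightings, min_span_s=3600):
    """sightings: iterable of (unix_time, addr, adv).
    Return {key_hex: seconds} for keys seen unchanged for >= min_span_s."""
    seen = defaultdict(list)
    for ts, addr, adv in sightings:
        key = extract_public_key(addr, adv)
        if key is not None:
            seen[key.hex()].append(ts)
    spans = {k: max(t) - min(t) for k, t in seen.items()}
    return {k: s for k, s in spans.items() if s >= min_span_s}

def make_frame(key: bytes):
    """Build (addr, adv) for a 28-byte key; only used to construct sample input."""
    addr = bytes([key[0] | 0xC0]) + key[1:6]
    adv = (bytes([0x1E, 0xFF]) + APPLE_COMPANY_ID + bytes([OF_TYPE, OF_LEN, 0x00])
           + key[6:28] + bytes([key[0] >> 6, 0x00]))
    return addr, adv

# Constructed capture: one beacon keeps its key for two hours, another rotates.
FIXED = bytes(range(0x40, 0x5C))
ROT_A, ROT_B = bytes([0x91] * 28), bytes([0x22] * 28)
SAMPLE = [(0, *make_frame(FIXED)), (900, *make_frame(ROT_A)),
          (1800, *make_frame(ROT_B)), (7200, *make_frame(FIXED))]
```

Running find_static_keys(SAMPLE) reports only the constructed fixed key, with a span of 7200 seconds; the two rotating keys are each seen once and fall below the threshold.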
Tracking Additional Bluetooth Devices
OpenHaystack facilitates the tracking of various Bluetooth devices through Apple’s network. It initially supports certain embedded devices, and adapting the source code to extend it to other systems is encouraged.
OpenHaystack Mobile
The mobile version extends the framework to smartphones using Flutter. Though requiring a Mac-hosted proxy server, it provides increased usability for accessory tracking on Android and iOS platforms.
Authors
Developed by Alexander Heinrich and Milan Stute, with contributions from Tim Kornhuber and Matthias Hollick.
License
OpenHaystack is distributed under the GNU Affero General Public License v3.0.