The keynote of Apple’s WWDC 2019 conference brought plenty of news, including changes to macOS Catalina, the new version of its desktop operating system.
One of these features stood out in particular: Find My, the option that lets us find a lost (or stolen) MacBook thanks to the magic of Bluetooth LE. This is how the service works, one that turns other users of Apple devices into anonymous, transparent informers of the location of your lost MacBook.
This is how Find My works
As Craig Federighi highlighted during this feature presentation, Find My encryption is end-to-end and anonymous. That means that Apple does not have access to that information, which only the user who owns these devices will be able to consult.
To use this feature, the user needs at least two Apple devices. Those devices constantly emit a changing key that nearby Apple devices use to send your location, in encrypted form, to Apple’s servers.
How does this striking feature work? The curious thing is that it does not use the GPS signal or triangulation with WiFi or mobile networks, but relies on an option of the Bluetooth Low Energy (BLE) protocol. As explained in Wired, the process is as follows:
Find My as a mass-scale version of Tile
The service presented by Apple is certainly striking, but it is far from novel. The use of Bluetooth as a system to locate devices goes back a long way, and in fact it was already defined in the “Find Me” profile of the Bluetooth specification in 2011 (PDF).
Some companies have used this option to launch accessories that help locate all kinds of objects. The best known is probably Tile, which sells small accessories that we can attach to keys, a laptop or a phone and that let us locate those objects easily, if we lose them, from another Tile, a device or a computer.
Bluetooth trackers like Tile’s let you use a mobile app to monitor the location of whatever object they are attached to. You can also remotely trigger a sound on the tracker to locate it when it is close (for example, when we lose our house keys).
Tile has long implemented the “Community Find” feature, which works on the same principle as Apple’s. If a Tile Bluetooth device comes into the coverage area of another user, that user’s device updates your device’s location in real time, automatically and anonymously.
That location is not shared with the very person who relayed it; the process is invisible to them. The “community search” feature lets other people help you locate your item.
Many lights in Find My, but also some shadows
This feature is surprising because it relies neither on the GPS signal nor on a connection to data networks. Instead it makes use of Bluetooth technology and of that community of users who serve as relays of the location of our devices without knowing it.
As Matthew Green, a cryptographer and professor at Johns Hopkins University, explained, Apple’s idea is to turn its iPhone network into a gigantic community location-tracking system. Every iPhone with iOS 13 will be constantly monitoring BLE beacon messages that could come from Apple devices that have been stolen or lost.
For Green this could become a potential “privacy nightmare”, joining others that Apple devices have not been immune to. In the first place, because this system offers yet another way to follow us everywhere (as if there were not enough already). In addition, he explains, it exposes not only the user of the feature but all the devices that are doing that monitoring. Potential attackers could, for example, run attacks that spoof the location of your device in an attempt to “corrupt” the system.
Among the problems that Green raises is the way in which identifiers are used to monitor our devices. These could be based on a list of pseudonyms shared between the user who relays the location of your lost device and yourself, but according to Green that adds new dangers and threats to privacy.
Among others, that in the end there is a “gigantic database that shows all the GPS locations in which an Apple device has been detected.” The Johns Hopkins University professor adds that there are ways to minimize the risks, such as the use of random keys that generate versions of the public key that cannot be associated with the original but still serve their ultimate purpose.
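The key randomization Green mentions can be sketched with ElGamal-style keys. This is an added example, not Apple’s protocol and not code from the original article; the tiny group and all function names are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only (far too small for real use).
P = 2039   # safe prime: P = 2*Q + 1
Q = 1019   # prime order of the subgroup of squares modulo P
G = 4      # generator of that subgroup

def _exponent():
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, Q-1]

def keygen():
    """Owner: long-term secret x and base public key (g, h = g^x)."""
    x = _exponent()
    return x, (G, pow(G, x, P))

def randomize(pub):
    """Lost device: fresh broadcast key (g^r, h^r); r is discarded."""
    g, h = pub
    r = _exponent()
    return pow(g, r, P), pow(h, r, P)

def is_mine(x, bcast):
    """Owner: recognise own broadcast keys without a pseudonym list."""
    return pow(bcast[0], x, P) == bcast[1]

def _pad(shared, n):
    return hashlib.shake_256(shared.to_bytes(2, "big")).digest(n)

def seal(bcast, report):
    """Finder: encrypt a report using only the broadcast key it heard."""
    k = _exponent()
    pad = _pad(pow(bcast[1], k, P), len(report))
    return pow(bcast[0], k, P), bytes(a ^ b for a, b in zip(report, pad))

def unseal(x, sealed):
    """Owner: recover the report with the unchanged secret x."""
    c1, body = sealed
    pad = _pad(pow(c1, x, P), len(body))
    return bytes(a ^ b for a, b in zip(body, pad))

if __name__ == "__main__":
    x, pub = keygen()
    bcast = randomize(pub)
    print(bcast, unseal(x, seal(bcast, b"40.4168,-3.7038")))
```

In a group of real cryptographic size, an observer cannot link two randomized keys from the same owner (a decisional Diffie-Hellman assumption); the 11-bit group here only shows that the algebra works.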
Thus, the protocol proposed by Apple, which its managers detailed (a little) in Wired, certainly has many points in its favor, but it is not safe from potential ways of exploiting it for unwanted uses.
It does not seem easy for an attacker to find cracks despite the clues given by Green, but we will have to see what the rest of the users of that gigantic network think about a function that, in the end, makes them invisible and automatic relays for locating many other devices around them.
That raises questions not only about security, but about something more tangible on a day-to-day basis: battery consumption. Will this use of Find My pose a problem for battery life? It doesn’t seem likely, since the Bluetooth Low Energy standard is used, but it will be interesting to see what happens to this service once it is deployed from autumn, when both iOS 13 and macOS Catalina appear.