Track your devices via Apple FindMy network in Go/TinyGo
github.com361 points by deadprogram 3 months ago
361 points by deadprogram 3 months ago
Incredibly cool. I am constantly amazed by these efforts and the find my network is a really impressive thing. What’s stopped me from using anything like this ever is the fact that I’m confident that at some point Apple will either embrace this sort of piggybacking on the network and open it up more officially, or it will ban any Apple ID that has ever been associated with such things. Right now they know about this and are not commenting either way.
Hope in the future either Apple supports this more officially, or there is a way to use it with no direct link to my Apple ID or account. Until then, I am a spectator in these things.
The process of requesting locations for a certain tag is not tied to any Apple Account. In the instructions in the README, when logging into macless haystack, you can just use a burner account.
Where does it say about burner account?
“You will be asked for your Apple-ID, password and your 2FA”
You mean get another apple device and setup another account?
It doesn't mention a burner account anywhere, but as the author of FindMy.py, I happen to know how this stuff works :-). But yes, create a new account (either through an Apple device or the website or w/e), attach it to an Apple device or hackintosh at least once, then log out again.
Doesn't Apple force SMS 2FA on accounts? I remember trying to use Apple Music some years back and it needed me to give a phone number.
Yes, but phone numbers can be used across multiple Apple accounts.
How is privacy protected? I wouldn't want everyone tracking my airtags.
It is a cryptography heavy, privacy-oriented protocol somewhat specific to the behavior apple wants, which is tied to social behavior. E.g. it is meant to track lost items, not stolen items and not people.
My understanding of how it is all supposed to work:
You get a key-generating-key at provisioning time. The tag itself has three modes depending on whether it is in contact with one of your devices, and further whether it has been out of contact more than a certain period of time.
When not in contact, it will advertise itself with a rotating public key based partially on a rotating Mac address. An Apple device which sees it will encrypt location data based on that key and send it to apple to store under that public key as a mailbox. A device which continues to see it while moving will start to alert the person holding that device that there may be an AirTag tracking them.
The tag itself has NFC functionality which provides information for helping find the owner, and on Apple's side this is meant to be tied to a real identity to aid LE if there's an abuse scenario.
After a certain amount of time not seeing another device, an AirTag will start to make sounds to alert people where it is when an Apple device comes into range.
When you want to find your item, you anonymously query it under its rotating key information, and use your knowledge of the private key generation to get location information. Since there's nothing Apple uses to correlate these entries, there may be multiple records over time although Apple's UI only shows the newest entry found.
So yes, there's anonymity in being near devices but limited so that someone can know they are being tracked. There's anonymity in querying location. However, there's not meant to be anonymity with physical access.
The data passes through any devices in the vicinity -- but they can't read the data unless they've got the private key to that tag.
>I wouldn't want everyone tracking my airtags.
That’s kind of how the whole system works.
I thought it was designed to prevent unwanted people from tracking you. If I bought an airtag, you could track it? Without authentication or authorization?
Only if you have the private key belonging to the AirTag at the time of location capture. Anyone can download encrypted location reports for any AirTag found in the wild, but only the owner can decrypt them with the private key.
So how does one get the private key for an airtag without associating it to their account?
By dumping it from a Mac. But that's not what this project does, it uses diy AirTags without rotating keys so you don't need to do all that.
What about the Apple account of the tag itself?
These custom tags are not tied to any account; Apple can't tell whether a tag found in the wild is "legit" or not, so registering it is not necessary. You can use your main account if you want, but if you request too many location reports too often, they will ban your account.
I think there is some positive effect potential for Apple to let this slide. The broader this network is, the more adoption it receives. P2P as a super-structure has always been a bigger than vendor problem; adoption by any means is likely an allowable tradeoff, especially since Apple doesn't have to do the work here.
Eventually they will capitalize more on the mesh density, rather than crushing the adoption now.
Except that custom tags like these do not require an Apple device in order to use them, so the size of the network is not increased. They only increase the load on the network. FindMy is not a P2P/mesh network; all these tags do is broadcast keys which are picked up by iDevices, which then upload those reports to Apple.
Are the keys not tied to known apple products? Or do you make them up when you first register a device?
Trying to understand why apple doesn’t (or can’t?) already reject broadcast data from keys that are not apple products.
Two master secrets are randomly generated when pairing the AirTag for the first time, which are then saved to the iCloud keychain. Those secrets are then used to generate a new keypair every 15 minutes (at most), and the public key is broadcasted by the tag. Not only does Apple not know what the master secrets are in the first place (because they're stored in the keychain), but that's also an insane number of keys to compare against, with no real possibility to precompute them. And that's a big win in terms of privacy.
I would guess because they don’t care. The marginal cost is zero and I think they would only bother if someone ddoses or it becomes an issue.
Until then, more devices are probably positive for reducing potential pitchforking.
Story time. My wife and I were vacationing in Portugal last summer. She left her purse in a uber car on the way to the airport. The driver found the purse and dumped it after taking 20$ and some costume jewellery. We tracked it to an abandoned parking lot later that day using an AirTag and we ended up finding it using the Location app. We have AirTags in every bag now and we change the batteries on a schedule.
All my bags also now have airtags. I was at Sydney airport lost baggage area a few years ago waiting for a bag I'd found was there after hours of speaking to the airline and airport. Another gentlemen there told them that his item was there. They'd been evacuated from a plane in New Zealand a month before and left his iPad in the seat pocket, and had tracked it back using Find My to Sydney. He travels internationally multiple times per month and said airtags were the best thing he owned.
I've since added them into all my cars, bags and a few honeypots embedded into high value items that might be stolen.
Trying to parse this and can't tell. Can you use this with Apple's AirTags or do you have to create your own tracking devices?
You do need to create your own tracking beacon using one of of the devices supported by the TinyGo Bluetooth package:
https://github.com/hybridgroup/go-haystack?tab=readme-ov-fil...
I hope in the future we can determine the position of beacons to within a cubic metre or less.
My wife has ADD and she loses items often. Tiles aren't very loud and are flaky, we don't have an iPhone to use Airtags. I'm too exhausted to try to master the math needed to locate Bluetooth beacons, but I wish I could. I'd love for there to be a "just add 4 small Bluetooth boards" kind of software project, but it doesn't seem to scratch that itch for most open source devs.
AirTags and an iPhone 11 or newer should exactly solve this for you. Lets you locate AirTags to within a foot.
Rather than using Bluetooth connection strength, it uses Ultra Wideband for precision location. This works on time-flight using the speed of light delay like GPS. When you open the Find My app it very quickly knows the exact distance to the AirTag, and then as you walk around it uses your observed change in position to determine the exact direction the AirTag is from you.
It's really cool tech! You need to use the "Find" feature in the Find My app and not the "Play Sound" feature. And it requires an iPhone 11+ with an H1 Ultra Wideband chip in it. Cost is probably on-par with setting up various bluetooth boards around the house, and way more accurate. Though not as much hackery fun.
https://en.wikipedia.org/wiki/Ultra-wideband#Real-time_locat...
My partner and I are also Android only and honestly, I'm thinking about simply picking up a smashed up iPhone 11 or 12 mini and exclusively relegating it for precision finding needs with AirTags.
I don't think there will be equivalent alternatives, at least not ones with ultra wideband precision location functionality, availability, acceptable price, and robustness.
On the other hand there does seem to be some UWB support in some Android that might work with Tile's UWB: https://www.zdnet.com/article/how-to-enable-uwb-on-android-a...
My understanding is that the Motorola trackers have UWB but phone support isn't widespread yet. I haven't looked deep enough to see if that satisfied your other criteria though.
> I don't think there will be equivalent alternatives, at least not ones with ultra wideband precision location functionality, availability, acceptable price, and robustness.
Why are you so confidently spreading misinformation? Samsung SmartTag+ exists for years now with this precision and capability for Samsung Android phones.
Sometimes people are just incorrect and no ill intent.
I just don't get why I see so many of people on this very site (surprisingly usually Apple or Tesla fans) that so confidently spread misinformation about things they don't have knowledge of and didn't even attempt to check.
Where does this wish to spread baseless misinformation come from?
How come the first thing you assume is ill intent?
How come you are so certain what the person was trying to say without asking a clarification question first?
[flagged]
Again you make unsubstantiated assumption about someone else’s intentions/feelings.
I am not angry at all. I was just wondering why you reacted like that. Nevermind
It’s been normal that people are wrong, yes. “Calling out” vs correcting is unnecessarily hostile.
Sometimes people are just wrong. There doesn’t have to be an ill intent behind it. Educate and move on. What else can you do?
Which is exactly what I did. And it made people here angry.
You made an assumption of intent.
You could have just pointed out the Samsung product.
> You made an assumption of intent.
Where?
"confidently" doesn't assume intent. "misinformation" doesn't assume intent.