Who Can  Devices? Security and Privacy of Apple’s Crowd-Sourced Bluetooth Location Tracking System

Alexander Heinrich; Milan Stute; Tim Kornhuber; Matthias Hollick

Journal & Issue Details

Journal Details

Format: Journal
eISSN: 2299-0984
First Published: 16 Apr 2015
Publication timeframe: 4 times per year
Languages: English

Overnight, Apple has turned its hundreds-of-million-device ecosystem into the world’s largest crowd-sourced location tracking network called o~ine finding (OF). OF leverages online finder devices to detect the presence of missing o~ine devices using Bluetooth and report an approximate location back to the owner via the Internet. While OF is not the first system of its kind, it is the first to commit to strong privacy goals. In particular, OF aims to ensure finder anonymity, prevent tracking of owner devices, and confidentiality of location reports. This paper presents the first comprehensive security and privacy analysis of OF. To this end, we recover the specifications of the closed-source OF protocols by means of reverse engineering. We experimentally show that unauthorized access to the location reports allows for accurate device tracking and retrieving a user’s top locations with an error in the order of 10 meters in urban areas. While we find that OF’s design achieves its privacy goals, we discover two distinct design and implementation flaws that can lead to a location correlation attack and unauthorized access to the location history of the past seven days, which could deanonymize users. Apple has partially addressed the issues following our responsible disclosure. Finally, we make our research artifacts publicly available.

Keywords

Apple
Bluetooth
location privacy
reverse engineering
trackings tags
user identification

References

[1] Oleg Afonin. Extracting and Decrypting iOS Keychain: Physical, Logical and Cloud Options Explored. Elcomsoft Co. Ltd. 2020. url: https://blog.elcomsoft.com/2020/08/extracting-and-decrypting-ios-keychain-physical-logical-and-cloud-options-explored/ (visited on 02/08/2021).Search in Google Scholar

[2] Oleg Afonin. iCloud Authentication Tokens Inside Out. Elcomsoft Co. Ltd. 2017. url: https://blog.elcomsoft.com/2017/11/icloud-authentication-tokens-inside-out (visited on 09/03/2020).Search in Google Scholar

[3] Apple Inc. App Review. url: https://developer.apple.com/app-store/review/ (visited on 02/09/2021).Search in Google Scholar

[4] Apple Inc. Apple Platform Security. 2020. url: https://support.apple.com/guide/security/ (visited on 10/10/2020).Search in Google Scholar

[5] Apple Inc. Core Location. url: https://developer.apple.com/documentation/corelocation/ (visited on 10/10/2020).Search in Google Scholar

[6] Apple Inc. Find My Network Accessory Specification. Version Release R1. 2020. url: https://developer.apple.com/find-my/.Search in Google Scholar

[7] Apple Inc. Maximizing Battery Life and Lifespan. 2020. url: https://www.apple.com/batteries/maximizing-performance/ (visited on 10/07/2020).Search in Google Scholar

[8] Apple Inc. Notarizing macOS Software Before Distribution. url: https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution (visited on 11/24/2020).Search in Google Scholar

[9] Apple Inc. Security. url: https://developer.apple.com/security/ (visited on 09/16/2020).Search in Google Scholar

[10] Apple Inc. WWDC 2019 Keynote. 2019. url: https://developer.apple.com/videos/play/wwdc2019/101/ (visited on 08/17/2020).Search in Google Scholar

[11] Apple Inc. WWDC 2020 Keynote. 2020. url: https://developer.apple.com/videos/play/wwdc2020/101/ (visited on 08/17/2020).Search in Google Scholar

[12] Apple Inc. XPC. url: https://developer.apple.com/documentation/xpc (visited on 09/03/2020).Search in Google Scholar

[13] Diego F. Aranha, Paulo S. L. M. Barreto, Geovandro C. C. F. Pereira, and Jefferson E. Ricardini. “A Note on High-Security General-Purpose Elliptic Curves.” In: Cryptology ePrint Archive (2013). url: https://eprint.iacr.org/2013/647.Search in Google Scholar

[14] Ethan Arbuckle. Unredacting Private os_log Messages on iOS. 2018. url: https://github.com/EthanArbuckle/unredact-private-os_logs (visited on 02/10/2021).Search in Google Scholar

[15] Xiaolong Bai, Luyi Xing, Nan Zhang, Xiaofeng Wang, Xiaojing Liao, Tongxin Li, and Shi-Min Hu. “Staying Secure and Unprepared: Understanding and Mitigating the Security Risks of Apple ZeroConf.” In: IEEE Symposium on Security and Privacy (S&P). 2016. doi: 10.1109/SP.2016.45.10.1109/SP.2016.45Search in Google Scholar

[16] Elaine Barker, Lily Chen, and Richard Davis. Recommendation for Key-Derivation Methods in Key-Establishment Schemes. Special Publication 800-56C Rev. 1. 2018. doi: 10.6028/nist.sp.800-56cr1.10.6028/NIST.SP.800-56Cr1Search in Google Scholar

[17] Daniel J. Bernstein. “Curve25519: New Diffie-Hellman Speed Records.” In: Public Key Cryptography - PKC 2006. Springer Berlin Heidelberg, 2006. doi: 10.1007/11745853_14.10.1007/11745853_14Search in Google Scholar

[18] Daniel J. Bernstein and Tanja Lange. SafeCurves: Choosing Safe Curves for Elliptic-Curve Cryptography. 2020. url: https://safecurves.cr.yp.to (visited on 10/07/2020).Search in Google Scholar

[19] Bluetooth SIG. Bluetooth Core Specification Version 5.2. Tech. rep. 2019.Search in Google Scholar

[20] Daniel R. L. Brown. Standards for Efficient Cryptography 1 (SEC 1). 2009.Search in Google Scholar

[21] Guillaume Celosia and Mathieu Cunche. “Discontinued Privacy: Personal Data Leaks in Apple Bluetooth-Low-Energy Continuity Protocols.” In: Privacy Enhancing Technologies (2020). doi: 10.2478/popets-2020-0003.10.2478/popets-2020-0003Search in Google Scholar

[22] William S. Cleveland and Susan J. Devlin. “Locally Weighted Regression: An Approach to Regression Analysis by Local Fitting.” In: Journal of the American Statistical Association 83.403 (1988). doi: 10.1080/01621459.1988.10478639.10.1080/01621459.1988.10478639Search in Google Scholar

[23] Quang Do, Ben Martini, and Kim-Kwang Raymond Choo. “The Role of the Adversary Model in Applied Security Research.” In: Computers & Security 81 (2019). doi: 10.1016/j.cose.2018.12.002.10.1016/j.cose.2018.12.002Search in Google Scholar

[24] EPSG Geodetic Parameter Dataset. WGS 84 (EPSG:4326). url: https://epsg.org/crs_4326/WGS-84.html (visited on 10/13/2020).Search in Google Scholar

[25] EPSG Geodetic Parameter Dataset. WGS 84 / Pseudo-Mercator (EPSG:3857). url: https://epsg.org/crs_3857/WGS-84-Pseudo-Mercator.html (visited on 10/13/2020).Search in Google Scholar

[26] Martin Ester, Hans-Peter Kriegel, Jörg Sander, and Xiaowei Xu. “A Density-Based Algorithm for Discovering Clusters in Large Spatial Databases with Noise.” In: International Conference on Knowledge Discovery and Data Mining. KDD-96. AAAI Press, 1996. url: http://www.aaai.org/Library/KDD/1996/kdd96-037.php.Search in Google Scholar

[27] George Garside. Show Private Log Messages in Catalina’s Console.app. 2020. url: https://georgegarside.com/blog/macos/sierra-console-private/ (visited on 09/15/2020).Search in Google Scholar

[28] Matthew Green. How does Apple (privately) find your o~ine devices? 2019. url: https://blog.cryptographyengineering.com/2019/06/05/how-does-apple-privately-find-your-o~ine-devices/ (visited on 09/17/2020).Search in Google Scholar

[29] Andy Greenberg. The Clever Cryptography Behind Apple’s ’Find My’ Feature. 2019. url: https://www.wired.com/story/apple-find-my-cryptography-bluetooth/ (visited on 09/17/2020).Search in Google Scholar

[30] Alexander Heinrich, Matthias Hollick, Thomas Schneider, Milan Stute, and Christian Weinert. “PrivateDrop: Practical Privacy-Preserving Authentication for Apple AirDrop.” In: USENIX Security Symposium. To appear. USENIX Association, 2021.Search in Google Scholar

[31] Alexander Heinrich, Milan Stute, and Matthias Hollick. “BTLEmap: Nmap for Bluetooth Low Energy.” In: Conference on Security and Privacy in Wireless and Mobile Networks. ACM, 2020. doi: 10.1145/3395351.3401796.10.1145/3395351.3401796Search in Google Scholar

[32] Hessisches Landesprüfungs- und Untersuchungsamt im Gesundheitswesen. Bulletin Stand 29.07.2020, 14 Uhr. 2020. url: https://soziales.hessen.de/sites/default/files/media/2020_07_29_bulletin_coronavirus.pdf (visited on 11/24/2020).Search in Google Scholar

[33] American National Standards Institute. ANSI X.963 Public-Key Cryptography for the Financial Services Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography. Tech. rep. 2001.Search in Google Scholar

[34] Charles F. F. Karney. “Algorithms for Geodesics.” In: Journal of Geodesy 87 (2013). doi: 10.1007/s00190-012-0578-z.10.1007/s00190-012-0578-zSearch in Google Scholar

[35] Ivan Krsti¢. “Behind the Scenes of iOS and Mac Security.” In: Black Hat USA 2019. 2019. url: https://www.youtube.com/watch?v=3byNNUReyvE&t=2398s (visited on 09/09/2020).Search in Google Scholar

[36] Jeremy Martin, Douglas Alpuche, Kristina Bodeman, Lamont Brown, Ellis Fenske, Lucas Foppe, Travis Mayberry, Erik Rye, Brandon Sipes, and Sam Teplov. “Handoff All Your Privacy: A Review of Apple’s Bluetooth Low Energy Implementation.” In: (2019). doi: 10.2478/popets-2019-0057.10.2478/popets-2019-0057Search in Google Scholar

[37] David A. McGrew, Kevin M. Igoe, and Margaret Salter. Fundamental Elliptic Curve Cryptography Algorithms. RFC 6090. IETF, 2011. doi: 10.17487/RFC6090.10.17487/rfc6090Search in Google Scholar

[38] Yves-Alexandre de Montjoye, César A. Hidalgo, Michel Verleysen, and Vincent D. Blondel. “Unique in the Crowd: The Privacy Bounds of Human Mobility.” In: Scientific Reports 3.1 (2013). doi: 10.1038/srep01376.10.1038/srep01376Search in Google Scholar

[39] National Institute for Standards and Technology. Digital Signature Standard. 186-2. 2000. url: http://csrc.nist.gov/publications/fips/archive/fips186-2/fips186-2.pdf.Search in Google Scholar

[40] Ole André V. Ravnås. Frida: A World-Class Dynamic Instrumentation Framework. 2020. url: https://frida.re (visited on 09/23/2020).Search in Google Scholar

[41] Julian F. Reschke. The ’Basic’ HTTP Authentication Scheme. RFC 7617. IETF, 2015. doi: 10.17487/RFC7617.10.17487/RFC7617Search in Google Scholar

[42] Jan Ruge, Jiska Classen, Francesco Gringoli, and Matthias Hollick. “Frankenstein: Advanced Wireless Fuzzing to Exploit New Bluetooth Escalation Targets.” In: USENIX Security Symposium. USENIX Association, 2020. url: https://www.usenix.org/conference/usenixsecurity20/presentation/ruge.Search in Google Scholar

[43] Erich Schubert, Jörg Sander, Martin Ester, Hans Peter Kriegel, and Xiaowei Xu. “DBSCAN Revisited, Revisited: Why and How You Should (Still) Use DBSCAN.” In: ACM Transactions on Database Systems 42.3 (2017). doi: 10 . 1145/3068335.Search in Google Scholar

[44] Milan Stute. “Availability by Design: Practical Denial-of-Service-Resilient Distributed Wireless Networks.” PhD thesis. 2020. doi: 10.25534/tuprints-00011457.Search in Google Scholar

[45] Milan Stute, Alexander Heinrich, Jannik Lorenz, and Matthias Hollick. “Disrupting Continuity of Apple’s Wireless Ecosystem Security: New Tracking, DoS, and MitM Attacks on iOS and macOS Through Bluetooth Low Energy, AWDL, and Wi-Fi.” In: USENIX Security Symposium. To appear. USENIX Association, 2021.Search in Google Scholar

[46] Milan Stute, David Kreitschmann, and Matthias Hollick. “One Billion Apples’ Secret Sauce: Recipe for the Apple Wireless Direct Link Ad hoc Protocol.” In: International Conference on Mobile Computing and Networking. ACM, 2018. doi: 10.1145/3241539.3241566.10.1145/3241539.3241566Search in Google Scholar

[47] Milan Stute, David Kreitschmann, and Matthias Hollick. The Open Wireless Link Project. 2018. url: https://owlink.org.Search in Google Scholar

[48] Milan Stute, Sashank Narain, Alex Mariotto, Alexander Heinrich, David Kreitschmann, Guevara Noubir, and Matthias Hollick. “A Billion Open Interfaces for Eve and Mallory: MitM, DoS, and Tracking Attacks on iOS and macOS Through Apple Wireless Direct Link.” In: USENIX Security Symposium. USENIX Association, 2019. url: https://www.usenix.org/conference/usenixsecurity19/presentation/stute.Search in Google Scholar

[49] Bernd Thomas. SensorLog. 2020. url: https://apps.apple.com/us/app/sensorlog/id388014573 (visited on 09/04/2020).Search in Google Scholar

[50] Nghia Tran and Hang Nguyen. Proxyman. url: https://proxyman.io (visited on 09/15/2020).Search in Google Scholar

[51] Mira Weller, Jiska Classen, Fabian Ullrich, Denis Waßmann, and Erik Tews. “Lost and Found: Stopping Bluetooth Finders from Leaking Private Information.” In: Conference on Security and Privacy in Wireless and Mobile Networks. ACM, 2020. doi: 10.1145/3395351.3399422.10.1145/3395351.3399422Search in Google Scholar

[52] Hui Zang and Jean Bolot. “Anonymization of Location Data Does Not Work: A Large-Scale Measurement Study.” In: International Conference on Mobile Computing and Networking. ACM, 2011. doi: 10.1145/2030613.2030630.10.1145/2030613.2030630Search in Google Scholar

Proceedings on Privacy Enhancing Technologies

Who Can Find My Devices? Security and Privacy of Apple’s Crowd-Sourced Bluetooth Location Tracking System

Alexander Heinrich,Alexander HeinrichMilan Stute,Milan StuteTim Kornhuber andTim KornhuberMatthias HollickMatthias Hollick

Published Online: 27 Apr 2021

Page range: 227 - 245

Received: 30 Nov 2020

Accepted: 16 Mar 2021

Keywords

Plan your remote conference with Sciendo

Alexander Heinrich,
Alexander Heinrich
Milan Stute,
Milan Stute
Tim Kornhuber and
Tim Kornhuber
Matthias Hollick
Matthias Hollick