Sciendo Logo
  1. bookVolume 2021 (2021): Issue 3 (July 2021)
Proceedings on Privacy Enhancing Technologies's Cover Image
Proceedings on Privacy Enhancing Technologies
Journal Details
License
Format
Journal
First Published
16 Apr 2015
Publication timeframe
4 times per year
Languages
English
access type Open Access

Who Can Find My Devices? Security and Privacy of Apple’s Crowd-Sourced Bluetooth Location Tracking System

Alexander Heinrich,Alexander Heinrich
Milan Stute,Milan Stute
Tim Kornhuber andTim Kornhuber
Matthias HollickMatthias Hollick
Published Online: 27 Apr 2021
Page range: 227 - 245
Received: 30 Nov 2020
Accepted: 16 Mar 2021
Journal Details
License
Format
Journal
First Published
16 Apr 2015
Publication timeframe
4 times per year
Languages
English
Abstract

Overnight, Apple has turned its hundreds-of-million-device ecosystem into the world’s largest crowd-sourced location tracking network called o~ine finding (OF). OF leverages online finder devices to detect the presence of missing o~ine devices using Bluetooth and report an approximate location back to the owner via the Internet. While OF is not the first system of its kind, it is the first to commit to strong privacy goals. In particular, OF aims to ensure finder anonymity, prevent tracking of owner devices, and confidentiality of location reports. This paper presents the first comprehensive security and privacy analysis of OF. To this end, we recover the specifications of the closed-source OF protocols by means of reverse engineering. We experimentally show that unauthorized access to the location reports allows for accurate device tracking and retrieving a user’s top locations with an error in the order of 10 meters in urban areas. While we find that OF’s design achieves its privacy goals, we discover two distinct design and implementation flaws that can lead to a location correlation attack and unauthorized access to the location history of the past seven days, which could deanonymize users. Apple has partially addressed the issues following our responsible disclosure. Finally, we make our research artifacts publicly available.

Keywords

  • Apple
  • Bluetooth
  • location privacy
  • reverse engineering
  • trackings tags
  • user identification

[1] Oleg Afonin. Extracting and Decrypting iOS Keychain: Physical, Logical and Cloud Options Explored. Elcomsoft Co. Ltd. 2020. url: https://blog.elcomsoft.com/2020/08/extracting-and-decrypting-ios-keychain-physical-logical-and-cloud-options-explored/ (visited on 02/08/2021).Search in Google Scholar

[2] Oleg Afonin. iCloud Authentication Tokens Inside Out. Elcomsoft Co. Ltd. 2017. url: https://blog.elcomsoft.com/2017/11/icloud-authentication-tokens-inside-out (visited on 09/03/2020).Search in Google Scholar

[3] Apple Inc. App Review. url: https://developer.apple.com/app-store/review/ (visited on 02/09/2021).Search in Google Scholar

[4] Apple Inc. Apple Platform Security. 2020. url: https://support.apple.com/guide/security/ (visited on 10/10/2020).Search in Google Scholar

[5] Apple Inc. Core Location. url: https://developer.apple.com/documentation/corelocation/ (visited on 10/10/2020).Search in Google Scholar

[6] Apple Inc. Find My Network Accessory Specification. Version Release R1. 2020. url: https://developer.apple.com/find-my/.Search in Google Scholar

[7] Apple Inc. Maximizing Battery Life and Lifespan. 2020. url: https://www.apple.com/batteries/maximizing-performance/ (visited on 10/07/2020).Search in Google Scholar

[8] Apple Inc. Notarizing macOS Software Before Distribution. url: https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution (visited on 11/24/2020).Search in Google Scholar

[9] Apple Inc. Security. url: https://developer.apple.com/security/ (visited on 09/16/2020).Search in Google Scholar

[10] Apple Inc. WWDC 2019 Keynote. 2019. url: https://developer.apple.com/videos/play/wwdc2019/101/ (visited on 08/17/2020).Search in Google Scholar

[11] Apple Inc. WWDC 2020 Keynote. 2020. url: https://developer.apple.com/videos/play/wwdc2020/101/ (visited on 08/17/2020).Search in Google Scholar

[12] Apple Inc. XPC. url: https://developer.apple.com/documentation/xpc (visited on 09/03/2020).Search in Google Scholar

[13] Diego F. Aranha, Paulo S. L. M. Barreto, Geovandro C. C. F. Pereira, and Jefferson E. Ricardini. “A Note on High-Security General-Purpose Elliptic Curves.” In: Cryptology ePrint Archive (2013). url: https://eprint.iacr.org/2013/647.Search in Google Scholar

[14] Ethan Arbuckle. Unredacting Private os_log Messages on iOS. 2018. url: https://github.com/EthanArbuckle/unredact-private-os_logs (visited on 02/10/2021).Search in Google Scholar

[15] Xiaolong Bai, Luyi Xing, Nan Zhang, Xiaofeng Wang, Xiaojing Liao, Tongxin Li, and Shi-Min Hu. “Staying Secure and Unprepared: Understanding and Mitigating the Security Risks of Apple ZeroConf.” In: IEEE Symposium on Security and Privacy (S&P). 2016. doi: 10.1109/SP.2016.45.Search in Google Scholar

[16] Elaine Barker, Lily Chen, and Richard Davis. Recommendation for Key-Derivation Methods in Key-Establishment Schemes. Special Publication 800-56C Rev. 1. 2018. doi: 10.6028/nist.sp.800-56cr1.Search in Google Scholar

[17] Daniel J. Bernstein. “Curve25519: New Diffie-Hellman Speed Records.” In: Public Key Cryptography - PKC 2006. Springer Berlin Heidelberg, 2006. doi: 10.1007/11745853_14.Search in Google Scholar

[18] Daniel J. Bernstein and Tanja Lange. SafeCurves: Choosing Safe Curves for Elliptic-Curve Cryptography. 2020. url: https://safecurves.cr.yp.to (visited on 10/07/2020).Search in Google Scholar

[19] Bluetooth SIG. Bluetooth Core Specification Version 5.2. Tech. rep. 2019.Search in Google Scholar

[20] Daniel R. L. Brown. Standards for Efficient Cryptography 1 (SEC 1). 2009.Search in Google Scholar

[21] Guillaume Celosia and Mathieu Cunche. “Discontinued Privacy: Personal Data Leaks in Apple Bluetooth-Low-Energy Continuity Protocols.” In: Privacy Enhancing Technologies (2020). doi: 10.2478/popets-2020-0003.Search in Google Scholar

[22] William S. Cleveland and Susan J. Devlin. “Locally Weighted Regression: An Approach to Regression Analysis by Local Fitting.” In: Journal of the American Statistical Association 83.403 (1988). doi: 10.1080/01621459.1988.10478639.Search in Google Scholar

[23] Quang Do, Ben Martini, and Kim-Kwang Raymond Choo. “The Role of the Adversary Model in Applied Security Research.” In: Computers & Security 81 (2019). doi: 10.1016/j.cose.2018.12.002.Search in Google Scholar

[24] EPSG Geodetic Parameter Dataset. WGS 84 (EPSG:4326). url: https://epsg.org/crs_4326/WGS-84.html (visited on 10/13/2020).Search in Google Scholar

[25] EPSG Geodetic Parameter Dataset. WGS 84 / Pseudo-Mercator (EPSG:3857). url: https://epsg.org/crs_3857/WGS-84-Pseudo-Mercator.html (visited on 10/13/2020).Search in Google Scholar

[26] Martin Ester, Hans-Peter Kriegel, Jörg Sander, and Xiaowei Xu. “A Density-Based Algorithm for Discovering Clusters in Large Spatial Databases with Noise.” In: International Conference on Knowledge Discovery and Data Mining. KDD-96. AAAI Press, 1996. url: http://www.aaai.org/Library/KDD/1996/kdd96-037.php.Search in Google Scholar

[27] George Garside. Show Private Log Messages in Catalina’s Console.app. 2020. url: https://georgegarside.com/blog/macos/sierra-console-private/ (visited on 09/15/2020).Search in Google Scholar

[28] Matthew Green. How does Apple (privately) find your o~ine devices? 2019. url: https://blog.cryptographyengineering.com/2019/06/05/how-does-apple-privately-find-your-o~ine-devices/ (visited on 09/17/2020).Search in Google Scholar

[29] Andy Greenberg. The Clever Cryptography Behind Apple’s ’Find My’ Feature. 2019. url: https://www.wired.com/story/apple-find-my-cryptography-bluetooth/ (visited on 09/17/2020).Search in Google Scholar

[30] Alexander Heinrich, Matthias Hollick, Thomas Schneider, Milan Stute, and Christian Weinert. “PrivateDrop: Practical Privacy-Preserving Authentication for Apple AirDrop.” In: USENIX Security Symposium. To appear. USENIX Association, 2021.Search in Google Scholar

[31] Alexander Heinrich, Milan Stute, and Matthias Hollick. “BTLEmap: Nmap for Bluetooth Low Energy.” In: Conference on Security and Privacy in Wireless and Mobile Networks. ACM, 2020. doi: 10.1145/3395351.3401796.Search in Google Scholar

[32] Hessisches Landesprüfungs- und Untersuchungsamt im Gesundheitswesen. Bulletin Stand 29.07.2020, 14 Uhr. 2020. url: https://soziales.hessen.de/sites/default/files/media/2020_07_29_bulletin_coronavirus.pdf (visited on 11/24/2020).Search in Google Scholar

[33] American National Standards Institute. ANSI X.963 Public-Key Cryptography for the Financial Services Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography. Tech. rep. 2001.Search in Google Scholar

[34] Charles F. F. Karney. “Algorithms for Geodesics.” In: Journal of Geodesy 87 (2013). doi: 10.1007/s00190-012-0578-z.Search in Google Scholar

[35] Ivan Krsti¢. “Behind the Scenes of iOS and Mac Security.” In: Black Hat USA 2019. 2019. url: https://www.youtube.com/watch?v=3byNNUReyvE&t=2398s (visited on 09/09/2020).Search in Google Scholar

[36] Jeremy Martin, Douglas Alpuche, Kristina Bodeman, Lamont Brown, Ellis Fenske, Lucas Foppe, Travis Mayberry, Erik Rye, Brandon Sipes, and Sam Teplov. “Handoff All Your Privacy: A Review of Apple’s Bluetooth Low Energy Implementation.” In: (2019). doi: 10.2478/popets-2019-0057.Search in Google Scholar

[37] David A. McGrew, Kevin M. Igoe, and Margaret Salter. Fundamental Elliptic Curve Cryptography Algorithms. RFC 6090. IETF, 2011. doi: 10.17487/RFC6090.Search in Google Scholar

[38] Yves-Alexandre de Montjoye, César A. Hidalgo, Michel Verleysen, and Vincent D. Blondel. “Unique in the Crowd: The Privacy Bounds of Human Mobility.” In: Scientific Reports 3.1 (2013). doi: 10.1038/srep01376.Search in Google Scholar

[39] National Institute for Standards and Technology. Digital Signature Standard. 186-2. 2000. url: http://csrc.nist.gov/publications/fips/archive/fips186-2/fips186-2.pdf.Search in Google Scholar

[40] Ole André V. Ravnås. Frida: A World-Class Dynamic Instrumentation Framework. 2020. url: https://frida.re (visited on 09/23/2020).Search in Google Scholar

[41] Julian F. Reschke. The ’Basic’ HTTP Authentication Scheme. RFC 7617. IETF, 2015. doi: 10.17487/RFC7617.Search in Google Scholar

[42] Jan Ruge, Jiska Classen, Francesco Gringoli, and Matthias Hollick. “Frankenstein: Advanced Wireless Fuzzing to Exploit New Bluetooth Escalation Targets.” In: USENIX Security Symposium. USENIX Association, 2020. url: https://www.usenix.org/conference/usenixsecurity20/presentation/ruge.Search in Google Scholar

[43] Erich Schubert, Jörg Sander, Martin Ester, Hans Peter Kriegel, and Xiaowei Xu. “DBSCAN Revisited, Revisited: Why and How You Should (Still) Use DBSCAN.” In: ACM Transactions on Database Systems 42.3 (2017). doi: 10 . 1145/3068335.Search in Google Scholar

[44] Milan Stute. “Availability by Design: Practical Denial-of-Service-Resilient Distributed Wireless Networks.” PhD thesis. 2020. doi: 10.25534/tuprints-00011457.Search in Google Scholar

[45] Milan Stute, Alexander Heinrich, Jannik Lorenz, and Matthias Hollick. “Disrupting Continuity of Apple’s Wireless Ecosystem Security: New Tracking, DoS, and MitM Attacks on iOS and macOS Through Bluetooth Low Energy, AWDL, and Wi-Fi.” In: USENIX Security Symposium. To appear. USENIX Association, 2021.Search in Google Scholar

[46] Milan Stute, David Kreitschmann, and Matthias Hollick. “One Billion Apples’ Secret Sauce: Recipe for the Apple Wireless Direct Link Ad hoc Protocol.” In: International Conference on Mobile Computing and Networking. ACM, 2018. doi: 10.1145/3241539.3241566.Search in Google Scholar

[47] Milan Stute, David Kreitschmann, and Matthias Hollick. The Open Wireless Link Project. 2018. url: https://owlink.org.Search in Google Scholar

[48] Milan Stute, Sashank Narain, Alex Mariotto, Alexander Heinrich, David Kreitschmann, Guevara Noubir, and Matthias Hollick. “A Billion Open Interfaces for Eve and Mallory: MitM, DoS, and Tracking Attacks on iOS and macOS Through Apple Wireless Direct Link.” In: USENIX Security Symposium. USENIX Association, 2019. url: https://www.usenix.org/conference/usenixsecurity19/presentation/stute.Search in Google Scholar

[49] Bernd Thomas. SensorLog. 2020. url: https://apps.apple.com/us/app/sensorlog/id388014573 (visited on 09/04/2020).Search in Google Scholar

[50] Nghia Tran and Hang Nguyen. Proxyman. url: https://proxyman.io (visited on 09/15/2020).Search in Google Scholar

[51] Mira Weller, Jiska Classen, Fabian Ullrich, Denis Waßmann, and Erik Tews. “Lost and Found: Stopping Bluetooth Finders from Leaking Private Information.” In: Conference on Security and Privacy in Wireless and Mobile Networks. ACM, 2020. doi: 10.1145/3395351.3399422.Search in Google Scholar

[52] Hui Zang and Jean Bolot. “Anonymization of Location Data Does Not Work: A Large-Scale Measurement Study.” In: International Conference on Mobile Computing and Networking. ACM, 2011. doi: 10.1145/2030613.2030630.Search in Google Scholar

Recommended articles from Trend MD

Plan your remote conference with Sciendo