114 makezine.com
SKILL BUILDER: Find My Trackers
Adding Features: Arbitrary Data Transmission
I was curious whether Find My’s offline finding network could be (ab)used to upload arbitrary data to the internet, from devices that are not connected to Wi-Fi or mobile internet (Figure F).
Such a technique could be employed by small
sensors in uncontrolled environments to avoid the
cost and power consumption of mobile internet.
It could also be interesting for exfiltrating data
from Faraday-shielded sites that are occasionally
visited by iPhone users.
I found two options to accomplish this: The
first relies on a 1-byte “status” field that is part
of Find My broadcasts and forwarded as-is to the
Apple backend where it can be retrieved again.
This method has been implemented by Daniel
Dakhno in the FakeTag project (github.com/
dakhnod/FakeTag) to continuously transmit the
state of a 6-bit counter (and 2 bits of battery level
information).
The second option is more generic and would
still work if Apple were to restrict the usage of the
status byte (e.g. via an iOS update). The idea is
that we can treat the Apple backend as something
like a dead drop, or more precisely as a public
key-value store with public key hashes as key, and
encrypted location reports as value, with basic
operations:
• We can probe whether location reports for a specific public key hash exist or not
• We can add location reports for a specific public key hash by broadcasting the corresponding public key
I guess you can already see where this is going:
We can set arbitrary bits in the shared key-value
store and query them again. If both the sender
and receiver agree on an encoding scheme, we
can transfer arbitrary data.
Because there’s no guarantee as to when or
whether specific broadcasts are uploaded to
the Apple backend as location reports, our data
encoding must be independent of the ordering in
which location reports are received, and able to
recover partial data streams.
To achieve this, I decided to encode a single bit
of data per broadcast together with an index value
indicating which bit of the message is being set.
Additional message and modem ID fields allow
the system to be reused for multiple messages
and by multiple users.
For sending a specific bit, we create a 28-byte
array of the form:
[4b bit index] [4b message ID] [4b modem ID] [padding 0s...] [bit value]
and treat this as the public key in order to send
BLE advertisements to broadcast, for example,
Figure F: Fabian Bräunlein
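The key layout and the order-independent decoding described above, as an added, self-contained simulation written for this edit (it is not the author's code, not the FakeTag project, and not Apple's service). The "dead drop" is an in-memory set that only answers present/absent, standing in for the key-value store the article describes; nothing here touches Bluetooth or a network. The article's "4b" fields are taken to mean 4-byte integers, the big-endian byte order and the sample message, message ID and modem ID are constructed assumptions. The point the simulation makes is the one the text argues: because every report carries its own bit index, the receiver can rebuild whatever subset of bits has arrived, in any order, and knows exactly which indices are still missing.

```python
import random
import struct

KEY_LEN = 28  # the article's 28-byte array that is treated as the public key


def encode_bit_key(bit_index: int, message_id: int, modem_id: int, bit_value: int) -> bytes:
    """Build [4b bit index] [4b message ID] [4b modem ID] [padding 0s...] [bit value].
    Big-endian packing of the three 4-byte fields is an assumption, not from the article."""
    if bit_value not in (0, 1):
        raise ValueError("bit_value must be 0 or 1")
    header = struct.pack(">III", bit_index, message_id, modem_id)
    padding = bytes(KEY_LEN - len(header) - 1)  # zero padding up to the final byte
    return header + padding + bytes([bit_value])


def decode_bit_key(key: bytes):
    """Inverse of encode_bit_key; returns (bit_index, message_id, modem_id, bit_value)."""
    if len(key) != KEY_LEN:
        raise ValueError("unexpected key length")
    bit_index, message_id, modem_id = struct.unpack(">III", key[:12])
    return bit_index, message_id, modem_id, key[-1]


def message_to_keys(message: bytes, message_id: int, modem_id: int) -> list:
    """One key per message bit, MSB first within each byte (constructed convention)."""
    keys = []
    for byte_pos, byte in enumerate(message):
        for bit_pos in range(8):
            bit = (byte >> (7 - bit_pos)) & 1
            keys.append(encode_bit_key(byte_pos * 8 + bit_pos, message_id, modem_id, bit))
    return keys


class DeadDropModel:
    """In-memory stand-in for the backend as the article models it: a key is present once a
    report for it was uploaded, and probing only reveals presence. Constructed for this demo."""

    def __init__(self):
        self._present = set()

    def upload(self, key: bytes) -> None:
        self._present.add(key)

    def probe(self, key: bytes) -> bool:
        return key in self._present


def recover_message(store: DeadDropModel, message_id: int, modem_id: int, length_bytes: int):
    """Probe the bit=0 and bit=1 key for every index. Returns (bytes reconstructed so far,
    set of unresolved bit indices). Independent of the order in which keys were uploaded."""
    bits = {}
    missing = set()
    for idx in range(length_bytes * 8):
        zero = store.probe(encode_bit_key(idx, message_id, modem_id, 0))
        one = store.probe(encode_bit_key(idx, message_id, modem_id, 1))
        if zero == one:  # neither uploaded yet, or both (conflict): leave unresolved
            missing.add(idx)
        else:
            bits[idx] = 1 if one else 0
    out = bytearray(length_bytes)
    for idx, bit in bits.items():
        if bit:
            out[idx // 8] |= 1 << (7 - idx % 8)
    return bytes(out), missing


def simulate(message: bytes, drop_fraction: float, seed: int = 1):
    """Shuffle the keys (arbitrary arrival order) and drop a fraction of them (reports that were
    never uploaded), then decode from whatever reached the store. Constructed IDs 7 and 42."""
    rng = random.Random(seed)
    keys = message_to_keys(message, message_id=7, modem_id=42)
    rng.shuffle(keys)
    kept = keys[: int(len(keys) * (1 - drop_fraction))]
    store = DeadDropModel()
    for key in kept:
        store.upload(key)
    return recover_message(store, 7, 42, len(message))


if __name__ == "__main__":
    full, missing = simulate(b"hello", drop_fraction=0.0)
    print("no loss:", full, "missing bits:", sorted(missing))
    partial, missing = simulate(b"hello", drop_fraction=0.25)
    print("25% loss:", partial, "missing bits:", sorted(missing))
```

With no loss the message comes back intact; with a quarter of the reports dropped, the decoder still places every bit that did arrive and reports exactly which indices remain open, which is what lets a sender simply keep broadcasting until the receiver sees no gaps.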