Apple has promised to open its Find My app to third-party accessory manufacturers. Before that happens, a new tool lets anyone build their own Bluetooth tracking tag that rides on the Find My network, so they can follow the tag's location. OpenHaystack is a new open source tool developed by security researchers at the Secure Mobile Networking Lab, who essentially reverse-engineered how Apple devices participate in the crowd-sourced Find My network.
In short, it is a way to create your own DIY AirTags today.
OpenHaystack works through a custom Mac application that tracks the location of tags you build yourself. For now the tool directly supports building a tag from the BBC micro:bit microcomputer, although support for other Bluetooth Low Energy (BLE) devices may be added by other developers in the future. Once a tag has been picked up by Apple's Find My network, the OpenHaystack app can report its location, just as Apple's Find My app does for iPhones and other Apple devices.
The whole system is a bit of a hack, in the sense that it is complex, not in the sense that it breaks into anything. It uses a plug-in for Apple Mail (which authenticates you as a genuine Apple user) to obtain the access to Apple's Find My servers needed to fetch location reports for the keys you create, so Mail needs to be running for OpenHaystack to work.
There do not appear to be any serious security implications for the Find My network itself (although the team has sent other bug reports to Apple). That does not mean you should simply start using OpenHaystack; the project carries an important caveat:
OpenHaystack is experimental software. The code has not been tested and is incomplete. For example, OpenHaystack tags using our firmware transmit a fixed public key and are therefore traceable by other nearby devices (this may change in a future version). OpenHaystack is not affiliated with or endorsed by Apple Inc.
A high-level understanding of the security model behind Find My also helps explain why OpenHaystack is possible.
Find My works using public and private key pairs. A device on the Find My network broadcasts a public key over Bluetooth; nearby Apple devices that pick it up encrypt their own location with that public key and upload the result to Apple. Anyone who knows the public key can ask Apple for those reports, but only the holder of the matching private key can decrypt them into an actual location. This means that not even Apple can read your location without your private key: the network works because the Apple devices in the crowd only ever handle public keys and ciphertext, while the owner alone holds the private key.
What OpenHaystack does is generate one of these public/private key pairs for its own Bluetooth tag, which then broadcasts the public key just as an Apple device would. To the iPhones that pick it up, and to Apple's servers, it looks like just another Apple device. The Mac application then uses the Mail plug-in to fetch the encrypted reports filed for that public key, decrypts them with the private key you created and, bam: securely stored location data.
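To make the key model concrete, here is a small Python model of the scheme described above, added for this edit and not code from OpenHaystack or Apple. It uses the curve Find My actually uses (NIST P-224) and the same indexing idea (reports stored under a hash of the advertised public key), but swaps Find My's X9.63 key derivation and AES-GCM for a SHA-256 keystream with an HMAC so that it runs on the Python standard library alone; the two finder locations are constructed sample values. Running demo() shows three things: the owner recovers both locations from nothing but the private key, a party holding the stored ciphertext and a different key gets a failed MAC, and because the tag advertises one fixed key both reports land under the same index, which is exactly the traceability caveat quoted from the README above.

```python
"""Toy model of the Find My key scheme (constructed example, not OpenHaystack
or Apple code): tag broadcasts a public key, finders encrypt to it, the server
stores ciphertext under a hash of the key, only the private key decrypts."""
import hashlib
import hmac
import json
import secrets

# NIST P-224, the curve Find My uses.  The real X9.63 KDF and AES-GCM are
# replaced by a SHA-256 keystream plus HMAC to stay within the stdlib.
P = 2**224 - 2**96 + 1
A = P - 3
B = 0xb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4
G = (0xb70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21,
     0xbd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34)
N = 0xffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc


def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, ec_mul(d, G)


def pub_bytes(pt):
    return pt[0].to_bytes(28, "big") + pt[1].to_bytes(28, "big")


def pub_from_bytes(b):
    return int.from_bytes(b[:28], "big"), int.from_bytes(b[28:], "big")


def _derive(shared_pt, eph):
    """Split SHA-256(shared x-coordinate || ephemeral key) into enc/mac keys."""
    km = hashlib.sha256(shared_pt[0].to_bytes(28, "big") + eph).digest()
    return km[:16], km[16:]


def _xor_stream(key, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def finder_encrypt(adv, location):
    """A passing iPhone encrypts its own location to the key the tag advertises."""
    d_e, R = keygen()
    eph = pub_bytes(R)
    enc_key, mac_key = _derive(ec_mul(d_e, pub_from_bytes(adv)), eph)
    ct = _xor_stream(enc_key, json.dumps(location).encode())
    return eph + ct + hmac.new(mac_key, eph + ct, hashlib.sha256).digest()


def report_index(adv):
    """Server-side lookup key: a hash of the advertised public key."""
    return hashlib.sha256(adv).hexdigest()


def owner_decrypt(d_tag, report):
    """Only the private key recovers the shared secret; anything else fails the MAC."""
    eph, ct, mac = report[:56], report[56:-32], report[-32:]
    enc_key, mac_key = _derive(ec_mul(d_tag, pub_from_bytes(eph)), eph)
    expect = hmac.new(mac_key, eph + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expect):
        raise ValueError("report was not encrypted to this private key")
    return json.loads(_xor_stream(enc_key, ct))


def demo():
    """Tag keygen -> two finders upload -> server holds ciphertext -> owner decrypts."""
    d_tag, tag_pub = keygen()
    adv = pub_bytes(tag_pub)  # the fixed key the tag broadcasts over BLE
    server = {}               # Apple's role: opaque reports keyed by hash
    for loc in ({"lat": 49.8728, "lon": 8.6512}, {"lat": 49.8770, "lon": 8.6550}):
        server.setdefault(report_index(adv), []).append(finder_encrypt(adv, loc))
    mine = report_index(pub_bytes(ec_mul(d_tag, G)))  # owner recomputes the index
    locations = [owner_decrypt(d_tag, r) for r in server[mine]]
    try:  # ciphertext plus a different private key yields nothing
        owner_decrypt(keygen()[0], server[mine][0])
        leaked = True
    except ValueError:
        leaked = False
    return locations, len(server), leaked  # one index for both reports: linkable
```

The single shared index returned by demo() is the point the README warns about: a real AirTag rotates its advertised key so that successive reports cannot be tied together by an observer, whereas the current OpenHaystack firmware broadcasts one fixed key.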
Judging by the design, it looks like it would be difficult for Apple to cut off OpenHaystack without also cutting off a lot of older Apple devices. It is also true, though, that Apple as a company is unlikely to be thrilled about it and may try to find a way to block it. A developer could use the system to build a way to add Android devices to the Find My network.
The team behind OpenHaystack wrote an article detailing its methods and disclosing a security hole that has since been fixed. It also released the source code for its firmware, which other developers could use to adapt OpenHaystack to other BLE devices.
Apple's official support for third-party accessories is still coming; Belkin has already announced a set of headphones compatible with Find My. Given the complexity of the OpenHaystack setup, it is unlikely to be adopted en masse. It is similar in some ways to AirMessage and Beeper, two tools that use Mac utilities to relay iMessages to Android devices. The Apple ecosystem is locked down in several ways, but the Mac finds a way.