Apple has promised to open up its Find My app to third-party accessory makers. But ahead of that, there’s a new tool that will let anybody make their own Bluetooth tracking tag to use with the Find My network so they can track its location. OpenHaystack is a new open-source tool developed by security researchers at the Secure Mobile Networking Lab, who have essentially reverse-engineered the way Apple devices register themselves to the Find My mesh network.
It is, in short, a way to create your own DIY AirTags today.
OpenHaystack works via a custom Mac app that tracks the location of the custom tags you create. Right now the tool has direct support for building a tracking tag from the BBC micro:bit mini computer, though support for other Bluetooth Low Energy (BLE) devices could be added by other developers in the future. Once a tag is registered on Apple’s Find My network, the OpenHaystack app can report its location, just as Apple’s Find My app does for iPhones and other Apple devices.
The whole system is a bit of a hack — in the sense that it’s complex, not in the sense that it’s actually hacking anything. It uses a plugin for Apple Mail (which authenticates you as a genuine Apple user) to get the necessary access to Apple’s Find My network to create and locate the keys — so Mail needs to be running for OpenHaystack to work.
There don’t appear to be serious security implications for the Find My network itself, either (though the team has submitted other bug reports to Apple). That doesn’t mean you should just go ahead and start using OpenHaystack, however. There’s an important disclaimer on the project:
OpenHaystack is experimental software. The code is untested and incomplete. For example, OpenHaystack tags using our firmware broadcast a fixed public key and, therefore, are trackable by other devices in proximity (this might change in a future release). OpenHaystack is not affiliated with or endorsed by Apple Inc.
A high-level understanding of how the Find My security model works also helps explain why OpenHaystack is possible.
Find My works by using a combination of public and private keys. Any Apple user can access the public keys for devices in the Find My network, but you need the matching private key to actually read the location information. This means not even Apple can access your location without your private keys. The network works because Apple devices collectively track the public keys they see, while only the holder of the private key can recover the location data.
What OpenHaystack does is create one of those public / private key pairs for your own Bluetooth tag and uses Apple Mail to register it in the Find My network. To Apple, it just looks like another iPhone. The Mac app then accesses the public key database, pairs it with the private key you created, and bam: secure location data.
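A toy model of the key-based design described above, added here as an example and not code from the OpenHaystack project or Apple: the tag holds a key pair and broadcasts only the public half, a finder encrypts its location against that key, the report is filed under a hash of the public key, and only the private-key holder can decrypt it. The curve (P-256) and the SHA-256 key derivation are simplifications chosen for this example, not Apple's actual parameters; the constant index also shows why a fixed broadcast key, as the project's disclaimer notes, makes a tag trackable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// Report is what a finder uploads: an index derived only from the tag's
// advertised public key, plus a ciphertext that only the key owner can open.
type Report struct {
	Index        string // hex(SHA-256(tag public key)); constant for a fixed key
	EphemeralPub []byte // finder's one-time ECDH public key
	Ciphertext   []byte // AES-GCM output with the 12-byte nonce prepended
}

var curve = ecdh.P256() // assumption: stand-in curve, not Apple's actual parameters
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// gcmFor derives an AES-256-GCM cipher from an ECDH shared secret (simplified KDF, assumption).
func gcmFor(shared []byte) cipher.AEAD {
	k := sha256.Sum256(shared)
	return must(cipher.NewGCM(must(aes.NewCipher(k[:]))))
}

// FinderReport runs on a nearby device that sees only the tag's broadcast public key.
func FinderReport(tagPub []byte, location string) Report {
	eph := must(curve.GenerateKey(rand.Reader))
	g := gcmFor(must(eph.ECDH(must(curve.NewPublicKey(tagPub)))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	idx := sha256.Sum256(tagPub)
	return Report{hex.EncodeToString(idx[:]), eph.PublicKey().Bytes(), g.Seal(nonce, nonce, []byte(location), nil)}
}

// OwnerDecrypt runs on the owner's Mac, the only place the tag's private key exists.
func OwnerDecrypt(priv *ecdh.PrivateKey, r Report) (string, error) {
	g := gcmFor(must(priv.ECDH(must(curve.NewPublicKey(r.EphemeralPub)))))
	n := g.NonceSize()
	pt, err := g.Open(nil, r.Ciphertext[:n], r.Ciphertext[n:], nil)
	return string(pt), err
}
```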
From the way it’s designed, it seems like it might be difficult for Apple to cut off OpenHaystack easily without also cutting off a bunch of older Apple devices. However, it’s also surely true that Apple as a company won’t like the whole thing and may try to find a way to block it. A developer could use the system to create a way to add Android devices to the Find My network.
The team behind OpenHaystack has written a paper detailing its methods and disclosing a now-fixed security flaw. It also released the source code for its firmware, which other developers could use to adapt OpenHaystack to other BLE devices.
Apple’s official support for third-party accessories is still coming. Belkin has already announced a set of earbuds that will support Find My. Given how complex the setup of OpenHaystack is, it probably won’t gain mass adoption. It’s similar in some ways to AirMessage and Beeper, two tools that use Mac utilities to redirect iMessages to Android devices. Apple’s ecosystem is locked down in any number of ways, but the Mac finds a way.