openhaystack

Build your own 'AirTags' 🏷 today! Framework for tracking personal Bluetooth devices via Apple's massive Find My network.

https://github.com/seemoo-lab/openhaystack

Science Score: 54.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • ✓
    CITATION.cff file
    Found CITATION.cff file
  • ✓
    codemeta.json file
    Found codemeta.json file
  • ✓
    .zenodo.json file
    Found .zenodo.json file
  • ○
    DOI references
  • ○
    Academic publication links
  • ✓
    Committers with academic emails
    3 of 15 committers (20.0%) from academic institutions
  • ○
    Institutional organization owner
  • ○
    JOSS paper metadata
  • ○
    Scientific vocabulary similarity
    Low similarity (14.4%) to scientific vocabulary

Keywords

airtag apple bluetooth find-my location-tracker macos microbit offline-finding reverse-engineering
Last synced: 6 months ago

Repository

Basic Info
  • Host: GitHub
  • Owner: seemoo-lab
  • License: agpl-3.0
  • Language: Swift
  • Default Branch: main
  • Homepage: https://owlink.org
  • Size: 8.98 MB
Statistics
  • Stars: 11,491
  • Watchers: 136
  • Forks: 548
  • Open Issues: 138
  • Releases: 15
Created almost 5 years ago · Last pushed over 1 year ago
Metadata Files
Readme License Citation

README.Reproducibility.md

PoPETs Artifact Review

We submit the research artifacts of our paper Who Can Find My Devices? Security and Privacy of Apple's Crowd-Sourced Bluetooth Location Tracking System to the PoPETs Artifact Review process. Our submission includes (1) the experimental evaluation of the offline finding system in Section 7 of our paper and (2) the PoC implementation of the attack presented in Section 10. The OpenHaystack framework in this repository goes beyond the contributions made in our PoPETs paper and, therefore, is not part of our submission. However, we invite the reviewers to test this code as well.

Location Report Accuracy (Section 7)

We provide the raw data and evaluation scripts used for the experimental evaluation of the offline finding system in Section 7 of our paper. The code should be self-explanatory and generates Figures 4, 5, 8, 9, 10, and 11 and Tables 5, 6, and 7 of our paper.

Requirements

  • Web browser to run the code via the online Binder service
    Alternative: Python environment to run the code locally

Instructions

We implement all code in a single Jupyter notebook provided in an external repository. Please refer to the included README file for detailed instructions: https://github.com/seemoo-lab/offline-finding-evaluation.

Unauthorized Access of Location History (Section 10)

We provide a proof-of-concept (PoC) implementation of the attack presented in Section 10 of our paper. The PoC consists of two parts: (1) the application that reads the private keys from the victim's device and (2) the application that downloads and decrypts the corresponding location reports.

Requirements

Since our PoC targets a vulnerability that was fixed in macOS 10.15.7, the reviewer requires a device that is still vulnerable to the attack. A second Apple device is required to trigger the generation and synchronization of keys. In summary, the reviewer needs:

  • a macOS device running macOS 10.15.6 or earlier (provided as a VM) and
  • a second iOS (>=13.0) or macOS (>=10.15.0) device.

Both devices need to be logged into the same iCloud account, and both need to participate in Apple's Find My network (see Apple's official documentation).

Instructions

The PoC consists of two applications: OFReadKeys and OFFetchReports. OFReadKeys is the malicious application, which the user needs to install manually. OFFetchReports must run on the attacker's Mac. We provide the schematic overview from our paper below. For testing, both applications can also be installed on the same machine, which is the setup we describe in the following.

Attack flow

Preparation: disable SIP and AMFI

The attacker machine needs to have system integrity protection (SIP) and AMFI disabled. This allows OFFetchReports to access Apple account tokens necessary to authenticate at iCloud to download location reports.

  1. Boot macOS into recovery mode (hold ⌘+R during boot).
  2. Open Terminal (from the Utilities drop-down menu).
  3. Execute csrutil disable in Terminal to disable SIP.
  4. Execute nvram boot-args="amfi_get_out_of_my_way=0x1" to disable AMFI.
  5. Reboot macOS normally.
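
From the defender's side, the conditions named above (a macOS release older than 10.15.7, SIP switched off, the AMFI boot argument set) are all things a fleet audit can check. The following script is an added example, not part of the OpenHaystack repository; the function names are hypothetical, and it assumes `csrutil status` reports a fully enabled SIP as "System Integrity Protection status: enabled.".

```shell
#!/bin/sh
# Added example (not from the OpenHaystack repository); function names are hypothetical.
# Assumes `csrutil status` prints "System Integrity Protection status: enabled." when fully on.
sip_enabled() {              # $1 = output of `csrutil status`
    case "$1" in
        *"status: enabled."*) return 0 ;;   # "enabled (Custom Configuration)." does not match
        *) return 1 ;;
    esac
}

amfi_override_set() {        # $1 = output of `nvram boot-args`
    for arg in $1; do        # unquoted on purpose: split on spaces and tabs
        case "$arg" in amfi_get_out_of_my_way=*) return 0 ;; esac
    done
    return 1
}

version_before_fix() {       # $1 = `sw_vers -productVersion`; true if older than 10.15.7
    [ -n "$1" ] || return 2  # unknown version: report nothing
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -lt 10 ] && return 0
    [ "$major" -gt 10 ] && return 1
    [ "$minor" -lt 15 ] && return 0
    [ "$minor" -gt 15 ] && return 1
    [ "$patch" -lt 7 ]
}

audit_host() {               # $1 version, $2 csrutil output, $3 nvram output
    findings=0
    if version_before_fix "$1"; then
        echo "FINDING: macOS $1 is older than 10.15.7 (fix release named above)"
        findings=$((findings + 1))
    fi
    if ! sip_enabled "$2"; then
        echo "FINDING: SIP is not fully enabled"
        findings=$((findings + 1))
    fi
    if amfi_override_set "$3"; then
        echo "FINDING: boot-args sets amfi_get_out_of_my_way"
        findings=$((findings + 1))
    fi
    return "$findings"       # exit status = number of findings
}

# On a Mac, audit the local host; elsewhere, feed the functions collected output.
if command -v csrutil >/dev/null 2>&1; then
    audit_host "$(sw_vers -productVersion)" "$(csrutil status)" \
        "$(nvram boot-args 2>/dev/null)" || true
fi
```
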

Reading keys

  1. Open the Xcode project in CVE-2020-9986/OFReadKeys.
  2. Run the OFReadKeys target.
  3. Export the advertisement keys using the single button to a file.

Fetching reports

  1. Run the Run OFFetchReports target.
  2. Import the exported key file via drag and drop.
  3. Watch OFFetchReports downloading and decrypting the location reports.

Owner

  • Name: Secure Mobile Networking Lab
  • Login: seemoo-lab
  • Kind: organization
  • Location: Darmstadt, Germany

Citation (CITATION.cff)

# This CITATION.cff file was generated with cffinit.
# Visit https://bit.ly/cffinit to generate yours today!

cff-version: 1.2.0
title: OpenHaystack
message: 'If you use this software, please cite it as below.'
type: software
authors:
  - given-names: Alexander
    family-names: Heinrich
    affiliation: 'SEEMOO, TU Darmstadt'
    orcid: 'https://orcid.org/0000-0002-1150-1922'
  - given-names: Milan
    family-names: Stute
    affiliation: 'SEEMOO, TU Darmstadt'
    orcid: 'https://orcid.org/0000-0003-4921-8476'
  - given-names: Matthias
    family-names: Hollick
    affiliation: 'SEEMOO, TU Darmstadt'
    orcid: 'https://orcid.org/0000-0002-9163-5989'
repository-code: 'https://github.com/seemoo-lab/openhaystack'
abstract: >-
  OpenHaystack is a framework for tracking personal
  Bluetooth devices via Apple's massive Find My network. Use
  it to create your own tracking tags that you can append to
  physical objects (keyrings, backpacks, ...) or integrate
  it into other Bluetooth-capable devices such as notebooks.
license: AGPL-3.0
commit: 7d72fa1ac19d2a9f6dec43011be07df8976a8b02
version: 0.5.3
date-released: '2023-10-09'

Committers

Last synced: 9 months ago

All Time
  • Total Commits: 121
  • Total Committers: 15
  • Avg Commits per committer: 8.067
  • Development Distribution Score (DDS): 0.562
Past Year
  • Commits: 7
  • Committers: 2
  • Avg Commits per committer: 3.5
  • Development Distribution Score (DDS): 0.143
Top Committers
Name Email Commits
Milan Stute m****e@s****e 53
Alexander Heinrich a****h@s****e 45
Sebastian m****l@s****v 6
MaxGranzow 2****w 4
Tomas Harkema t****s@h****o 2
Sascha Mowtschan m****n@g****m 2
yoution y****n 1
Shai Mishali f****c@g****m 1
Noah n****h@h****e 1
Knut Hühne k****t@k****u 1
Howard g****o@g****m 1
Morten Harter m****r@g****m 1
Frank Hessel f****l@s****e 1
VladutLP v****p@l****m 1
Alexander Heinrich a****r@s****e 1

Issues and Pull Requests

Last synced: 6 months ago

All Time
  • Total issues: 131
  • Total pull requests: 27
  • Average time to close issues: 2 months
  • Average time to close pull requests: 7 months
  • Total issue authors: 115
  • Total pull request authors: 20
  • Average comments per issue: 6.34
  • Average comments per pull request: 1.67
  • Merged pull requests: 5
  • Bot issues: 0
  • Bot pull requests: 0
Past Year
  • Issues: 9
  • Pull requests: 0
  • Average time to close issues: about 21 hours
  • Average time to close pull requests: N/A
  • Issue authors: 8
  • Pull request authors: 0
  • Average comments per issue: 0.44
  • Average comments per pull request: 0
  • Merged pull requests: 0
  • Bot issues: 0
  • Bot pull requests: 0
Top Authors
Issue Authors
  • acalatrava (3)
  • thirstyone (3)
  • luke-jr (3)
  • jaekim24 (3)
  • jrusi (3)
  • Stach-0 (2)
  • mowtschan (2)
  • ghost (2)
  • Furtivo360 (2)
  • Millo-max (2)
  • moritztim (2)
  • jsmith79 (1)
  • ErfanDL (1)
  • tnorm32 (1)
  • das800 (1)
Pull Request Authors
  • sebinbash (4)
  • rkreutz (4)
  • pawisoon (3)
  • FauconSpartiate (3)
  • davidbaumann (2)
  • kaoz3000 (1)
  • kerta1n (1)
  • kholia (1)
  • holygrolli (1)
  • samaleksov (1)
  • kauzu (1)
  • vekexasia (1)
  • Chapoly1305 (1)
  • fureigh (1)
  • MaxGranzow (1)
Top Labels
Issue Labels
question (64) bug (31) enhancement (23) wontfix (3)
Pull Request Labels

Packages

  • Total packages: 1
  • Total downloads: unknown
  • Total dependent packages: 0
  • Total dependent repositories: 1
  • Total versions: 16
proxy.golang.org: github.com/seemoo-lab/openhaystack
  • Versions: 16
  • Dependent Packages: 0
  • Dependent Repositories: 1
Rankings
Stargazers count: 0.8%
Forks count: 1.6%
Average: 4.2%
Dependent repos count: 4.7%
Dependent packages count: 9.6%
Last synced: 6 months ago

Dependencies

.github/actions/build-esp-idf/action.yaml actions
.github/workflows/build-app.yml actions
  • actions/checkout v2 composite
  • devbotsxyz/xcode-select v1 composite
.github/workflows/build-cve-2020-9986.yaml actions
  • actions/checkout v2 composite
  • devbotsxyz/xcode-select v1 composite
.github/workflows/build-firmware-esp32.yaml actions
  • ./.github/actions/build-esp-idf * composite
  • actions/checkout v2 composite
.github/workflows/build-firmware.yaml actions
  • actions/checkout v2 composite
.github/workflows/release.yml actions
  • ./.github/actions/build-esp-idf * composite
  • actions/checkout v2 composite
  • actions/create-release v1 composite
  • actions/download-artifact v2 composite
  • actions/upload-artifact v2 composite
  • actions/upload-release-asset v1 composite
  • devbotsxyz/xcode-select v1 composite
openhaystack-mobile/ios/Podfile cocoapods
openhaystack-mobile/ios/Podfile.lock cocoapods
  • DKImagePickerController 4.3.2
  • DKPhotoGallery 0.0.17
  • Flutter 1.0.0
  • SDWebImage 5.12.3
  • SwiftyGif 5.4.3
  • file_picker 0.0.1
  • flutter_secure_storage 3.3.1
  • geocoding 1.0.5
  • location 0.0.1
  • maps_launcher 0.0.1
  • path_provider_ios 0.0.1
  • receive_sharing_intent 0.0.1
  • share_plus 0.0.1
  • shared_preferences_ios 0.0.1
  • url_launcher_ios 0.0.1
openhaystack-mobile/macos/Podfile cocoapods
openhaystack-mobile/android/app/build.gradle maven
  • org.jetbrains.kotlin:kotlin-stdlib-jdk7 $kotlin_version implementation
openhaystack-mobile/android/build.gradle maven
openhaystack-mobile/pubspec.lock pub
  • 106 dependencies
openhaystack-mobile/pubspec.yaml pub
  • flutter_lints ^1.0.0 development
  • flutter_test sdk: flutter development
  • file_picker ^4.4.0
  • flutter sdk: flutter
  • flutter_colorpicker ^1.0.3
  • flutter_launcher_icons ^0.9.2
  • flutter_map ^0.14.0
  • flutter_secure_storage ^5.0.2
  • flutter_slidable ^1.2.0
  • geocoding ^2.0.1
  • http ^0.13.4
  • location ^4.2.0
  • maps_launcher ^2.0.1
  • path_provider ^2.0.8
  • pointycastle ^3.4.0
  • provider ^6.0.1
  • receive_sharing_intent ^1.4.5
  • share_plus ^3.0.4
  • shared_preferences ^2.0.9
  • url_launcher ^6.0.17
CVE-2020-9986/OFReadKeys/OFReadKeys.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved swiftpm
  • github.com/apple/swift-crypto 1.1.4
  • github.com/apple/swift-nio 2.26.0
  • github.com/apple/swift-nio-ssl 2.10.4
OpenHaystack/OpenHaystack.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved swiftpm
  • github.com/apple/swift-crypto 1.1.7
  • github.com/apple/swift-nio 2.40.0
  • github.com/apple/swift-nio-ssl 2.20.2