The idea of the new system is to turn Apple’s existing network of iPhones into a massive crowdsourced location tracking system. Every active iPhone will continuously monitor for BLE beacon messages that might be coming from a lost device. When it picks up one of these signals, the participating phone tags the data with its own current GPS location; then it sends the whole package up to Apple’s servers. This will be great for people like me, who are constantly losing their stuff: if I leave my backpack on a tour bus in China in my office, sooner or later someone else will stumble on its signal and I’ll instantly know where to find it.
(It’s worth mentioning that Apple didn’t invent this idea. In fact, companies like Tile have been doing this for quite a while. And yes, they should probably be worried.)
If you haven’t already been inspired by the description above, let me phrase the question you ought to be asking: how is this system going to avoid being a massive privacy nightmare?
Let me count the concerns :
- If your device is constantly emitting a BLE signal that uniquely identifies it, the whole world is going to have (yet another) way to track you. Marketers already use WiFi and Bluetooth MAC addresses to do this: Find My could create yet another tracking channel.
- It also exposes the phones who are doing the tracking. These people are now going to be sending their current location to Apple (which they may or may not already be doing). Now they’ll also be potentially sharing this information with strangers who “lose” their devices. That could go badly.
- Scammers might also run active attacks in which they fake the location of your device. While this seems unlikely, people will always surprise you.
The good news is that Apple claims that their system actually does provide strong privacy, and that it accomplishes this using clever cryptography. But as is typical, they’ve declined to give out the details of how they’re going to do it. Andy Greenberg talked me through an incomplete technical description that Apple provided to Wired, so that provides many hints. Unfortunately, what Apple provided still leaves huge gaps. It’s into those gaps that I’m going to fill in my best guess for what Apple is actually doing.
A big caveat: much of this could be totally wrong. I’ll update it relentlessly when Apple tells us more.
Some quick problem-setting
To lay out our scenario, we need to bring several devices into the picture. For inspiration, we’ll draw from the 1950s television series “Lassie”.
A first device, which we’ll call Timmy, is “lost”. Timmy has a BLE radio but no GPS or connection to the Internet. Fortunately, he’s been previously paired with a second device called Ruth, who wants to find him. Our protagonist is Lassie: she’s a random (and unknowing) stranger’s iPhone, and we’ll assume that she has at least an occasional Internet connection and solid GPS. She is also a very good girl. The networked devices communicate via Apple’s iCloud servers, as shown below:
(Since Timmy and Ruth have to be paired ahead of time, it’s likely they’ll both be devices owned by the same person. Did I mention that you’ll need to buy two Apple devices to make this system work? That’s also just fine for Apple.)
Since this is a security system, the first question you should ask is: who’s the bad guy? The answer in this setting is unfortunate: everyone is potentially a bad guy. That’s what makes this problem so exciting.
Keeping Timmy anonymous
The most critical aspect of this system is that we need to keep unauthorized third parties from tracking Timmy, especially when he’s not lost. This precludes some pretty obvious solutions, like having the Timmy device simply shout “Hi my name is Timmy, please call my mom Ruth and let her know I’m lost.” It also precludes just about any unchanging static identifier, even an opaque and random-looking one.
This last requirement is inspired by the development of services that abuse static identifiers broadcast by your devices (for example, your WiFi MAC address) to track devices as you walk around. Apple has been fighting this — with mixed success — by randomizing things like MAC addresses. If Apple added a static tracking identifier to support the “Find My” system, all of these problems could get a lot worse.
This requirement means that any messages broadcast by Timmy have to be opaque — and moreover, the contents of these messages must change, relatively frequently, to new values that can’t be linked to the old ones. One obvious way to realize this is to have Timmy and Ruth agree on a long list of random “pseudonyms” for Timmy, and have Timmy pick a different one each time.
This helps a lot. Each time Lassie sees some (unknown) device broadcasting an identifier, she won’t know if it belongs to Timmy: but she can send it up to Apple’s servers along with her own GPS location. In the event that Timmy ever gets lost, Ruth can ask Apple to search for every single one of Timmy’s possible pseudonyms. Since nobody outside of Apple ever learns this list, and even Apple only learns it after someone gets lost, this approach prevents most tracking.
A slightly more efficient way to implement this idea is to use a cryptographic function (like a MAC or hash function) in order to generate the list of pseudonyms from a single short “seed” that both Timmy and Ruth will keep a copy of. This is nice because the data stored by each party will be very small. However, to find Timmy, Ruth must still send all of the pseudonyms — or her “seed” — up to Apple, who will have to search its database for each one.
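The seed-based pseudonym scheme described above, as an added sketch that is not Apple's design or code from the original post. It assumes HMAC-SHA256 as the "cryptographic function", a numbered rotation period, and a hypothetical `Server` class standing in for Apple's database; the seeds and coordinates are constructed sample values.

```python
# Added illustration: rotating pseudonyms derived from one shared seed.
import hashlib
import hmac

def pseudonym(seed: bytes, period: int) -> bytes:
    """Identifier Timmy broadcasts during one rotation period."""
    msg = b"find-my-sketch/pseudonym" + period.to_bytes(8, "big")
    return hmac.new(seed, msg, hashlib.sha256).digest()[:16]

class Server:
    """Stand-in for Apple's database: pseudonym -> reports from finders."""
    def __init__(self):
        self.reports = {}

    def upload(self, pseud: bytes, location):
        # Lassie cannot tell whose beacon this is; she just forwards it.
        self.reports.setdefault(pseud, []).append(location)

    def search(self, pseudonyms):
        # Ruth reveals the candidate list only once Timmy is lost.
        return [(p, loc) for p in pseudonyms for loc in self.reports.get(p, [])]

def find_timmy(server: Server, seed: bytes, periods: range):
    """Ruth re-derives every pseudonym Timmy could have used and queries."""
    return [loc for _, loc in server.search(pseudonym(seed, t) for t in periods)]

def demo_pseudonyms():
    seed, other = b"\x01" * 32, b"\x02" * 32              # constructed sample seeds
    srv = Server()
    srv.upload(pseudonym(seed, 41), (39.3299, -76.6205))  # Timmy heard in period 41
    srv.upload(pseudonym(other, 41), (48.8566, 2.3522))   # unrelated device
    return find_timmy(srv, seed, range(0, 96))
```

Note that the finder's location is stored in the clear here, exactly as this stage of the design has it.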
Hiding Lassie’s location
The pseudonym approach described above should work well to keep Timmy’s identity hidden from Lassie, and even from Apple (up until the point that Ruth searches for it.) However, it’s got a big drawback: it doesn’t hide Lassie’s GPS coordinates.
This is bad for at least a couple of reasons. Each time Lassie detects some device broadcasting a message, she needs to transmit her current position (along with the pseudonym she sees) to Apple’s servers. This means Lassie is constantly telling Apple where she is. And moreover, even if Apple promises not to store Lassie’s identity, the result of all these messages is a huge centralized database that shows every GPS location where some Apple device has been detected.
Note that this data, in the aggregate, can be pretty revealing. Yes, the identifiers of the devices might be pseudonyms — but that doesn’t make the information useless. For example: a record showing that some Apple device is broadcasting from my home address at certain hours of the day would probably reveal when I’m in my house.
An obvious way to prevent this data from being revealed to Apple is to encrypt it — so that only parties who actually need to know the location of a device can see this information. If Lassie picks up a broadcast from Timmy, then the only person who actually needs to know Lassie’s GPS location is Ruth. To keep this information private, Lassie should encrypt her coordinates under Ruth’s encryption key.
This, of course, raises a problem: how does Lassie get Ruth’s key? An obvious solution is for Timmy to shout out Ruth’s public key as part of every broadcast he makes. Of course, this would produce a static identifier that would make Timmy’s broadcasts linkable again.
To solve that problem, we need Ruth to have many unlinkable public keys, so that Timmy can give out a different one with each broadcast. One way to do this is to have Ruth and Timmy generate many different shared keypairs (or generate many from some shared seed). But this is annoying and involves Ruth storing many secret keys. And in fact, the identifiers we mentioned in the previous section can be derived by hashing each public key.
A slightly better approach (that Apple may not employ) makes use of key randomization. This is a feature provided by cryptosystems like Elgamal: it allows any party to randomize a public key, so that the randomized key is completely unlinkable to the original. The best part of this feature is that Ruth can use a single secret key regardless of which randomized version of her public key was used to encrypt.
All of this leads to a final protocol idea. Each time Timmy broadcasts, he uses a fresh pseudonym and a randomized copy of Ruth’s public key. When Lassie receives a broadcast, she encrypts her GPS coordinates under the public key, and sends the encrypted message to Apple. Ruth can send in Timmy’s pseudonyms to Apple’s servers, and if Apple finds a match, she can obtain and decrypt the GPS coordinates.
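Key randomization as described above, as an added sketch using textbook Elgamal over integers modulo a prime; it is not Apple's protocol or code from the original post. The modulus, base, function names and the microdegree encoding are assumptions of this sketch, and the unlinkability the text relies on requires a suitable prime-order group, which this toy modulus does not attempt to provide.

```python
# Textbook Elgamal with public-key randomization (added sketch, toy parameters).
import secrets

P = 2**255 - 19  # a well-known prime, assumed here for brevity; not a vetted group
G = 2            # base element (assumption of this sketch)

def rand_exp():
    """Random exponent in [1, P-2]."""
    return 1 + secrets.randbelow(P - 2)

def keygen():
    """Ruth: one long-term secret x; base public key is (G, G^x)."""
    x = rand_exp()
    return x, (G, pow(G, x, P))

def randomize(pk):
    """Timmy: raise both halves to a fresh r. Since h^r = (g^r)^x, Ruth's
    single secret x still decrypts under every randomized key."""
    g, h = pk
    r = rand_exp()
    return pow(g, r, P), pow(h, r, P)

def encode(lat_e6, lon_e6):
    """Pack integer microdegrees into one integer below P."""
    return ((lat_e6 + 90_000_000) << 32) | (lon_e6 + 180_000_000)

def decode(m):
    return (m >> 32) - 90_000_000, (m & 0xFFFFFFFF) - 180_000_000

def encrypt(pk, m):
    """Lassie: encrypt under whichever key the beacon carried."""
    g, h = pk
    k = rand_exp()
    return pow(g, k, P), (m * pow(h, k, P)) % P

def decrypt(x, ct):
    """Ruth: m = c2 / c1^x, using Fermat's little theorem for the inverse."""
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - x, P)) % P

def demo_randomized_keys():
    x, pk = keygen()
    beacons = [randomize(pk) for _ in range(3)]   # three broadcast periods
    fix = encode(39_329_900, -76_620_500)         # constructed sample location
    reports = [encrypt(b, fix) for b in beacons]  # what Apple would store
    return beacons, [decode(decrypt(x, ct)) for ct in reports]
```

Each beacon carries a different-looking key pair, yet all three reports decrypt with the one secret Ruth holds.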
Does this solve all the problems?
The cruddy thing about this problem setting is that, with many weird edge cases, there just isn’t a perfect solution. For example, what if Timmy is evil and wants to make Lassie reveal her location to Apple? What if Old Man Smithers tries to kidnap Lassie?
At a certain point, the answer to these questions is just to say that we’ve done our best: any remaining problems will have to be outside the threat model. Sometimes even Lassie knows when to quit.