376 points, posted by nkko | 18 comments
1. Havoc (No.42479967)
What are the chances that this keeps working long term?

Sounds awesome & makes AirTags more appealing, but if Apple is just going to shut it down next week then less so.

2. stonegray (No.42480311)
Changing the underlying Find My network to break this would be challenging if not impossible while keeping the privacy protections in place. Apple can’t identify devices sending data to Find My, and doesn’t log requests. Short of changes that would break compatibility with older devices it should be relatively stable.

OpenHaystack has been doing this for a few years now and Apple has made no efforts to restrict it.

3. gjsman-1000 (No.42480336)
> Apple can’t identify devices sending data to Find My, and doesn’t log requests.

So what you're saying is that a decent firewall could still inspect the traffic, or the patterns thereof.

Also, this doesn't make any sense, as if Apple doesn't know which AirTag belongs to who, Find My would be very useless; and law enforcement would be furious.

4. stonegray (No.42480403, depth 3)
AirTags are associated with your Apple ID for safety, but when you make a request for the location from Find My it doesn’t include any information about which AirTag you’re asking about; just a CSPRNG-incremented public key that changes every 15 minutes. The location data itself is not available to Apple.

Here are Apple’s docs on how they prevent themselves from inspecting traffic on FMI: https://support.apple.com/guide/security/find-my-security-se...

5. wutwutwat (No.42480638, depth 4)
So Apple has no way to see anything even when developing the platform itself?

They must have a way to decrypt payloads or otherwise get into the system they built and control. The fact that they let law enforcement know when someone is stalking someone with an AirTag shows that the data is available to them. It’s silly to think otherwise, paper or not.

6. alphan0n (No.42480693)
I’ve been using FakeTag[0] and OpenHaystack[1] coupled with a vibration sensor to notify me when various things happen around my house. Inspired by this [2] article. It’s worked flawlessly for ~2 years.

[0] https://github.com/dakhnod/FakeTag

[1] https://github.com/seemoo-lab/openhaystack

[2] https://hackaday.com/2022/05/30/check-your-mailbox-using-the...

7. future10se (No.42480822, depth 5)
> The fact that they let law enforcement know when someone is stalking someone with an AirTag shows that the data is available to them.

Not technically correct. Apple devices (and Android phones with the appropriate app) detect if an unknown AirTag is moving with them and makes it home, possibly signalling a stalking attempt.

The heuristics for this happen locally; Apple isn't "aware" of this happening. That said, when you first set up an AirTag, the serial is tied to your account. Therefore, when you physically find an unknown AirTag and report it to law enforcement, they can then subpoena (or get a warrant?) Apple for information on the AirTag owner's identity.

The serial itself, and any personal identifiers, are not used in the locating process, however.

This is well documented in the paper above, in articles, as well as in reverse engineering efforts.

8. ttul (No.42480903)
From Apple’s perspective, if someone uses the FindMy APIs to provide a commercial service that diminishes the privacy offered by Apple’s official apps, they would likely send a C&D letter. But for hobby projects, it’s not worth clamping down hard.
9. meindnoch (No.42480934, depth 4)
So how does Find My work on icloud.com then?
10. alphan0n (No.42481480, depth 5)
It’s explained pretty well in the link provided in the comment you’re replying to.

The tl;dr is: The information is publicly available in an encrypted form that is only readable by the party with the key.

Think of it like this: when you mark an item as lost you publish a hashed public identification key; if another device detects that key, it creates a location report encrypted with your public key and posts it to a public list of encrypted reports; you decrypt the report with your private key.

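As an added illustration of the scheme alphan0n sketches above and the rotating key stonegray mentions in comment 4 (this is not code from the thread, from FindMy.py or from OpenHaystack), a stand-alone Python model: the tag derives a fresh private key per period, a passing finder encrypts the location to the advertised public key, the server stores only a hash of that key next to ciphertext, and only the private-key holder can decrypt. Apple's real protocol uses different primitives (P-224 ECDH with AES-GCM); here X25519 (RFC 7748, pure Python) with SHA-256 and HMAC stands in so it runs on the standard library alone, and the HMAC key rotation, the `b"enc"` label and the sample coordinates are constructed for the example.

```python
import hashlib, hmac, secrets

P, BASE = 2**255 - 19, (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: scalar k times point u (32-byte little-endian)."""
    k = (int.from_bytes(k, "little") & ~7 & ((1 << 255) - 1)) | (1 << 254)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def period_key(master: bytes, period: int) -> bytes:
    """Constructed KDF for the tag's per-period private key (models the rotation)."""
    return hmac.new(master, period.to_bytes(4, "big"), hashlib.sha256).digest()

def finder_report(tag_pub: bytes, location: bytes) -> tuple:
    """Passing phone: ephemeral ECDH to the tag's key, then encrypt (<=32 bytes) + MAC."""
    eph = secrets.token_bytes(32)
    key = hashlib.sha256(x25519(eph, tag_pub)).digest()
    ct = bytes(p ^ s for p, s in zip(location, hashlib.sha256(key + b"enc").digest()))
    mac = hmac.new(key, ct, hashlib.sha256).digest()
    # The server only ever sees this hash of the advertised key, never the owner.
    return hashlib.sha256(tag_pub).digest(), x25519(eph, BASE), ct, mac

def owner_decrypt(priv: bytes, eph_pub: bytes, ct: bytes, mac: bytes) -> bytes:
    """Only the holder of the matching private key can recover the location."""
    key = hashlib.sha256(x25519(priv, eph_pub)).digest()
    if not hmac.compare_digest(mac, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("report tampered or wrong key")
    return bytes(c ^ s for c, s in zip(ct, hashlib.sha256(key + b"enc").digest()))

def demo(period: int = 1234) -> bytes:
    master = secrets.token_bytes(32)       # never leaves the owner's devices
    priv = period_key(master, period)
    pub = x25519(priv, BASE)               # what the tag broadcasts over BLE
    rid, eph_pub, ct, mac = finder_report(pub, b"37.3318,-122.0312")  # constructed
    server = {rid: (eph_pub, ct, mac)}     # all the server holds: hash -> ciphertext
    return owner_decrypt(priv, *server[hashlib.sha256(pub).digest()])
```

Note what the server never receives: the master secret, the per-period private key, or a plaintext location, which is why a different period's key (or a modified ciphertext) fails the MAC check rather than yielding anything.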
11. malmeloo (No.42481808, depth 5)
The short answer is that it doesn't. The iCloud website only shows devices that are actively uploading their location to Apple, such as iPhones and iPads. AirTags are not shown there, as they use the FindMy network instead (the whole other-devices-find-your-airtags mechanism). This library focuses on the latter.

Apple devices can query your AirTag's location because they sync its shared secrets through the iCloud keychain, which is used to generate temporary keys that can be used to download and decrypt the tag's location.

12. meindnoch (No.42481992, depth 6)
> you decrypt the report with your private key

Where would this private key be coming from when opening Find My on icloud.com (a website)?

13. meindnoch (No.42482031, depth 6)
> Apple devices can query your AirTag's location because they sync its shared secrets through the iCloud keychain

I see. But can't Apple simply read this data from my iCloud keychain? Or is this kind of data sharing through iCloud keychain e2e encrypted?

14. malmeloo (No.42482047)
So far they don't really seem to care; however, we've seen the lengths Apple is willing to go to when it comes to protecting their sweet revenue stream during their fight with Beeper. OpenHaystack has been functional for a long time, but they obtain locations from a running Mac, while this project directly accesses their API. This is also the most attention this project has received in a long time, so we'll see how that goes.

Over the past year only one of my accounts has been banned by Apple, and I was using that one to request locations every 5-10 minutes 24/7 in Home Assistant, with no other usage of the account other than one registered hackintosh. I'm currently using another account that is querying data every 15-30 minutes, which has been working fine so far. You just need an account to anonymously download location reports, so if your throwaway gets banned just create a new one and things should work again. Just make sure to attach it to a real device or hackintosh at least once to "activate" the account's iCloud API.

I do just want to make it clear that I have no intention of keeping this working "at all costs" - at least not without other people willing to help me out. The library is currently not even trying to be stealthy, and it can be easily detected using heuristics if they really wanted to.

15. malmeloo (No.42482091)
You're correct in saying that it would be challenging for them to overhaul the entire network, but this library directly makes API calls to Apple's servers to request location reports. So while the tags would likely keep working, they could totally block the library or your account if they really wanted to.
16. alphan0n (No.42482100, depth 7)
From your keychain. Decrypted locally.

If you mean from another device other than one that your keychain is on, i.e., a browser on a device you haven’t logged into before, you can’t.

You can get an active location through iCloud if the device is powered on or its last location before power off if the setting is enabled. But you can’t decrypt find my location reports without the private key, which is only available in devices you’ve logged into.

17. NavinF (No.42483748, depth 5)
> they let law enforcement know when someone is stalking someone

Source? That's not a thing

18. refulgentis (No.42484637, depth 6)
+1