Apple's 'Find My' Feature Uses Some Very Clever Cryptography - WIRED


Posted: 05 Jun 2019 12:00 AM PDT

When Apple executive Craig Federighi described a new location-tracking feature for Apple devices at the company's Worldwide Developer Conference keynote on Monday, it sounded—to the sufficiently paranoid, at least—like both a physical security innovation and a potential privacy disaster. But while security experts immediately wondered whether Find My would also offer a new opportunity to track unwitting users, Apple says it built the feature on a unique encryption system carefully designed to prevent exactly that sort of tracking—even by Apple itself.

In upcoming versions of iOS and macOS, the new Find My feature will broadcast Bluetooth signals from Apple devices even when they're offline, allowing nearby Apple devices to relay their location to the cloud. That should help you locate your stolen laptop even when it's sleeping in a thief's bag. And it turns out that Apple's elaborate encryption scheme is also designed not only to prevent interlopers from identifying or tracking an iDevice from its Bluetooth signal, but also to keep Apple itself from learning device locations, even as it allows you to pinpoint yours.

"Now what's amazing is that this whole interaction is end-to-end encrypted and anonymous," Federighi said at the WWDC keynote. "It uses just tiny bits of data that piggyback on existing network traffic so there's no need to worry about your battery life, your data usage, or your privacy."


In a background phone call with WIRED following its keynote, Apple broke down that privacy element, explaining how its "encrypted and anonymous" system avoids leaking your location data willy nilly, even as your devices broadcast a Bluetooth signal explicitly designed to let you track your device. The solution to that paradox, it turns out, is a trick that requires you to own at least two Apple devices. Each one emits a constantly changing key that nearby Apple devices use to encrypt and upload your geolocation data, such that only the other Apple device you own possesses the key to decrypt those locations.

That system would obviate the threat of marketers or other snoops tracking Apple device Bluetooth signals, allowing them to build their own histories of every user's location. "If Apple did things right, and there are a lot of ifs here, it sounds like this could be done in a private way," says Matthew Green, a cryptographer at Johns Hopkins University. "Even if I tracked you walking around, I wouldn't be able to recognize you were the same person from one hour to the next."

In fact, Find My's cryptography goes one step further than that, denying even Apple itself the ability to learn a user's locations based on their Bluetooth beacons. That would represent a privacy improvement over Apple's older tools like Find My iPhone and Find Friends, which don't offer such safeguards against Apple learning your location.

Here's how the new system works, as Apple describes it, step by step:

  • When you first set up Find My on your Apple devices—and Apple confirmed you do need at least two devices for this feature to work—it generates an unguessable private key that's shared on all those devices via end-to-end encrypted communication, so that only those machines possess the key.
  • Each device also generates a public key. As in other public key encryption setups, this public key can be used to encrypt data such that no one can decrypt it without the corresponding private key, in this case the one stored on all your Apple devices. This is the "beacon" that your devices will broadcast out via Bluetooth to nearby devices.
  • That public key frequently changes, "rotating" periodically to a new number. Thanks to some mathematical magic, that new number doesn't correlate with previous versions of the public key, but it still retains its ability to encrypt data such that only your devices can decrypt it. Apple refused to say just how often the key rotates. But every time it does, the change makes it that much harder for anyone to use your Bluetooth beacons to track your movements.
  • Say someone steals your MacBook. Even if the thief carries it around closed and disconnected from the internet, your laptop will emit its rotating public key via Bluetooth. A nearby stranger's iPhone, with no interaction from its owner, will pick up the signal, check its own location, and encrypt that location data using the public key it picked up from the laptop. The public key doesn't contain any identifying information, and since it frequently rotates, the stranger's iPhone can't link the laptop to its prior locations either.
  • The stranger's iPhone then uploads two things to Apple's server: The encrypted location, and a hash of the laptop's public key, which will serve as an identifier. Since Apple doesn't have the private key, it can't decrypt the location.
  • When you want to find your stolen laptop, you turn to your second Apple device—let's say an iPad—which contains both the same private key as the laptop and has generated the same series of rotating public keys. When you tap a button to find your laptop, the iPad uploads the same hash of the public key to Apple as an identifier, so that Apple can search through its millions upon millions of stored encrypted locations, and find the matching hash. One complicating factor is that iPad's hash of the public key won't be the same as the one from your stolen laptop, since the public key has likely rotated many times since the stranger's iPhone picked it up. Apple didn't quite explain how this works. But Johns Hopkins' Green points out that the iPad could upload a series of hashes of all its previous public keys, so that Apple could sort through them to pull out the previous location where the laptop was spotted.
  • Apple returns the encrypted location of the laptop to your iPad, which can use its private key to decrypt it and tell you the laptop's last known location. Meanwhile, Apple has never seen the decrypted location, and since hashing functions are designed to be irreversible, it can't even use the hashed public keys to collect any information about where the device has been.[1]
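
The steps above, as an added toy sketch in Python that is not Apple's code or construction. Apple did not disclose how the keys rotate, so the per-period blinding of one shared private key, the discrete-log group, the unauthenticated XOR encryption and every name here are assumptions chosen for illustration; the owner's search over several past periods follows Green's suggestion in the text.

```python
import hashlib
import secrets

# Toy group for illustration only: integers mod the prime 2**255 - 19, base 2.
# (Assumption: a real deployment would use an elliptic curve and an AEAD.)
P, G = 2**255 - 19, 2

def _to_bytes(n: int) -> bytes:
    return n.to_bytes(32, "big")

class OwnerKeys:
    """Secrets held by every device of one owner (the laptop and the iPad)."""
    def __init__(self):
        self.d = secrets.randbelow(P - 3) + 2   # shared private key
        self.seed = secrets.token_bytes(32)     # shared rotation secret

    def private_for(self, period: int) -> int:
        # Blind the private key with a per-period factor only the owner can derive.
        digest = hashlib.sha256(self.seed + period.to_bytes(8, "big")).digest()
        return (self.d * int.from_bytes(digest, "big")) % (P - 1)

    def beacon(self, period: int) -> int:
        # Rotating public key broadcast over Bluetooth during this period.
        return pow(G, self.private_for(period), P)

def key_id(beacon: int) -> str:
    # Hash of the public key: the only identifier the server ever sees.
    return hashlib.sha256(_to_bytes(beacon)).hexdigest()

def finder_report(beacon: int, location: bytes):
    """What a stranger's phone uploads: (identifier, encrypted location)."""
    r = secrets.randbelow(P - 3) + 2
    shared = pow(beacon, r, P)                  # ElGamal-style shared secret
    pad = hashlib.shake_256(_to_bytes(shared)).digest(len(location))
    ciphertext = bytes(a ^ b for a, b in zip(location, pad))
    return key_id(beacon), (pow(G, r, P), ciphertext)

def owner_lookup(keys: OwnerKeys, server: dict, periods):
    """Second device: try identifiers of recent beacons, decrypt the first hit."""
    for period in periods:
        blob = server.get(key_id(keys.beacon(period)))
        if blob is not None:
            ephemeral, ciphertext = blob
            shared = pow(ephemeral, keys.private_for(period), P)
            pad = hashlib.shake_256(_to_bytes(shared)).digest(len(ciphertext))
            return period, bytes(a ^ b for a, b in zip(ciphertext, pad))
    return None
```

The server here is a plain dict keyed by the hashed beacon, so a later report for the same identifier overwrites the earlier one and the server holds nothing it can decrypt.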

As staggeringly complex as that might sound, Apple warns that it's still a somewhat simplified version of the Find My protocol, and that the system is still subject to change before it's actually released in MacOS Catalina and iOS 13 later this year. The true security of the system will depend on the details of its implementation, warns Johns Hopkins' Green. But he also says if it works as Apple described to WIRED, it might indeed offer all the privacy guarantees Apple has promised.

"I give them nine out of 10 chance of getting it right," Green says. "I have not seen anyone actually deploy anything like this to a billion people. The actual techniques are pretty well known in the scientific sense. But actually implementing this will be pretty impressive."


[1] Updated 6/5/2019 3:20 PM EST with a clarification from Apple that Find My stores and returns only one location for a lost device.

Apple, Google & others condemn UK proposal to secretly add law enforcement to encrypted chats - 9to5Mac

Posted: 30 May 2019 12:00 AM PDT

Apple, Google, Microsoft and 44 other organisations and security experts have signed an open letter condemning a proposal to secretly add law enforcement organizations to encrypted chats and calls.

The proposal by GCHQ – Britain's equivalent of the NSA – seeks to provide an encryption workaround that would breach privacy and security in apps like Messages, FaceTime, WhatsApp and Signal …

The proposed workaround, aka 'ghost proposal'

So far, companies like Apple have been able to tell law enforcement that they have no way to provide access to Messages chats and FaceTime calls, because the services use end-to-end encryption. This means that Apple doesn't know the encryption key and therefore cannot access the content.

But Britain's Government Communications Headquarters (GCHQ) thinks it has a clever workaround. First revealed back in February, it wants messaging companies to secretly add law enforcement agencies as invisible participants in chats.

"It's relatively easy for a service provider to silently add a law enforcement participant to a group chat or call. The service provider usually controls the identity system and so really decides who's who and which devices are involved — they're usually involved in introducing the parties to a chat or call…. In a solution like this, we're normally talking about suppressing a notification on a target's device… and possibly those they communicate with."

In short, Apple — or any other company that allows people to privately chat — would be forced to allow the government to join those chats as a silent, invisible eavesdropper.

For obvious reasons, the plan has become known as the 'ghost proposal.'

Open letter

The open letter was sent on May 22 and made public today. It says the ghost proposal must be rejected on three grounds:

  • It violates fundamental human rights
  • It creates new security risks
  • It violates GCHQ's own stated principles

As the letter puts it:

This proposal to add a "ghost" user would violate important human rights principles, as well as several of the principles outlined in the GCHQ piece. Although the GCHQ officials claim that "you don't even have to touch the encryption" to implement their plan, the "ghost" proposal would pose serious threats to cybersecurity and thereby also threaten fundamental human rights, including privacy and free expression. In particular, as outlined below, the ghost proposal would create digital security risks by undermining authentication systems, by introducing potential unintentional vulnerabilities, and by creating new risks of abuse or misuse of systems. Importantly, it also would undermine the GCHQ principles on user trust and transparency set forth in the piece.

The signatories say that iMessage, WhatsApp and Signal go to particular lengths to guard against exactly this risk – of third-parties managing to add themselves to a conversation.

For example, iMessage has a cluster of public keys – one per device – that it keeps associated with an account corresponding to an identity of a real person. When a new device is added to the account, the cluster of keys changes, and each of the user's devices shows a notice that a new device has been added upon noticing that change […]

[Another method is known as] a "safety number" in Signal and a "security code" in WhatsApp (we will use the term "safety number"). They are long strings of numbers that are derived from the public keys of the two parties of the conversation, which can be compared between them – via some other verifiable communications channel such as a phone call – to confirm that the strings match. Because the safety number is per pair of communicators — more precisely, per pair of keys — a change in the value means that a key has changed, and that can mean that it's a different party entirely. People can thus choose to be notified when these safety numbers change, to ensure that they can maintain this level of authentication. Users can also check the safety number before each new communication begins, and thereby guarantee that there has been no change of keys, and thus no eavesdropper.

This is why, when you add a new Apple device, you get an alert on your existing devices.

The letter emphasises the fundamental problem that any backdoor created for use by the good guys inevitably carries the risk that it will be exploited by the bad guys. This is, of course, the reason Apple refused to create a weakened version of iOS for the FBI in the San Bernardino shooting case.

The lengthy letter condemning the proposal to secretly add law enforcement agencies to encrypted chats is signed by tech giants, civil rights organizations and security experts. You can read it here.
