> Also seems to hard code a MacBook device agent in order to associate the generated keys with a device.
Hold short, so you don't need an iOS device technically to onboard AirTags, any Apple device is sufficient? Why in the name of everything that is holy does Apple not support this officially, just to push sales for iOS devices or what?
(Angry rant of someone who bought an extra used iPhone despite owning like 5k in Apple desktop/mobile gear, just to be able to onboard some AirTags)
I think Apple just doesn't think about use cases outside their ecosystem as a general rule, in the same way that SF engineers don't think about uses outside the Bay. It's not malicious when things stop breaking because they lose mobile connectivity, or when your rideshare app demands you wait outside in the middle of winter in Minnesota, these issues just aren't thought of as an organization.
> I think Apple just doesn't think about use cases outside their ecosystem as a general rule
No. They deliberately do this for gatekeeping. That's what I'd expect from a company forcing you to own a Mac in order to develop for iOS, by license terms.
If it's just technical issues Apple usually does have more helpful alternatives, for example you can only request password reset for your Apple ID on an Apple device (because they can throttle and potentially ban a threat actor trying to do stuffing, I guess?), but they invite you to go to an Apple Store and use an iPad in the store to do it if you happen to not have one.
> why in the name of everything that is holy does Apple not support this officially, just to push sales for iOS devices or what?
You answered your own question ;).
My best guess (assuming it wasn’t malice/greed): not many people have access to an NFC/RFID reader and it’s Apple. So it has to be soft locked somehow behind the Apple Wall. So, in order to provide that “just works” experience, it’s better to advertise the iPhone method as a way to get the tags registered.
Other methods exist, but your mileage varies. Also, Apple may change the APIs at any time and break that process. Thus, no support provided.
The auth lib for iCloud is inherently insecure, for you, and obviously not for Apple, Inc. I would fork this project into two separate products, which is abhorrent to do, but it must be done.
I would never consciously integrate a library from a third party.
I am in the middle of scanning every single release of 'VenToy' into virus scanners, waiting for the moment when an NZ-type vulnerability proves true.
It's not that Apple's payment stream depends on this, it's their subscription model.
Beware of offering a feature free that Apple thinks is interesting, they will lock you out, and start charging people for it.
Doubly beware of p*ssing off geeks, they will go to bed on Friday, in an angry state, and fervently work all weekend both to black box your product and to trivialize the implementation of it. Now those are the really scary people.
This concept would possibly be used to get around the stalking features that Apple et al have implemented.
Ex: Get N donor tags. Have it cycle through the N tags every 24/N hours. Therefore, to Apple (/ device tracking), the "stalkee" is never being followed by a single tag for an extended period of time.
If it's not patched yet: I heard you can just power cycle a tag on a timer to evade detection. Add a large battery with a simple timer circuit, remove the beeper and you got yourself an amazing tracking device.
IIRC this came up in the context of tracking shipments with expensive equipment, where it can be in transit for many months. The tags are so power efficient that they work for ages on a large battery, existing GPS solutions just didn't cut it.
> If it's not patched yet: I heard you can just power cycle a tag on a timer to evade detection
I'm not sure how Apple could ever patch it. If you were willing to add a power-cycling microcontroller to your AirTag, it wouldn't be that much effort to also add a bank of AirTags to cycle through, which would make the apparatus totally indistinguishable from a group of AirTags coming in and out of range constantly.
> Ex: Get N donor tags. Have it cycle through the N tags every 24/N hours. Therefore, to apple (/ device tracking), the "stalkee" is never being followed by a single tag for an extended period of time.
If you have to cycle the tags constantly, couldn't you just physically follow the person and spend less effort/money at that point? Or get a GPS tag that doesn't use the AirTag "network" at all, no cycling needed.
You wouldn't actually physically cycle/replace the tag. As you can see in the README, you can clone real tags, which could be advertised by the device in intervals.
Right, I'm actually wondering if one could build an ESP32 device that did this itself (i.e. without the need of a Flipper Zero). Basically something in a similar form factor of an actual AirTag.
The anti-stalking features make AirTags less useful for anti-theft (or theft discovery), as any aware thief can just disable the tag due to the anti-stalking feature (Apple does note that it's not designed for anti-theft purposes). But if one can defeat the anti-stalking feature, it makes it much more practical for this.
Personally, I wish Apple allowed one to permanently put their air-tag into law enforcement mode, which would prevent you personally from tracking it (and remove it from stalking alerts), but would provide legally recognized law enforcement the ability to request the tracking record (i.e. same process that they might use for requesting cell phone location data).
In my experience, their efforts are directly correlated with the tools and information at their disposal. Report stolen property? They’ll take a report. Report the location of stolen property? Much more likely to investigate. It shouldn’t surprise anyone that they are loath to expend a limited amount of resources on anything other than triaged harm reduction. If they can recover stolen property while securing a successful prosecution of the thieves, without exerting a ton of time and effort, they probably will. That said, I have experienced needlessly unhelpful police encounters, so YMMV with pragmatism.
For anything that may be insured, they likely just want to get you your paperwork, so you can file a claim. Why bother getting something you can replace? For other things, they may care if there is an evidence trail to follow.
In the case that one is using an AirTag for anti-theft purposes and they do not want to alert the thief of the existence of the AirTag while maintaining the intention of the alerts (anti-stalking).
Ex. You notice your bike is stolen. Immediately turn on law enforcement mode. The anti-stalking notifications are disabled but the owner can no longer track the AirTag. However, after alerting the police, they could access the location of the device and investigate or recover the bike.
(in case elaboration is useful: AirTag relies on GPS location reports from user unaware iOS phones. This enables a stalker to throw a tag into your backpack and follow you. iOS notifies this happening to the user based on tag ID, and presumably GP meant that cycling through fake IDs could bypass triggering that.)
- My family’s old subhz car keys are dying so I cloned it & use the flipper when the real one doesn’t work. It’s a car from before the 2000s so no security whatsoever.
- Apartment, lift, gym rfid. Don’t need to bring multiple sets of cards
- IR is also helpful as a backup while I procrastinate going out and buying batteries for some remotes.
Rolling keys is more of an RF thing, fobs are NFC or RFID (rolling key is still vulnerable to a simple replay attack).
For NFC/RFID it depends entirely on the card. You can easily clone Mifare Classic, but on newer ones there's no way I know of, and the software does not (yet) have support for Legic (which has been broken for over a decade).
My dogs' microchips have a body temperature sensor. When one of them is acting like they might be sick, I can take their temperature via my Flipper's RFID reader.
Not OP, but I've used it to clone (my own!) hotel key cards. I've accidentally left my key in the room when I unlocked the door, then absentmindedly tossed the card onto the dresser instead of putting it right back into my wallet. It's nice to have a backup in my bag.
Other hotels have an iPhone app you can use to unlock your door. That's another nice backup, but I've found I can have my Flipper out and the room door open faster than I can open my phone, find the app, launch it, inevitably have to log back in because it's been more than 30 seconds since I last opened it, etc.
I use this and it's great. Consumes basically no power, too. I'd like it if it could talk to Google's "Find device" network, but it's already working really well with Apple's network.
Sadly this requires a "donor" tag to impersonate (which then can't be used for as long as you want this to work), or using OpenHaystack which requires using a Mac in order to get the data.
How? The README [0] states that a Mac is required. Do you mean that you use the Find My network to keep track of your Linux machine's location (as described in [1]), but not to locate devices (which requires either macOS or a proxy server running on macOS)?
How do I use it without an AirTag? At step number 9 the setup asks me to enter an Apple ID, which I do not have. Is there a way to track it on Android or Linux without an Apple ID?
I've tried to create an Apple ID recently on a non-Apple platform and it was a huge PITA. Tried using different browsers on Windows and Linux, tried Apple Music on Android, tried iCloud on Windows - nothing.
Basically I was able to pass email and phone number verification, but then the "Continue" button on the "Apple ID & Privacy" page doesn't work and you can't get around it. No error or description whatsoever, just an internal server error in the browser's console.
Turns out it's a known problem and the same button works perfectly fine when pressing it on an Apple device. I haven't tried it in a macOS VM though, but presumably Apple flags such accounts anyway.
Yeah, Apple is crap that way. Whenever I log in from my Linux desktop, they "lock" my account and I have to go through a long process where I verify my email, phone, password, and they send me an SMS code.
If you want, I can create an account for you on my Mac, email me (email in profile).
https://github.com/biemster/FindMy/blob/113ebf4017729b92a381...
Seems to be auth lib for iCloud.
Also seems to hard code a MacBook device agent in order to associate the generated keys with a device.
As with anything in the centralized world, I wouldn’t use this on an account with a high number of services/digital assets tied to it. I wouldn’t be surprised if Apple bans accounts that use this.
Wouldn’t be difficult to find out either given the unique “adsid” code that is required to login.