Who Can Find My Devices? Security and Privacy of Apple’s Crowd-Sourced Bluetooth Location Tracking System

Heinrich, Alexander ; Stute, Milan ; Kornhuber, Tim ; Hollick, Matthias (2022)
Who Can Find My Devices? Security and Privacy of Apple’s Crowd-Sourced Bluetooth Location Tracking System.
The 21st Privacy Enhancing Technologies Symposium. Online (12.07.2021-16.07.2021)
doi: 10.26083/tuprints-00020598
Konferenzveröffentlichung, Zweitveröffentlichung, Verlagsversion

Es ist eine neuere Version dieses Eintrags verfügbar.

URL / URN: https://tuprints.ulb.tu-darmstadt.de/20598

Kurzbeschreibung (Abstract)

Overnight, Apple has turned its hundreds-of-million-device ecosystem into the world’s largest crowd-sourced location tracking network called o~ine finding (OF). OF leverages online finder devices to detect the presence of missing o~ine devices using Bluetooth and report an approximate location back to the owner via the Internet. While OF is not the first system of its kind, it is the first to commit to strong privacy goals. In particular, OF aims to ensure finder anonymity, prevent tracking of owner devices, and confidentiality of location reports. This paper presents the first comprehensive security and privacy analysis of OF. To this end, we recover the specifications of the closed-source OF protocols by means of reverse engineering. We experimentally show that unauthorized access to the location reports allows for accurate device tracking and retrieving a user’s top locations with an error in the order of 10 meters in urban areas. While we find that OF’s design achieves its privacy goals, we discover two distinct design and implementation flaws that can lead to a location correlation attack and unauthorized access to the location history of the past seven days, which could deanonymize users. Apple has partially addressed the issues following our responsible disclosure. Finally, we make our research artifacts publicly available.

Typ des Eintrags:	Konferenzveröffentlichung
Erschienen:	2022
Autor(en):	Heinrich, Alexander ; Stute, Milan ; Kornhuber, Tim ; Hollick, Matthias
Art des Eintrags:	Zweitveröffentlichung
Titel:	Who Can Find My Devices? Security and Privacy of Apple’s Crowd-Sourced Bluetooth Location Tracking System
Sprache:	Englisch
Publikationsjahr:	2022
Ort:	Darmstadt
Publikationsdatum der Erstveröffentlichung:	2022
Veranstaltungstitel:	The 21st Privacy Enhancing Technologies Symposium
Veranstaltungsort:	Online
Veranstaltungsdatum:	12.07.2021-16.07.2021
DOI:	10.26083/tuprints-00020598
URL / URN:	https://tuprints.ulb.tu-darmstadt.de/20598
Zugehörige Links:	Verlags-DOI Organisation Forschungsdaten Forschungsdaten Verwandtes Werk
Herkunft:	Zweitveröffentlichungsservice
Kurzbeschreibung (Abstract):	Overnight, Apple has turned its hundreds-of-million-device ecosystem into the world’s largest crowd-sourced location tracking network called o~ine finding (OF). OF leverages online finder devices to detect the presence of missing o~ine devices using Bluetooth and report an approximate location back to the owner via the Internet. While OF is not the first system of its kind, it is the first to commit to strong privacy goals. In particular, OF aims to ensure finder anonymity, prevent tracking of owner devices, and confidentiality of location reports. This paper presents the first comprehensive security and privacy analysis of OF. To this end, we recover the specifications of the closed-source OF protocols by means of reverse engineering. We experimentally show that unauthorized access to the location reports allows for accurate device tracking and retrieving a user’s top locations with an error in the order of 10 meters in urban areas. While we find that OF’s design achieves its privacy goals, we discover two distinct design and implementation flaws that can lead to a location correlation attack and unauthorized access to the location history of the past seven days, which could deanonymize users. Apple has partially addressed the issues following our responsible disclosure. Finally, we make our research artifacts publicly available.
Status:	Verlagsversion
URN:	urn:nbn:de:tuda-tuprints-205985
Zusätzliche Informationen:	Keywords: Apple, Bluetooth, location privacy, reverse engineering, trackings tags, user identification Erscheint auch in: Proceedings on Privacy Enhancing Technologies, Volume 2021, Issue 3, pages 227-245, eISSN: 2299-0984 Presentation video: https://youtu.be/unXQwBrcUSw
Sachgruppe der Dewey Dezimalklassifikatin (DDC):	000 Allgemeines, Informatik, Informationswissenschaft > 004 Informatik
Fachbereich(e)/-gebiet(e):	20 Fachbereich Informatik 20 Fachbereich Informatik > Sichere Mobile Netze Profilbereiche Profilbereiche > Cybersicherheit (CYSEC) LOEWE LOEWE > LOEWE-Zentren LOEWE > LOEWE-Zentren > emergenCITY
TU-Projekte:	HMWK\|III L6-519/03/05.001-(0016)\|emergenCity TP Bock HMWK\|LOEWE\|emergenC TP Gurevych
Hinterlegungsdatum:	20 Jun 2022 12:07
Letzte Änderung:	22 Jun 2022 11:21
PPN:
Export:

Suche nach Titel in:	TUfind oder in Google

Verfügbare Versionen dieses Eintrags

Who Can Find My Devices? Security and Privacy of Apple’s Crowd-Sourced Bluetooth Location Tracking System. (deposited 20 Jun 2022 12:07) [Gegenwärtig angezeigt]
- Who Can Find My Devices? Security and Privacy of Apple’s Crowd-Sourced Bluetooth Location Tracking System. (deposited 05 Mär 2021 08:10)

Frage zum Eintrag

Optionen (nur für Redakteure)

Redaktionelle Details anzeigen

OAI 2.0-Basis-URL: https://tubiblio.ulb.tu-darmstadt.de/cgi/oai2 TUbiblio verwendet EPrints 3.

Drucken |

Impressum |

Datenschutzerklärung