What does HackerNews think of openhaystack?

Build your own 'AirTags' 🏷 today! Framework for tracking personal Bluetooth devices via Apple's massive Find My network.

Language: Swift

#39 in macOS
The location report is signed with a public key advertised by the "lost" device.

To retrieve the device's location and to prevent Apple from knowing who lost the device, all signed-in users can download any location report for a given public key.

This is explained better here: https://github.com/seemoo-lab/openhaystack

I'll give you that E2EE arrived late and is off by default. But:

> For Find My, since they can even locate switched off phones

They can't. Find My is actually truly end-to-end encrypted, at least the version used for when a device is off (I'm not 100% sure how encrypted the self-reported version is for powered on iPhones with data).

Copy-pasting my summary about how Find My works from another comment in this post:

> The master private key used by the system is generated locally and never leaves your Apple devices in a state that anyone except your devices can read it.

> The master key is used to derive an AirTag specific private key which is provisioned to the AirTag and is in turn combined with an increasing counter which generates a third private key that's never stored anywhere. The ID broadcast is the public key of this third key. It changes every 30 minutes or 1 hour, I forget which.

> Other devices see this key, use it to encrypt their own location, and upload that encrypted blob along with the public key to Find My, and in order for Apple to even know which account the encrypted blob they can't decrypt belongs to I have to actually request the location of my AirTag by locally deriving the keypair it used for a certain point in time.

This has all been proven through [1] where they read the whitepaper (which I can't for the life of me find now but know exists because I've read it, or at least parts) and implemented OpenHaystack, which proves Apple aren't lying about anything because if they did then OpenHaystack wouldn't work.

1: https://github.com/seemoo-lab/openhaystack
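The key chain the quoted summary describes, as an added model that is not OpenHaystack's or Apple's code: it swaps the real elliptic-curve scheme for a toy modular Diffie-Hellman group, and the names `derive_device_key`, `rolling_private_key`, `finder_report` and `simulate` are my own. It shows why the server only ever holds a public key plus a blob it cannot read, and why the owner must re-derive the slot's key pair locally to read it.

```python
import hashlib
import hmac
import os

# Toy Diffie-Hellman group (a Mersenne prime). Constructed for illustration only;
# it is NOT secure and the real protocol uses an elliptic curve.
P = 2**127 - 1
G = 3

def derive_device_key(master_key: bytes, tag_id: bytes) -> bytes:
    """Master key (never leaves the owner's devices) -> per-tag key provisioned to the tag."""
    return hmac.new(master_key, tag_id, hashlib.sha256).digest()

def rolling_private_key(device_key: bytes, counter: int) -> int:
    """Third-level private key for one time slot; derived on demand, never stored."""
    digest = hmac.new(device_key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return 1 + int.from_bytes(digest, "big") % (P - 2)

def public_key(priv: int) -> int:
    return pow(G, priv, P)

def _keystream(shared: int, n: int) -> bytes:
    """Expand the DH shared secret into n bytes of keystream (hash-based, toy)."""
    key, out, i = hashlib.sha256(shared.to_bytes(16, "big")).digest(), b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

def finder_report(advertised_pub: int, location: bytes) -> tuple:
    """A passer-by encrypts its own location to the public key the tag broadcast."""
    eph_priv = 1 + int.from_bytes(os.urandom(16), "big") % (P - 2)
    shared = pow(advertised_pub, eph_priv, P)
    blob = bytes(a ^ b for a, b in zip(location, _keystream(shared, len(location))))
    return public_key(eph_priv), blob          # this pair is all the server receives

def owner_decrypt(rolling_priv: int, report: tuple) -> bytes:
    eph_pub, blob = report
    shared = pow(eph_pub, rolling_priv, P)     # same secret as the finder computed
    return bytes(a ^ b for a, b in zip(blob, _keystream(shared, len(blob))))

def simulate(device_key: bytes, counter: int, location: bytes) -> dict:
    """One slot: tag broadcasts, finder uploads, server stores, owner fetches and decrypts."""
    adv_pub = public_key(rolling_private_key(device_key, counter))  # what the tag advertises
    server = {adv_pub: [finder_report(adv_pub, location)]}          # everything Apple holds
    # The owner re-derives the slot's key pair locally and asks the server for that public key.
    recovered = owner_decrypt(rolling_private_key(device_key, counter), server[adv_pub][0])
    return {"advertised_pub": adv_pub, "server_blob": server[adv_pub][0][1], "recovered": recovered}
```

Because the advertised public key changes with the counter, two slots of the same tag are not linkable from the server's side without the device key.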

AirTags have a lot of privacy protections. The stalkers were only caught because they were dumb enough to use their own identifiable Apple IDs.

Just creating one with a fake protonmail email will make it quite difficult, though you will also have to purchase an iOS device just for that. Still not unthinkable.

You can even build your own tracker for Apple's network: https://github.com/seemoo-lab/openhaystack

I know :) [1]. It's just the usual response to any of those "creep stalks victim using AirTag" articles popping up here repeatedly in the past. I first thought it was one of those again.

[1] In case anyone wants to read a bit more about this: Secure Mobile Networking Lab has excellent information about how all this works: https://github.com/seemoo-lab/openhaystack and its linked references.

I think it is important to mention that clever people already managed to reverse-engineer the Apple "Find My" network/protocol to "make your own AirTag": https://github.com/seemoo-lab/openhaystack

This notably allows one to easily create a tracker that is silent and potentially smaller than an AirTag. It is also easier to hide in an everyday object, since all you need is basically an nRF51822 and a battery.

People who don't own an iPhone, or in general a recent iPhone might be tracked without their knowledge (and, obviously, their consent).

The potential of misuse of this kind of tool is so great, we should really regulate against those.