Poster: Leveraging Apple's Find My Network for Large-Scale Distributed Sensing

Find My is a crowd-sourced network of hundreds of millions of Apple devices that use Bluetooth Low Energy (BLE) to detect and track the location of items. We explore the limits and opportunities of using this proprietary network for large-scale distributed sensing. The key idea is to let low-cost sensing devices emit specially crafted BLE advertisements that trick nearby Apple devices into generating location reports that carry arbitrary sensor data, which can then be retrieved from the Apple servers. This paper reports on our ongoing work to reverse engineer the Find My system and to design a protocol for the efficient and reliable collection of data from sensing devices via the Find My network. Preliminary results from real-world experiments demonstrate the feasibility of our approach and a several-fold performance improvement compared with the state of the art.


MOTIVATION
We explore the following research question: Is it possible to repurpose Apple's Find My location tracking network to collect arbitrary data from low-cost sensor devices? An affirmative answer would allow for large-scale distributed sensing in populated areas without the need to install and maintain a dedicated communication infrastructure. Instead, we could exploit the broad coverage provided by hundreds of millions of Apple devices around the world for applications such as air-quality monitoring and energy metering.
Figure 1 shows the basic architecture of the crowd-sourced Find My network. It relies on finder devices (iPhones, iPads, etc.) that send location reports about the presence of nearby items. Items are low-cost, battery-powered devices emitting BLE advertisements. Finder devices detect nearby items by regularly scanning for BLE advertisements and report their current location to the backend upon the reception of an advertisement. The owner of a particular item can retrieve the latest location reports from the backend. The Find My network employs end-to-end encryption between finder devices and owners to preserve privacy.
As shown in Figure 1, we aim to empower sensor devices to report arbitrary data efficiently and reliably via the Find My network to owners, without impairing Find My's location-tracking functionality. The next section provides an overview of our ongoing work toward achieving this goal.

a legitimate advertisement packet have for a finder device to process it? How to piggyback arbitrary data onto these advertisement packets? How does a finder device generate location reports based on the advertisements it receives from the same or different sensor devices? Is there a way for the sensor devices to maximize the overall throughput and/or to minimize the end-to-end latency?
Reverse engineering. To answer these and other questions, we reverse engineer the behavior of the finder devices. This is necessary since Find My is a proprietary (closed-source) system. Using a jailbroken iPhone 13 mini running iOS 15.0, we inspect the logs of key services (e.g., bluetoothd, locationd, searchpartyd), analyze traffic captures with Wireshark, and use Ghidra to disassemble parts of relevant binaries responsible for transforming advertisements into location reports.
We reveal several insights that have not been known so far. For example, a finder device creates a new location report at most every 2 s even if it receives multiple advertisements for the same key during that period. A finder device makes up to 96 submissions to the backend per day, each containing up to 200 location reports. The minimum submission interval ranges from 15 min to 38 min depending on the power and connectivity state of the finder device. We also reveal how location reports are filtered and discarded on the finder devices before they are reported.
Protocol design. Based on our findings, we design an end-to-end protocol to transfer data from sensor devices to owners. The protocol transfers data in units of frames, each having a length of 92 bytes. A sensor device transmits a frame by encoding it into a series of advertisements. Specifically, we repurpose a field that is usually used by AirTags to share their current battery status to encode 1 byte per advertisement. This field can be freely controlled by the sensor devices and is included unchanged in the location reports. Since BLE advertisements are not acknowledged, we use forward error correction (Reed-Solomon) to mitigate the impact of occasional transmission failures. To map received bytes back to the correct frame, we leverage the timing information provided by the finder devices as part of their location reports. Owners need to regularly poll for new location reports because the backend stores only the last 2000 location reports for each advertisement key for up to one week.
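The following added illustration (not the authors' code) models two pieces of the design described above: the finder-side rule that at most one location report per key is created every 2 s, and the owner-side step of mapping reported bytes back into 92-byte frame positions from report timing. The sender schedule (byte i of a frame advertised in slot t0 + 2i s, repeated within the slot) and the (timestamp, key, byte) report shape are assumptions for the example; the Reed-Solomon stage is not shown, the code only exposes the erasure positions it would have to fill.

```python
FRAME_LEN = 92          # frame length from the poster
MIN_REPORT_GAP = 2.0    # finder: at most one report per key every 2 s
SLOT = 2.0              # assumed sender schedule: one frame byte per 2 s slot


def finder_reports(adv_events):
    """Simulate the finder's per-key rate limit.
    adv_events: (timestamp, key, payload_byte) advertisements as heard.
    Returns the subset that becomes location reports."""
    last = {}
    reports = []
    for ts, key, b in sorted(adv_events):
        if key in last and ts - last[key] < MIN_REPORT_GAP:
            continue  # repeat within 2 s of the last report: dropped
        last[key] = ts
        reports.append((ts, key, b))
    return reports


def reassemble(reports, key, t0):
    """Owner side: place each reported byte into its frame slot by timing.
    Returns (frame, erasures); erasures are slots the FEC must recover."""
    frame = [None] * FRAME_LEN
    for ts, k, b in reports:
        if k != key:
            continue
        idx = int(round((ts - t0) / SLOT))
        if 0 <= idx < FRAME_LEN and frame[idx] is None:
            frame[idx] = b
    erasures = [i for i, v in enumerate(frame) if v is None]
    return frame, erasures


def build_events(key, t0, frame_bytes, lost_slots, repeats=3):
    """Constructed sample input: each byte is advertised `repeats` times
    inside its slot; slots in `lost_slots` are never heard by the finder."""
    events = []
    for i, b in enumerate(frame_bytes):
        if i in lost_slots:
            continue
        for r in range(repeats):
            events.append((t0 + i * SLOT + r * 0.5, key, b))
    return events


def demo():
    key = "key-A"  # placeholder advertisement key, not a real one
    frame = [(i * 7) % 256 for i in range(FRAME_LEN)]
    events = build_events(key, 1000.0, frame, lost_slots={10, 40})
    reports = finder_reports(events)
    got, erasures = reassemble(reports, key, 1000.0)
    return len(events), len(reports), got, erasures
```

Running demo() shows 270 heard advertisements collapsing to 90 reports (one per slot) and slots 10 and 40 surfacing as erasures, which is why the design pairs the 1 byte/advertisement channel with forward error correction.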

PRELIMINARY RESULTS
Our evaluation features one sensor device and one owner. The sensor device is a Nordic nRF52840 development kit that runs our proposed protocol. A Mac Mini acts as the owner, retrieving location reports from Apple's servers via OpenHaystack [2] every 10 min for all used advertisement keys. Using this setup, we conduct experiments in three different environments: office, store, and home (residential building).
Figure 2 shows the average number of location reports in the three environments depending on the hour of the day. Each experiment lasts for one week. We can correlate these results to the number of nearby finder devices and their power state. For instance, we only observe location reports during working hours in the office environment. By contrast, in the home environment we see particularly many location reports during the night when the finder devices are presumably being charged. This confirms our findings from Section 2 that the behavior of finder devices exhibits a strong dependence on environmental factors.
In terms of end-to-end performance, we measure a sensor data throughput of 1.1 bit/s with our protocol. This is a 32× improvement over recent prior work, which reports a throughput of 0.03 bit/s [3], while improving the reliability compared to more basic protocols [1] that do not address the unique transmission characteristics and high error rates of Find My messages.

Figure 1: Overview of Apple's Find My network.

Figure 2: Average number of location reports in three different environments depending on the hour of the day.