I live in the Apple ecosystem, and have for quite some time now. I use an iPhone, have a couple of HomePods, use AppleTV, and typed this blog post (and most of my others) on an iPad. The integration is outstanding for my needs. Each iteration of iOS, iPadOS, and macOS typically has at least one useful feature. They also introduce some features that pique the DFIR side of my brain.
This article originally started out being about an iOS 15 feature that would allow users to track their phones in a “powered down” state, but after downloading the iOS 15 and iPadOS 15 betas, I found this feature was not operable yet, which isn’t surprising considering how it is still very early in the beta cycle. I did, however, find something interesting in the existing Find My network setup that I felt was worth sharing. This “something” not only could be helpful in certain circumstances (e.g. stolen i-Devices, missing/wanted persons), but can possibly shed some light on how the upcoming iOS 15 feature may work. So, this blog post is more operational than it is “forensic.”
Note: while Find My functionality does apply to macOS devices, this post will focus solely on iOS and iPadOS devices.
Find My Network
The current version of the Find My app was introduced at WWDC 2019 and marked a departure from the previous version. Prior to 2019, the Find My feature required devices to have a connection to the Internet, either through cellular or Wi-Fi…or both. When iOS 13 and macOS Catalina arrived, that changed. In addition to Wi-Fi and cellular connections, Bluetooth could also be used to track an i-Device. The interesting part about this is that Bluetooth could be used even if the cellular and Wi-Fi radios were off on the device being tracked. Apple considered this to be “offline,” which made for great marketing.
As it turns out, Apple is using other Apple devices whose Bluetooth radios are also enabled to track the “offline” devices. Crowdsourcing with Bluetooth radios isn’t novel, but how Apple implemented it is. An offline device uses its Bluetooth radio to broadcast a public encryption key, which is generated when Find My is first set up on a device (along with a corresponding private encryption key). The public key is then picked up by another, unrelated i-Device within Bluetooth range. The unrelated i-Device encrypts its own location using the public key it received, and then sends Apple the encrypted geolocation data and a hash of the public key it received from the “offline” device. When you attempt to locate your “offline” device using Find My, Apple sends you the encrypted geolocation data from the unrelated i-Device, which Find My decrypts using your private key. This is a very high-level explanation, but if you are interested in the details, you can read about them here.
Traditionally, people think of logging into their iCloud account online to track lost devices, so long as the device was trackable (i.e. online). But what about “offline” devices?
To understand how this worked, I conducted a few tests to see how this would look when in use. I loaded two test devices, an iPhone 8 and an iPad Pro, with the latest iOS 15 and iPadOS 15 betas, and logged into both using the same test account. I then put the iPhone in “Airplane mode” (you can’t see, but I’m using air quotes) by pressing the Airplane button in Control Center, which, if you have not noticed by now, shuts off the cellular and Wi-Fi radios only (hence my air quotes); the Bluetooth radio remains active. I gave the iPhone to my spouse to carry with her while she was out and about. She uses an up-to-date iPhone 11, which I confirmed had opted in to the Find My network (default is opt-in) and had the Bluetooth radio turned on before she left the house. Using Find My on the iPad, I marked the iPhone as “lost” and started tracking it.
Figure 1 shows the Find My UI on my iPad during tracking.
Because I knew where my spouse was going and the route she took, I knew this location was accurate. The location of the iPhone 8 is seen, along with the distance between my iPad and the iPhone (2 miles – red box). Also note the time and date in the top left of Figure 1 and put it aside for a moment.
Investigators, at times, may have a need to track an i-Device. Outside of getting a court order/search warrant to order a cellular provider to track the device near real-time using cell towers, the traditional thought is to use iCloud via a web browser, if possible. Additionally, if someone loses their i-Device, using iCloud is what we think to do. So, I logged into iCloud via a web browser, and used the Find My function there to track the iPhone 8. The results are in Figure 2.
The location in Figure 2 is nowhere near the location in Figure 1. Figure 2’s location is where the iPhone was when I put it in Airplane mode. Also note the time and date in the upper left. They’re the same. So why is iCloud on the web reporting “37 minutes ago” (red box)? That was the last time iCloud had seen my device. So, why is iCloud not seeing the current location of the iPhone when I can clearly see it in Find My on the iPad?
Going back to how this system works, there are three points to remember:
1. Private/public key pairs are generated on-device only.
2. The unrelated i-Device (or devices if your offline device has come into contact with multiple) has no information that can be tracked back to you or your previous locations (public keys rotate at intervals).
3. Apple can’t see the geolocation data.
The first point is important. The private/public key pairs are generated on each device on which an iCloud account is present. When a device goes “offline” it transmits its public key, but the private key remains on the device, as do the private keys of all the other devices on which the account is signed in. In fact, it never leaves the device(s) at all, which brings up the third point. Apple can’t see the geolocation data that is sent from the unrelated i-Device(s) because the geolocation data is encrypted, and Apple does not have the private key because, again, the private key(s) never leave(s) the device(s) of the account holder who has the lost i-Device. Because the private keys are only available on the devices on which the account is signed in, iCloud basically acts as a relay of encrypted blobs and hashes. So, it makes sense that I was unable to see the “true” location via iCloud on the web because Apple didn’t have the private keys to decrypt the geolocation data; my iPad, however, did.
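The relay-of-encrypted-blobs model described above, as an added toy illustration that is not Apple's code and uses a throwaway Diffie-Hellman group, SHA-256 keystream and HMAC in place of whatever primitives Apple actually uses: the owner's device makes the key pair, an unrelated finder encrypts its own location to the broadcast public key and files it with the relay under a hash of that key, and only a device holding the private key can turn the blobs back into locations. The coordinates are constructed sample values.

```python
import hashlib, hmac, secrets

# Toy group parameters (a Mersenne prime and a small generator). Constructed for
# illustration only; they stand in for whatever public-key scheme Apple really uses.
P = (1 << 127) - 1
G = 5

def gen_keypair():
    """Run on the owner's device when Find My is set up; the private key never leaves it."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def key_hash(pub):
    """What the finder sends Apple alongside the blob: a hash of the broadcast public key."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()

def _stream(key, n):
    """Derive n keystream bytes from a shared secret (counter-mode SHA-256, toy only)."""
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def finder_report(pub, location):
    """The unrelated i-Device encrypts ITS OWN location to the public key it heard over Bluetooth."""
    eph = secrets.randbelow(P - 2) + 1
    key = hashlib.sha256(pow(pub, eph, P).to_bytes(16, "big")).digest()
    ct = bytes(a ^ b for a, b in zip(location, _stream(key, len(location))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return {"hash": key_hash(pub), "eph": pow(G, eph, P), "ct": ct, "tag": tag}

class Relay:
    """Stands in for iCloud: it files blobs under the key hash and can read none of them."""
    def __init__(self):
        self.store = {}
    def upload(self, report):
        self.store.setdefault(report["hash"], []).append(report)
    def fetch(self, h):
        return list(self.store.get(h, []))

def owner_locate(priv, pub, relay):
    """Only a device holding the private key (a signed-in i-Device) can recover locations."""
    found = []
    for r in relay.fetch(key_hash(pub)):
        key = hashlib.sha256(pow(r["eph"], priv, P).to_bytes(16, "big")).digest()
        if not hmac.compare_digest(hmac.new(key, r["ct"], hashlib.sha256).digest(), r["tag"]):
            continue  # wrong private key (or tampered blob): nothing usable, like iCloud on the web
        found.append(bytes(a ^ b for a, b in zip(r["ct"], _stream(key, len(r["ct"])))).decode())
    return found
```

A web login to the relay sees only `key_hash` entries and ciphertext, which is why the web view can report at best the last location the device itself uploaded while online.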
So, in essence, iCloud lied.
Investigators start out a majority of their cases playing catch-up. Whether they’re trying to locate a suspect who’s on the run and has a head start, or trying to locate a missing person who, in some sense, also has a head start, it’s always a game of catch-up. With this in mind, I decided to test this scenario using the same two devices and my spouse, but this time, I erased the iPad and let it sit for a while at the initial setup screen. I let the iPhone leave my presence (in Airplane mode) for about 20 minutes and then I set the iPad up as new, using the same test account that was on the iPhone. I opened Find My and was able to locate the iPhone. See Figure 3.
My spouse had driven to the same location as before, so, again, I knew this location was accurate (interesting that iCloud thinks that was my home – it isn’t). As before, I logged into iCloud via a web browser to see what iCloud was reporting. The results are in Figure 4.
iCloud did not display the correct location in this test, so it lied again. This test revealed an important thing. If you find yourself needing to track an i-Device, the best way to get the most accurate information is to sign into another i-Device with the pertinent user account credentials, if you have the authority to do so, and use the Find My app. This assumes, of course, that the device being sought has Bluetooth enabled.
I suspect the behavior in the above tests will remain the same when the new iOS 15 “powered down iPhone tracking” feature arrives this fall. However, as with all things beta, it is subject to change between now and release.
Remote device erasure. It is always a big thing in the back of the minds of investigators and examiners, and THE reason we place devices in Airplane mode and/or power down devices when we seize them. If you recall, putting an i-Device in Airplane mode disables the cellular and Wi-Fi radios only, but leaves the Bluetooth radio enabled. Bluetooth can be disabled, but requires an explicit button push. That aside, I wanted to see if offline i-Devices could be wiped. See Figure 5.
Figure 5 is the screen that was displayed when I tried to wipe the iPhone 8 while I was tracking it in an offline state. As you can see, the phone requires an Internet connection, which means the cellular and/or Wi-Fi radios need to be enabled for the command to be received by the device. I tried to erase the iPhone 8 anyway, but the device was intact when I retrieved it.
I suspect that when the new iOS 15 feature arrives, this behavior will be similar if not the same. If I find that it is different, I will update this post accordingly. Regardless, it is still imperative to disable all radios on an i-Device (if able) and power it down (after an AFU is obtained – if able).
Steve Jobs once said “The truth is on the cloud.” Well, that doesn’t seem to be the case here. iCloud lies when it comes to offline device tracking, but, understanding how Find My works behind the scenes makes this story-telling understandable.
Unless Apple changes how the Find My network operates, I anticipate this functionality will be very similar, if not the same, when iOS 15 arrives and iPhones can be tracked while powered down. Of course, Apple could always change it or add additional functionality later. It is absolutely critical that personnel responsible for seizure, storage, and examinations of i-Devices ensure all radios are disabled on i-Devices while in their custody.