Building Your Own AirTag Network: How OpenHaystack Reverse-Engineered Apple's Find My Protocol

Hook

A BBC micro:bit costs $15 and can be tracked anywhere on earth using Apple’s Find My network—no cellular connection, no subscription, and no official API required.

Context

Apple’s Find My network allows devices to be located even when offline through a crowd-sourced infrastructure of nearby iPhones. Every iPhone running iOS 13 or newer participates by default, detecting nearby Bluetooth beacons and uploading encrypted location data to Apple’s servers. But Apple’s ecosystem is notoriously closed, with no public API for developers to leverage this infrastructure.

Researchers at the Secure Mobile Networking Lab at TU Darmstadt decided to reverse-engineer the offline finding protocol. Their work began in June 2019, after Apple’s initial announcement of offline finding. The result was OpenHaystack—a framework that proved you don’t need Apple’s blessing to access the Find My network. You just need to understand the cryptographic protocol and a clever workaround for accessing Apple’s private APIs. This isn’t just a practical tool; it’s security research that uncovered a critical vulnerability (CVE-2020-9986) allowing malicious apps to access location data, which Apple has since patched.

Technical Insight

System architecture (auto-generated diagram, reproduced here as text). Three domains: the macOS application (Key Generator using P-224 ECC, the macOS Keychain holding private keys, a Mail Plugin for API access, and a Location Decryptor), the BLE tracking device (firmware running on the micro:bit), and the Apple Find My network (nearby iPhones and Apple servers holding encrypted reports). Data flow: the key generator stores the private key in the keychain and deploys the public key to the firmware; the firmware broadcasts BLE advertisements; nearby iPhones encrypt GPS coordinates with the public key and upload them to Apple's servers; the Mail plugin downloads the encrypted reports; the decryptor retrieves the encrypted data, obtains the private key from the keychain, and displays the location.

OpenHaystack’s architecture is split into two distinct components that work in concert: a macOS application that retrieves and decrypts location reports, and firmware for Bluetooth Low Energy devices that broadcast public keys.

The cryptographic design is elegant. OpenHaystack uses elliptic curve cryptography with the P-224 curve to generate key pairs. When you create a new accessory in the app, it generates a private key that stays securely in your Mac’s keychain and a corresponding public key that gets deployed to your tracking device. The tracking device does nothing but broadcast this public key via BLE advertisements—it has no GPS, no cellular radio, no internet connection. It’s essentially a beacon shouting ‘I exist!’ to nearby iPhones.

Here’s where it gets interesting: when an iPhone detects your beacon, it doesn’t send ‘I found device X at location Y’ to Apple’s servers. Instead, it encrypts the GPS coordinates using the public key it received from the beacon and uploads that encrypted blob. Apple’s servers store these encrypted location reports but have no way to decrypt them or link them to specific users. Only someone with the corresponding private key—you, on your Mac—can decrypt and view the actual locations.

The biggest technical hurdle was accessing Apple’s private API for downloading these location reports. Apple doesn’t offer a public endpoint for this. OpenHaystack’s solution is audacious: it creates a Mail plugin that inherits Apple Mail’s entitlements. The OpenHaystack plugin uses these privileges to access the private API. This is why installation requires temporarily disabling macOS Gatekeeper—you’re installing an unsigned Mail plugin that Apple hasn’t authorized.

Deploying firmware to devices is surprisingly straightforward for supported hardware like the BBC micro:bit. The app generates a firmware image containing your accessory’s public key and can flash it directly via USB. For other Bluetooth devices, you can extract the public key (right-click on the accessory) and manually integrate it into your own firmware.

The system’s privacy model deserves attention. Because location reports are end-to-end encrypted with keys Apple never sees, the company genuinely cannot determine which reports belong to which user or track individual accessories. This is cryptographic privacy, not policy-based privacy. However, OpenHaystack accessories broadcast a fixed public key, making them vulnerable to tracking by anyone in proximity who can correlate Bluetooth advertisements over time. Implementing key rotation would require accessories to maintain synchronized state with the server—significantly more complex for a DIY project.
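The following Python model is an added illustration of the two points above, not code from OpenHaystack or from Apple: a beacon key pair on the standard P-224 curve, a finder that encrypts a location so that only the private-key holder can read it, and a sketch of why key rotation requires shared state between accessory and owner. The curve parameters are the public NIST values; the key derivation (SHA-256 of the shared x-coordinate), the XOR keystream in place of an AEAD, the report encoding, and the rotation rule `rotated_keypair` are assumptions for the example and are not the real protocol's wire format or KDF.

```python
"""Simplified model of the OpenHaystack / Find My location flow on P-224.

Added illustration only. The curve is real NIST P-224; the KDF, cipher,
report format and key-rotation rule are simplified assumptions.
"""
import hashlib
import secrets

# NIST P-224 domain parameters (public standard values)
P = 0xffffffffffffffffffffffffffffffff000000000000000000000001
A = P - 3
B = 0xb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4
N = 0xffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
G = (0xb70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21,
     0xbd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34)
INF = None  # point at infinity


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + Ax + B (mod P)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition / doubling on the short Weierstrass curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF                      # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def generate_keypair():
    """Beacon key pair: the private key stays with the owner, the public key ships in firmware."""
    d = secrets.randbelow(N - 1) + 1
    return d, scalar_mult(d, G)


def encode_point(pt):
    return pt[0].to_bytes(28, "big") + pt[1].to_bytes(28, "big")


def decode_point(raw):
    return (int.from_bytes(raw[:28], "big"), int.from_bytes(raw[28:], "big"))


def derive_key(shared_point):
    # Assumed KDF for the example: SHA-256 over the shared x-coordinate.
    return hashlib.sha256(shared_point[0].to_bytes(28, "big")).digest()


def keystream_xor(key, data):
    # Assumed cipher for the example: SHA-256 counter keystream XORed with data.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def finder_encrypt(beacon_pub, location):
    """Role of a nearby iPhone: ephemeral ECDH against the beacon's public key,
    then encrypt the coordinates. The report (eph_pub, ciphertext) carries no
    identity and cannot be opened by the server."""
    e, eph_pub = generate_keypair()
    key = derive_key(scalar_mult(e, beacon_pub))
    return encode_point(eph_pub), keystream_xor(key, location.encode())


def owner_decrypt(beacon_priv, eph_pub_bytes, ciphertext):
    """Role of the owner's Mac: recompute the shared point with the private key."""
    eph_pub = decode_point(eph_pub_bytes)
    if not on_curve(eph_pub):
        raise ValueError("malformed report: ephemeral key not on curve")
    key = derive_key(scalar_mult(beacon_priv, eph_pub))
    return keystream_xor(key, ciphertext).decode()


def rotated_keypair(master_priv, seed, index):
    """Key-rotation sketch (assumed rule, not Apple's): accessory and owner both
    derive key i from a shared secret seed and a counter, so the broadcast public
    key changes while the owner can still regenerate every private key. A
    scanner without the seed cannot link Q_i to Q_j."""
    delta = int.from_bytes(hashlib.sha256(seed + index.to_bytes(4, "big")).digest(), "big") % N
    d_i = (master_priv + delta) % N
    return d_i, scalar_mult(d_i, G)


def demo():
    d, q = generate_keypair()
    report = finder_encrypt(q, "47.3769,8.5417")   # constructed sample coordinates
    return owner_decrypt(d, *report)


if __name__ == "__main__":
    print(demo())
```

The check `on_curve` before using a received ephemeral key is the one detail worth carrying into any real decryptor: a report is untrusted input from Apple's servers, and a point off the curve must be rejected rather than fed into the scalar multiplication.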

Gotcha

OpenHaystack comes with significant limitations that prevent it from being production-ready. The installation process requires disabling Gatekeeper, which is a major security protection for macOS. While you re-enable it afterward, installing an unsigned Mail plugin that accesses private APIs should make any security-conscious user uncomfortable. You’re trusting code that Apple hasn’t verified, and while the project is open-source, it’s still a risk vector.

The lack of key rotation is a real privacy concern. Your DIY tracker broadcasts the same identifier continuously, meaning anyone with a Bluetooth scanner can track your movements if they know what to look for. The README explicitly warns: ‘OpenHaystack accessories using our firmware broadcast a fixed public key and, therefore, are trackable by other devices in proximity.’

Location updates are also unreliable and slow. The README warns it can take up to 30 minutes for the first location report, and there’s no guaranteed update frequency. You’re dependent on nearby iPhones having network connectivity and Apple’s backend processing your reports. For time-sensitive tracking needs, this system is inadequate. The software itself is explicitly labeled as experimental and untested—this is a research project, not a consumer product.

Verdict

Use OpenHaystack if you’re a hardware tinkerer who wants to experiment with global tracking on a budget, you’re interested in the security research aspects of reverse-engineering closed protocols, or you need to track low-value items where occasional location updates are sufficient and privacy concerns are minimal. It’s genuinely impressive what you can accomplish with $15 hardware and clever cryptography. Skip it if you need reliable, production-grade tracking for valuable items, you’re uncomfortable with the privacy implications of fixed public keys and trackable Bluetooth advertisements, or you’re not willing to install unsigned system plugins that access private APIs. This is a proof-of-concept that demonstrates the accessibility of Apple’s supposedly closed ecosystem, but it’s not a replacement for official accessories unless you prioritize experimentation over reliability.
