You are reading a single comment by @ssievert and its replies.
  • the mention of a 'message' that can be decrypted sounds super exciting, but I don't see any message of it in the advertising frame format?

    By message I meant the stuff that a phone generates when it sees the tag. So probably current location of the phone, encrypted with the EID that the tag is advertising. Some more info on what such a message looks like, and what it actually contains, might be really interesting, but I've kind of given up on finding any, at least for now.

    Or I guess Google will only handle EIKs that have been registered with it?

    That's the thing: there doesn't seem to be anything, aside from the EIK, that allows someone to identify a tag, and ideally Google doesn't know the EIK; otherwise they'd be able to decrypt those messages containing location info on the server side, which they claim is not possible here, in the section about end-to-end encryption.
    But I'm betting my (at least two) blocked Google accounts, which I created for use in the work profile of my phone, that there's some kind of login requirement 😅

    I guess the same is probably true for airtags? If you used OpenHaystack (or just cloned airtags) and had say 4 tags, and just cycled to the next every hour, it would probably think you weren't being tracked?

    Well, there is this project: https://github.com/positive-security/find-you that claims to do pretty much exactly that. The last update was more than two years ago, so it may be outdated by now.

    Usually devices should change their address and EID every 1024 seconds anyway, to fulfill the requirement that your stuff cannot be tracked by someone else.
    I guess you could also change the tx power to simulate getting closer and further away, stop sending advertisements entirely for a period of time, or vary the time between advertisements in some way ¯\_(ツ)_/¯

    Interestingly the Pixel 8 can apparently still be tracked if it is powered off, using "specialized Pixel hardware" (first section).
    So, depending on how much that "specialized Pixel hardware" can do, Google may need to officially support a device that can only send advertisements.

    But I probably just missed something, and unwanted tracking protection is a little more advanced than relying on the tag being nice :)

    So you think doing all the crypto stuff on a Puck.js would be feasible?
