item 41335970

waschl | 1 year ago

I guess broadcasting beacons via Bluetooth to nearby iPhones, the same principle as AirTags work on.


max_ | 1 year ago

Is it some kind of proprietary P2P mesh network?

denysvitali | 1 year ago

Yes, with a strong emphasis on the proprietary part. Apple and Google both have their own networks.

All the Apple devices (and now, rolling out, all the Google Play Services enabled devices) scan for nearby Bluetooth LE beacons (that use their protocol) and upload (with some cryptographic operation) the location of the device that found the beacon, together with the accuracy (signal strength), to a proprietary server (Google or Apple).

Then, with the respective apps, the key holder can retrieve the reports for a given key hash and decrypt them to get the previous location. Technically speaking, anyone with the key hash can fetch the encrypted location reports from Apple / Google servers, but they can't decrypt them. On top of that, the key is rotating every 15 minutes (AirTag in paired mode) and there is no way to know that two keys are connected... unless you own the main key that is used to derive the rolling keys (see "update" and "diversify" in the linked paper).

Now, all of this is fantastic, until you think of this as a monopoly. Apple and Google get an interesting tax on every device that gets built and joins this network (IIRC it's $4 for partner devices in the Apple network).

My problem with this is that no-one else other than Google and Apple can build an "open" network - you'd have to find a way to push your code to everyone's devices.

I'm surprised no-one is investigating this unfair practice.

See: https://doi.org/10.2478/popets-2021-0045 and https://github.com/seemoo-lab/openhaystack
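The retrieval and key-rotation flow described in the comment above, as an added toy model that is not part of the thread, the paper, or OpenHaystack: an owner derives rolling keys from a master key with "update"/"diversify" steps, a finder encrypts a location to the public key it saw in the beacon, the server hands out reports to anyone who knows the key hash, and only the holder of the master key can both link the epochs and decrypt. Finite-field Diffie-Hellman over a small Mersenne prime, the HMAC-based derivation labels, the XOR keystream and the sample locations are all constructed assumptions chosen to keep the example standard-library only; the real network uses an elliptic-curve group and different encodings.

```python
import hashlib
import hmac
import os
import secrets

# Toy group parameters (constructed for this example, not real-world strength).
P = 2**127 - 1      # Mersenne prime used as the Diffie-Hellman modulus
G = 3               # generator of the toy group
ORDER = P - 1       # private scalars are reduced modulo this


def kdf(key: bytes, label: bytes) -> bytes:
    """One HMAC-SHA256 derivation step; labels stand in for 'update'/'diversify'."""
    return hmac.new(key, label, hashlib.sha256).digest()


def key_hash(pub: int) -> str:
    """Server-side index for a rolling public key; useless for decryption."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy one-time keystream from HMAC counters; the key is fresh per report."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Owner:
    """Holds the master secrets (d0, SK0) that link all rolling keys together."""

    def __init__(self):
        self.d0 = secrets.randbelow(ORDER - 1) + 1   # master private scalar
        self.sk0 = os.urandom(32)                    # master symmetric seed

    def rolling_keys(self, count: int):
        """Return [(d_i, pub_i)] for epochs 1..count:
        SK_i = KDF(SK_{i-1}), (u_i, v_i) = KDF(SK_i), d_i = d0*u_i + v_i."""
        sk, keys = self.sk0, []
        for _ in range(count):
            sk = kdf(sk, b"update")
            u = int.from_bytes(kdf(sk, b"diversify-u"), "big") % ORDER
            v = int.from_bytes(kdf(sk, b"diversify-v"), "big") % ORDER
            d = (self.d0 * u + v) % ORDER
            keys.append((d, pow(G, d, P)))
        return keys


def finder_report(pub: int, location: bytes) -> dict:
    """A nearby device learns only pub_i from the beacon and encrypts to it."""
    e = secrets.randbelow(ORDER - 1) + 1
    shared = pow(pub, e, P)
    key = kdf(shared.to_bytes(16, "big"), b"report-key")
    return {"key_hash": key_hash(pub), "eph": pow(G, e, P),
            "ct": xor_stream(key, location)}


class Server:
    """Unauthenticated store: anyone with a key hash can fetch its reports."""

    def __init__(self):
        self.reports = {}

    def upload(self, report: dict) -> None:
        self.reports.setdefault(report["key_hash"], []).append(report)

    def fetch(self, h: str) -> list:
        return list(self.reports.get(h, []))


def owner_retrieve(owner: Owner, server: Server, epochs: int) -> list:
    """Re-derive each epoch's key, fetch by hash, and decrypt with d_i."""
    found = []
    for d, pub in owner.rolling_keys(epochs):
        for r in server.fetch(key_hash(pub)):
            shared = pow(r["eph"], d, P)
            key = kdf(shared.to_bytes(16, "big"), b"report-key")
            found.append(xor_stream(key, r["ct"]))
    return found


def demo():
    """Three epochs of constructed locations; returns what the owner recovers,
    how many reports a hash-only snooper can fetch, and whether the fetched
    ciphertext already reveals the plaintext (it must not)."""
    owner, server = Owner(), Server()
    keys = owner.rolling_keys(3)
    locations = [b"lat=47.37,lon=8.54", b"lat=47.38,lon=8.55", b"lat=47.39,lon=8.56"]
    for (_, pub), loc in zip(keys, locations):
        server.upload(finder_report(pub, loc))
    recovered = owner_retrieve(owner, server, 3)
    snoop = server.fetch(key_hash(keys[1][1]))   # snooper knows epoch 2's hash only
    return recovered, len(snoop), snoop[0]["ct"] == locations[1]
```

The rolling public keys share no visible relation, so the server (or a snooper) cannot tell that epochs 1 and 2 belong to the same tag; only `Owner.rolling_keys`, which needs `d0` and `SK0`, ties them together.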