sorenjan 4 days ago | next |

I wish there was a good option for non Apple users. From what I've heard Google made their version pretty bad, as expected. They rate limit how often you can search for your own tags, they won't show the location until a tag has been seen by multiple phones, there's poor coverage. One test I saw showed that Samsung's network was better, which makes no sense since Samsung phones should be a subset of all Android phones in Google's network, but that's Google products for you. Sounds good in theory but poorly executed, even years after Apple showed how to do it.

https://security.googleblog.com/2024/04/find-my-device-netwo...

https://9to5google.com/2024/08/01/find-my-device-stress-test...

https://9to5google.com/2024/08/03/google-android-find-my-dev...

https://www.androidcentral.com/accessories/testing-new-googl...

suddenexample 4 days ago | root | parent | next |

It's actually hilarious that whoever was in charge of Google's finder network decided to cripple the product's one and only function by prioritizing privacy.

In this tradeoff, Google gained a handful of articles mentioning the "innovative" privacy improvements (before the writers had a chance to test how terribly the network actually performs). For that, they sacrificed the chance to compete with Apple in this category, which outside of device revenue also weakens Android/Pixel ecosystem and market share. You really can't make up this level of incompetence.

izacus 4 days ago | root | parent | next |

> It's actually hilarious that whoever was in charge of Google's finder network decided to cripple the product's one and only function by prioritizing privacy.

That sounds like that "whoever" was the corporate legal team. Every time I tracked down these kind of idiocities in large corpos, it's usually legal or security team that overrode common sense and sabotaged their own product.

ferfumarma 3 days ago | root | parent | prev | next |

> It's actually hilarious that whoever was in charge of Google's finder network decided to cripple the product's one and only function by prioritizing privacy.

That is a hilariously apt and depressing point. Wow.

KennyBlanken 3 days ago | root | parent | prev | next |

Google's interest in user privacy extends as far as keeping competitors or customers of google from getting data about an Android user other than through Google.

talldayo 3 days ago | root | parent |

Well sure, you could accuse Apple and Huawei of the exact same thing and still be right. Hardware OEMs are extremely desperate to force their customers through first-party services to extend the value of their sale. News at 11.

Because America lacks any form of conscious consumer protection, this is apparently fine to our regulators. Our market is entirely comfortable with OEMs fighting over who gets the right to exploit a customer with their defacto monopoly.

WinstonSmith84 4 days ago | root | parent | prev | next |

It's hard to believe how Google could mess up their network so badly. Apple network shall be totally dwarfed.

As a nomad-traveler, the Apple network is not particularly relevant to me, I don't travel to the wealthiest cities with a lot of Apple phones, but to the "rest of the world" where Android market share is close to 90% dominance. But even there, it still seems that Apple is doing better than Google (...)

RobotToaster 3 days ago | root | parent | prev | next |

> From what I've heard Google made their version pretty bad

I have one on my keys. The one time I tried to use it, despite refreshing multiple times, it gave me a bubble with a quarter mile radius. It turned out to be in my bag right next to me.

kmarc 3 days ago | root | parent | prev | next |

Samsung's solution is not a subset, but a superior, separate concept.

It works incredibly well, even at the most remote countries' airports, villages, etc I can find my 2 tags. A peace of mind.

This guy concludes that Samsung SmartTag is the best, even if you are an iPhone user:

https://m.youtube.com/watch?v=9wefUV_bR0Y

garbagewoman 4 days ago | root | parent | prev | next |

I dunno, a less than perfectly all-seeing omnipresent tracking network actually is a little comforting

sorenjan 4 days ago | root | parent | next |

It's not very useful for tracking your things though, which arguably is why you would use it. I wouldn't trust Google's network to find a stolen bike or lost luggage for instance, but air tags are used for that all the time[0]. Finding my lost keys at home is a perfectly valid use case for tags, but you don't need a network for that, just some Bluetooth and maybe UWB.

[0] https://www.forbes.com/sites/barrycollins/2024/12/17/lost-lu...

https://help.vanmoof.com/hc/en-us/articles/16053155393181-Ho...

_ink_ 4 days ago | root | parent | prev |

There is a setting, where you can disable that it needs to be seen by multiple phones.

Tajnymag 4 days ago | root | parent |

No, that's the whole point of the fiasco. That setting is not for the tracker but for the tracking devices. For Google Find My trackers to behave similarly to AirTags, every single android user would have to go to their Find My settings and explicitly change, how sensitive their phone is.

abalaji 4 days ago | prev | next |

Looking through the code, it looks like this uses your personal Apple Mail entitlements to pull the locations that get collected by devices on the FindMy network:

https://github.com/seemoo-lab/openhaystack/blob/8d214aa5eb68...

I wonder if this were also possible by making an Apple developer account.

exabrial 3 days ago | prev | next |

Can someone point me to something I saw earlier? Apple alerts users to "tags that might be following you". Someone made an implementation that used a KDF to rotate the mac address or private key or something, but it was predictable in a way you could track each derivation of the of the mac/private key.

There is a really obnoxious petty theft problem where I live, and the time it takes to constantly get my windows fixed or forced entry crap removed is worth a significant amount of my personal time. I have zero desire to confront anyone, but I'd like to be able to create a track for a PI or Law enforcement some day.

hattmall 3 days ago | root | parent | next |

You can buy GPS cellular trackers. Then just get a really cheap or even free IOT sim.

Alternatively you could probably just walk to your nearest drug addict hangout with case of bottled water and ask them to stop breaking into your stuff.

IshKebab 3 days ago | root | parent | next |

Can you though? Every time airtags come up here someone is like "you can get GPS trackers already! they're cheap!" but I actually looked and actual GPS trackers that don't require a subscription or have various other flaws seem to be very difficult to find.

If there's a GPS tracker that uses an eSIM and isn't sketchy af and has decent battery life and isn't £100 let me know! I would love that for my bikes.

snug 3 days ago | root | parent |

Yup, usually $20-30 per month is what I found. It would be cheaper to just use an old phone and use a cheap pay as you go cell service

stavros 3 days ago | root | parent | prev | next |

Hm, AFAIK AirTags rotate their private key anyway, so I don't know if that will help your problem. Maybe they rotate it slowly, though, I'm not very familiar with the exact algorithm.

wickedsight 3 days ago | root | parent | prev |

In my submissions you can find a link to an article I wrote about OpenHaystack and those alerts. TL;DR, I was never warned by iOS about an OpenHaystack based tracker that I stuck inside my car for a while. That was a couple of years ago though, so things may have changed.

solarkraft 4 days ago | prev | next |

I wish it had a way to integrate with the Find My app instead of having to go through their own (wonky) process to retrieve locations. The chinese clones can do it (even with their own branding), so it must be possible somehow.

alibarber 4 days ago | root | parent | next |

I think that's the wall in Apple's walled garden here. From reading the official Apple spec. for partners a while back, as part of the pairing process, something is signed by the device with a cert/key that apple issued to that developer (after coming to an agreement i.e - $$) - and, crucially, is different from the keypair that the device will use to actually broadcast. This is then validated by apple and thus allowed to be added to that apple-id's account and hence on to the app.

The keys broadcasted by the devices themselves in 'lost' mode (i.e. not in 2 way contact with the owner's device) are arbitrary and completely opaque, Apple doesn't have any way of tying them to an ID or device or developer. This is how the proposed project here works - these keys will always find their way to the apple server.

It seems like the knockoff ones have just hijacked a legit key for the pairing process. This means if Apple desires and finds out the key, it can probably remove all devices from all accounts - although the devices themselves will keep on broadcasting and their locations could be accessed in the above janky way. I wonder too if the original key owner might get a large bill for per-device royalties if/when Apple searches it's DB for a count of 'devices-added-to-an-apple-id-signed-by-this-key'...

nl 3 days ago | root | parent |

This isn't actually the case. Apple supports 3rd party trackers - see https://mfi.apple.com/ and https://developer.apple.com/find-my/

alibarber 3 days ago | root | parent |

Yes, this is exactly what I’m saying.

Apple officially supports third party trackers, who’s manufactures are issued, by apple as a part of their MFI programs, keys with which these third party devices must use to sign their pairing requests to the users apple account.

Perhaps these $5 devices do indeed include legitimate keys from apple to use from this, perhaps they have copied one from another device.

oulipo 4 days ago | root | parent | prev | next |

The Chinese clones use the Apple FindMy program, so they are official tags which can be displayed in the app. The OpenHaystack is a hack which uses different keys, and can't be shown on the app for cryptographic reasons

emsixteen 4 days ago | root | parent | prev |

The clones are limited though, are they not? Like, they don't have the directional stuff and all that do they? I may be misremembering what I've read elsewhere.

dalemhurley 4 days ago | prev | next |

This is amazing. I love Apple AirTags but they are so bulky and an odd shape.

I would love a AirTag the shape of a credit card to go into my wallet.

I would love a smaller AirTag to go on my cats collar.

rahimnathwani 4 days ago | root | parent | next |

You can buy third party "Find My" compatible tags for about $5 from Temu or Aliexpress. Although they're about the same size as regular Airtags, they're:

- easier to take apart (if you want discard the casing), and

- cheaper

I took one of the ones I have out of its casing to see what could be made thinner, and I found that most of the thickness was due to:

- The batter holder (CR2032)

- The speaker

- The button

The speaker and button could probably be dispensed with after initial setup. The battery holder could be removed, and the power supplied from the side instead of the top (if you want a thin card-like form factor).

Havoc 4 days ago | root | parent | next |

Guessing those are missing ultra wide band?

Seems doubtful to me that someone implemented all three frequencies at 5 bucks

ceejayoz 4 days ago | root | parent |

How much do you think a $20 AirTag costs to actually manufacture?

stavros 3 days ago | root | parent |

I don't know how much it costs to manufacture, but nobody is selling a UWB tag for $5. For $5, you only get BLE.

ceejayoz 3 days ago | root | parent |

I certainly can't claim to have ordered and received one, but there are absolutely $5 UWB devices for sale on AliExpress, and that's before any bulk discount.

If Apple sells them for $20 it's highly likely some random Chinese seller can make money at $5.

stavros 3 days ago | root | parent |

Can you link me to one? I haven't found any of those.

namibj 3 days ago | root | parent |

I'm looking for a source of like ~100 UWB-only ones aiming for about 2~3 weeks of battery runtime on a pack of 2~3 AA batteries. Mostly depends on what voltage end the chips handle better: 2V low end, or 4.5V high end.

The aim is to keep track of where shared equipment is during the logistics phases of 39c3.

And, also, using the quite possibly wall-wart-piwered base station network to provide what's essentially rather precise indoor-GPS to users with sufficiently open FiRa hardware.

stonegray 3 days ago | root | parent | prev |

The problem is they don’t have accurate positioning via UWB, so you only get a map pin and a beep, not an arrow and an exact distance.

The $5 tags are comparable to tile or google tags, but miss the key feature of airtags.

rahimnathwani 3 days ago | root | parent | prev | next |

I was wondering what you were talking about, as I have never seen the arrow when trying to locate a genuine AirTag that's misplaced within our house.

But that's because neither of the devices I've used to locate things (a recent iPad and an iPhone X) have the UWB hardware.

rahimnathwani 3 days ago | root | parent | prev |

Another thought: these $5 tags still seem as good or better than a DIY tag using the current version of OpenHaystack, right? Unless OpenHaystack supports UWB?

sodality2 4 days ago | root | parent | prev | next |

They make super-thin AirTag compatible cards that fit in wallets.

layer8 4 days ago | root | parent | next |

The ones I’ve seen don’t have precision finding, but yes. Some even have wireless charging.

omnimus 4 days ago | root | parent |

Only Apple Airtags have precision finding. I assume because its something not allowed to third parties.

heywire 4 days ago | root | parent | prev |

I’ve even seen some wallets with built in “Find My” support.

BuildTheRobots 4 days ago | root | parent |

Kindle cover would be extremely useful.

namibj 3 days ago | root | parent | next |

I wish me a budget 10000 mAh size "phone slab format/shape" power bank with like 18W output at 9~12V kind of "fast charge" style, and a built in Google air tag. They already have a button and a battery and a case; only need to add the BLE and the Google-mandated buzzer. I'd pay 5 bucks more than for the competition without the integrated tracker. That should easily cover the cost, right?

bookofjoe 3 days ago | root | parent | prev | next |

Here's my 8.5 lb calico cat with the AirTag* she's had on her collar since she was a 3-month old kitten:

https://imgur.com/a/r9EGSOc

*Photo taken a moment ago with Meta Stories glasses

Alive-in-2025 3 days ago | root | parent |

Kind of a weird flex by mentioning the meta glasses. Nice looking cat

* Wrote this on my cell phone. ;-)

bookofjoe 3 days ago | root | parent |

>Kind of a weird flex — I love this! So HN.

Because once when I posted an imgur photo here with no camera provenance, a commenter asked "What camera was used to take that photo?

FunFact: it's MUCH easier to take a photo of your cat with glasses than a phone — hands-free is the future IMHO

Alive-in-2025 2 days ago | root | parent |

You can't win with people complaining on hacker news ;-) I was just thinking of the old days when iphones first came out and so many people added them to their signatures "sent from an iphone" or something.

It's all cool.

bookofjoe a day ago | root | parent |

Re: signatures "Sent from my iPhone" and "Sent from my iPad": those are the Apple defaults; you have to go into Settings and change them if you want to not have them appear at the end of every email.

When the devices first came out people who were early adopters liked to use them as a sign of how cool and hip they were: I know many such individuals.

Nowadays most people I'm related to and friends STILL have those defaults in place because they don't realize they can get rid of them.

You can always tell a non-techie by the fact those defaults are still there.

haliskerbas 4 days ago | prev | next |

Haven’t done the research but I wonder if you can use this to piggyback with tiny arbitrary data data payloads.

nik282000 4 days ago | root | parent | next |

Yup, there was a project recently that used the airtag network to transmit data from a hardware keylogger. The computer could be totally gapped and the data still gets home via the typist's iPhone.

LelouBil 4 days ago | root | parent | prev |

I saw someone use this to track his mail state. They have a contact sensor inside their mailbox that rotates the broadcasted key based on the trigger count.

If the key changed, aka a new different device is visible, you know mail has been dropped in, very clever !

teruakohatu 4 days ago | root | parent | next |

That is a fascinating project. Here is the link if anyone else is interested:

https://hackaday.com/2022/05/30/check-your-mailbox-using-the...

I wonder if the creator had neighbourhood style mailboxes down the road? If not this seems quite complicated solution for an object that is probably with range even BLE.

I tried building a mail sensor a couple of years ago where the mailbox was a fair distance from where I was living. I was not able to create a solution that didn't either have false positives or false negatives. For an outdoor object jostled by wind and rain it is harder than it seems.

miki123211 4 days ago | root | parent | prev |

I wish we had more / more easily accessible networks that let you do this.

Something that would let you send extremely tiny (<1kB) packets, using a wireless protocol that could be implemented extremely cheaply, piggybacking on the bandwidth of nearby internet-connected devices in a privacy-preserving way.

Amazon has a network like this called Sidewalk, using Alexa devices as gateways, but I don't think it's very open to third-party experimentation, and it's definitely not an interoperable standard on the gateway side.

xyst 4 days ago | prev | next |

I wonder what’s the upper limit of transmissions a single device can upload to Apple servers? If the Apple device has no cell service or WiFi, how long will the history of that location ping reside on device?

Also, is there a DoS vector here?

- attacker manages to simulate 1M+ Bluetooth devices

- victim randomly passes by and it crashes their phone due to a massive number of devices in single location and constantly uploading to Apple servers

raffraffraff 4 days ago | prev | next |

Hmmm, but can you use it to set up an actual AirTag without having another apple device like iPhone or Mac?

bhaney 4 days ago | prev | next |

This is a technically interesting project, but is there any situation at all where it's worth using? It seems like it just allows you to build airtag-like devices that sorta work on the Find-My network with some rough edges, but I can buy proper AirTag clones in various form factors for a couple bucks - far cheaper than I could ever make a custom bluetooth device using this project. Am I missing a use-case?

crummy 4 days ago | root | parent | next |

If you had a laptop with Bluetooth, you could install this on it and find it if it were lost, I think.

bhaney 4 days ago | root | parent | next |

Okay yeah, that appears to be true. Looks like the broadcast part currently only runs on Linux (or microcontroller firmware), while the client only works on macOS, so you'd need to lose your Linux laptop and then find it with your Apple computer, but it does seem like that setup would work if you had it. Maybe it'll be ported to other OSs at some point, if that's even possible.

bpbp-mango 4 days ago | root | parent | prev | next |

Are the clones any good though? Where do you even get them?

bhaney 4 days ago | root | parent | next |

They've been perfect for me. I buy them on Temu for around $2.50 each and they work exactly like normal AirTags minus the ultra wideband precision finding. I pair and track them in the normal iOS FindMy app. Haven't been using them long enough to know how long the batteries last, but they advertise >1 year and they still all report pretty full batteries after a few months of usage, so I'm hopeful.

The credit card form factor ones for wallets are more expensive ($10) but can be wirelessly recharged on Qi chargers.

cjrp 4 days ago | root | parent |

Any recommendation for brand etc for credit card sized ones? I’ve an old Tile that needs replacing.

bhaney 4 days ago | root | parent |

"Brand" is a somewhat nebulous concept for chinese knockoffs, but the particular ones I got are each branded as "RSH Smart Tag." Though I'm pretty sure all the different listings are the same device coming out of the same factory with different random brand names printed on them. I'd just compare all the ones that say they work with iOS Find My and have wireless recharging, then get the cheapest one, specific branding be damned.

Edit: I just checked, and actually only two of my cards (which came in a two-pack) are branded with RSH, and the other one has no branding on it at all. It's definitely an identical device though - the only difference is the lack of branding.

solarkraft 4 days ago | root | parent | prev |

They are quite good. I get mine on AliExpress and the batteries have been lasting for at least a couple of months now.

uzyn 4 days ago | prev | next |

Impressive. Would Apple be able to simply block non-Apple usage of Find My network usage simply by refusing to relay non-Apple BLE ID?

malmeloo 4 days ago | root | parent | next |

No, the BLE identities of these tags are currently practically indistinguishable from original tags, and could be made completely identical if necessary. In fact, changing the device's MAC address is part of the specification. What they could block, is the method used by these projects to fetch encrypted location reports. However, the original OpenHaystack project (this one) needs to run on macOS and lets the system handle account authentication, so it's unlikely to get blocked any time soon.

Brajeshwar 4 days ago | root | parent | prev |

If I remember correctly, Apple was supposed to openly accept and encourage others to leverage their network and make more “AirTag” capable devices.

denysvitali 4 days ago | root | parent | next |

Yes, because they get a commission for every device registered on the network.

In the join process, there is a key that is shared only for developers who paid the fee - which is why it's not really trivial to create an AirTag clone without dumping the Apple AirTag flash

heywire 4 days ago | root | parent | prev |

A quick search on Amazon shows a number of generic trackers compatible with “Find My”. In fact, the one on my dog’s collar is one of these.

1024core 3 days ago | prev | next |

QQ: Why would one build your own? Is the cost of building one's own lower than just buying an Airtag off the shelf? I recently bought some for about $15. Would building my own be cheaper?

culi 3 days ago | root | parent |

I used to put one on my indoor/outdoor cat. She was a small cat so I always felt bad by how large the airtag was.

If we were still doing this, I would consider building an optimized one that's smaller and a better shape for her

Another use-case could be to build a tag that is able to leverage multiple different networks (Tile, Chipolo, etc)

pishpash 3 days ago | prev | next |

So, how exactly do you "build your own tags"? You need Bluetooth-enabled devices that can run this software?

pyronik19 4 days ago | prev | next |

Would there be a way for the bluetooth device to rotate its broadcast keys in a predictable way to avoid the iphone notification of "unknown airtag close by" messages? Seems like this could be exploited for surveillance.

mrshadowgoose 4 days ago | root | parent | prev | next |

Sure, that works.

One can also just cycle through a sufficiently large bank of pre-allocated keys, such that a findmy receiver doesn't see the same key too frequently.

denysvitali 4 days ago | root | parent |

You just need to derive a new key, this process is already part of the protocol to avoid being tracked while you wear your airtag

denysvitali 4 days ago | root | parent | prev |

Technically it would need to rotate every 15 minutes or so - the notification you're talking about happens when the device is in "lost mode" (away from its owner): in that case the key is rotate every 24 hours

letters90 4 days ago | prev |

> All you need to use is a mac.

Might as well require you to pay 1000$ up front to use.