Endpoint Validation for FindMy to Prevent Surreptitious Tracking

[cfossace]

Currently, there is no endpoint validation for FindMy, so the FindMy protocol provides transit for ALL traffic, even unwanted or malicious traffic.

This means is that anyone can use FindMy to place a tracker on someone (that is not an AirTag) so it will NOT be detected by Apple's anti-tracking framework.

There needs to be some kind of endpoint validation to ensure that only legitimate Apple devices (or trackers that have been developed by official Apple developers using the FindMy Developer Program) are enrolled.

1) POC for registering non-Apple endpoints to the FindMy network to be geolocated by FindMy protocol https://github.com/seemoo-lab/openhaystack

2) POC for circumventing anti-tracking framework that allows malicious actors to surreptitiously track people https://samteplov.com/uploads/who-tracks-the-trackers/trackers.pdf

3) Potential Endpoint registration approach that also preserves user privacy https://petsymposium.org/popets/2023/popets-2023-0006.pdf

[cfossace]

More POCs https://github.com/furiousMAC/antitrackingtags

[bledvina]

This is something that IETF DULT WG will be taking up as part of the WG charter: https://datatracker.ietf.org/meeting/118/session/dult

Draft charter: https://github.com/bdetwiler/draft-detecting-unwanted-location-trackers/blob/main/charter/charter-detecting-unwanted-location-trackers.md