Scott Conway

Information Security Researcher

Airtags for non Apple Users

Pointless Exposition

I’m not in the Apple ecosystem, but I was quite enthused about the announcement of the airtag and the FindMy network back in 2019. The private-by-design protocol / implementation looked great, especially compared to literally any other existing tracker. And the reporting network being more-or-less all iOS devices made sure that it would have a very large userbase to begin with. I wanted to use an airtag at this time, but the software for using them outside of the Apple ecosystem didn’t yet exist. So I settled for the privacy invasive Tile tracking network.

Then openhaystack came out. Awesome, arbitrary use of the FindMy network! However, it was a proof of concept more than anything, and thus didn’t really help me in my quest.

Then came Macless-Haystack. It looked especially promising, and possibly usable!

Laziness bred indifference, and I kept waiting to be spoonfed a solution to track airtags from non-apple devices, even with the ongoing development of Macless-Haystack. Recently, all of my tiles started experiencing hardware defects(?) around the same time, with charged batteries (the speakers appear to function, but won’t play for more than half a second, making them useless - thanks Tile!). It was evidently time for me to move on, so a check-up on using FindMy outside of the Apple ecosystem was warranted.

As of 2024, FindMy.py started development - more on its capabilities below!

Hardware Setup

As of writing, you need an iOS device running iOS 14.5 or later to provision items on the FindMy network. The iPhone 6s seems like the cheapest option. You’ll also need a MacOS host running MacOS 15 (Catalina) or later to run the Find My application.

Set up an iCloud account on the iOS device and Mac, and pair the FindMy item to your iCloud account on the iOS device. Watch it pop up on the Mac’s Find My app!

Decrypting Records

In order to use FindMy.py, you need to decrypt the FindMy device records into plist files. There are a few ways that I was pointed towards, but only one method worked for me. This issue is a good place of discussion for various decryption methods.

From that issue, I found the following:

I was able to use the original airtag-decryptor script to decrypt all FindMy records on my host. However, a few notes:

Finding the Right Plist

All plist files without a privateKey section can be discarded. You can check the pairingDate value to see when a given item was paired, and kinda guess which item it may be. The model string may identify it as an iOS device (or maybe more)? There wasn’t a model present for an official airtag.

Using FindMy.py

real_airtag.py is a great starting point for logging in and retrieving reports for a given device from its plist file. However, it needs a tiny bit of setup first.

For initial testing, you can use a public anisette server. SideStore has a list of public anisette servers here.

However, it may be best to self-host if you’re able, due to login issues on public anisette servers. I experienced an issue similar to this one from one of the top-listed public anisette servers, but have had no issues since I started hosting my own.

real_airtag.py simply prints out recent location reports for the given plist, serving as a nice proof-of-concept.

Self-Hosting Anisette

This anisette server software is recommended by the author of FindMy.py, and works well enough. Do note, the docker command / docker-compose entry will require the user to be set, as referenced in this issue.

Now What?

I’m not quite sure! I might try down the path to use Macless-Haystack, but it may also be overkill for my use-cases. Personally, I need to develop a list of wants with my use of the FindMy network. I’m hoping that a little bit of scripting and the use of FindMy.py may be all that I need.