3

I was reading Google's blueprint about their new technology called Find My Device and what took my interest was unknown tracker identification and how Google does that.

Unknown tracker alerts. The Find My Device network is also compliant with the integration version of the joint industry standard for unwanted tracking. Being compliant with the integration version of the standard means that both Android and iOS users will receive unknown tracker alerts if the on-device algorithm detects that someone may be using a Find My Device network-compatible tag to track them without their knowledge, proactively alerting the user through a notification on their phone.

Does anybody know how it is implemented except location data send rate limiting and throttling? My understanding is that any person that passes by the phone owner and has enabled "Find my Device" function will be treated by Google as a potential spy that tracks its victim, which in fact is not true. In very crowded places like airports and train stations this approach may generate a lot of noise and hide real unknown tracking from the legitimate users of the Find My Device network. The density of signals in such areas can be very verbose and not useful. Any idea how Google identifies malicious from non-malicious actors?

P.S. Yes, I've read Unknown tracking draft specification Google is referring to in its blog, but it is written in a very clumsy language so I wasn't able to get this chunk of information. I'd be grateful if anybody can point out the necessary chapter of this draft where this algorithm is described. Not to mention we have no idea if Google fully adhered to this spec.

Improve this question

4 Answers 4

Reset to default
5

The doc is pretty detailed on how it avoids some of the problems you mentioned, such as crowded train stations, or traveling on the same train with someone for a long time.

Section 3.3 requires a tag to keep an internal state that says "I can send my location to my owner on the network." This state means the tag is capable of revealing its location, putting it in the danger zone of being an unwanted tracker. Section 3.3 also mentions a "near-owner" state (detailed in section 3.8) that says "I'm near my owner" or "I'm separated from my owner." It's assuming that if the tag is traveling with its owner, you are already visible to the owner and they are probably a bigger threat than the tag. This helps reduce false positive alerts, and as we'll discover in section 3.5, this also helps protect a legitimate tag owner from being tracked by someone else using their own tags against them.

Section 3.4 details how to figure out when to change the state from near-owner to separated. Section 3.4.4 says it has to mark itself as separated after 30 minutes away from its owner.

Section 3.5 talks about the MAC address, which is the ID the tag sends over Bluetooth to any nearby phones.

  • If the MAC address never changed, someone could use your real tag to identify you every time your tag enters their zone -- bad for your privacy.
  • But if the MAC address randomly changes every time you look at it, your phone can't tell when the same tracker has been with you for too long -- bad if you're being tracked with someone else's tag.

Section 3.5 says the MAC has to rotate every 15 minutes when it's with its owner, but every 24 hours when it's not. So if your phone sees the same MAC for more than 15 minutes, it can alert you that it might have picked up an unwanted tracker.

Sections 3.6 through 3.11 all talk about technical required Bluetooth data.

Section 3.8 says the device has to send out the current value of the "I'm near my owner" or "I'm separated from my owner" flag. To filter out large crowds of people with tags in their pockets, your phone would ignore all the MAC addresses flagged that they're near their owners, and track only the MAC addresses of the "separated" tags that put you at risk.

3.12 lists ways to help someone physically discover a separated tracker. It starts 6 hours after it's been separated from its owner. If it has a motion sensor, beginning 8-24 hours after it's been separated it has to make a sound when it's moved, flash lights, vibrate, or do something else to attract attention. Also any time after 6 hours a non-owner can use their phone to make it beep, flash lights, or whatever to help them find it.

3.13 says that the finder of an unwanted tracker must be provided with instructions how to disable that exact device.

3.14 says every device has to have an ID printed on it, such as a serial number, and 3.15 says the manufacturer has to keep an registry matching serial numbers to owners, and to provide that data to law enforcement in response to a lawful request.

Sections 4 & 5 are more technical requirements.

Section 6 says what your phone must do. 6.1 says it has to provide the "near-owner" information so your tag knows when it's with you or not.

The rest of the doc is more technical requirements.

EDIT

The "random looking MAC" is likely generated using a cryptographic algorithm in a "counter" mode, something like encrypting a sequential value with a secret key that Google knows, but obviously doesn't share. Determining how to do this would be up to each implementer's cryptographers, and wouldn't have to be standardized.

Improve this answer
3
  • Perfect explanation, thank you! Two things in the spec that aroused my curiosity: Bluetooth MAC address field which looks random how they achieve that? I didn't find that Vol 6, Part B, Section 1.3.2 of the [BTCore5.4] they are referring to. The second thing is motion sensor that helps to locate the spy tracker. What if the device doesn't have a motion sensor, it is declared as non-conformant to this spec? Commented Nov 15, 2024 at 16:49
  • 1
    I added a guess. If it's not in the standard, there's no reason they'd need to tell us how it works. Commented Nov 16, 2024 at 19:47
  • I'm not sure if it's absolutely required, although if it does exist it needs to behave according to the spec. Accelerometer chips are cheap and small enough and could be added to any device. So there's no reason not to include one if it improves the safety of the users. Commented Nov 16, 2024 at 19:56
4

As far as I know, the Find my Device app on the phone has a cache of all recently contacted tags. So, I imagine that if a tag is marked as "unknown" and is still with you beyond a certain distance in time and space (i.e. when the phone "sees" the tag and tries to add it to its cache, it finds it's already there, but it's not a registered known tag), then that tag might be considered to be "unknown" and "traveling with you", and at that point you'll be warned.

A casual brush in the airport won't trigger this scheme, while AirTags in someone's backpack near you during a tube commute probably might.

Improve this answer
2
  • that makes sense. do you think this is described in the spec I attached, or it is google-specific implementation piece? Commented Nov 5, 2024 at 22:58
  • 2
    The "spec" and related info - when I did my research - had a lack of details so complete and thorough that it just has to be intentional (e.g. possibly an attempt to implement "security through obscurity"). What bugged me the most was the lack of an option to make a tracker "known", and any reasonable explanation of said lack. A possibility is that AirTags send a beacon that changes every time, using a cryptographic rolling code, so that there is no way of "knowing" them unless you're Apple. Commented Nov 6, 2024 at 0:43
1

There are three uses for a tag: To recover lost items, to stalk a victim, or to find a thief. In the first use case, which is fully legitimate, someone lost say their camera with a tag. You walk past the camera: You get closer, at the closest point your phone reports the tag, then you go further away. There is a rare case when you stay near the tag: If you have your lunch at the park bench where I lost my camera.

In the stalking case, the stalker put the tag into your pocket. Your phone noticed tag nearby and the tag tells you the owner is nearby. Then the owner disappears. That is suspicious and an indication of possible stalking. Now if you steal my camera, the exact same things happen: You and the owner are near the tag, you grab the camera, and the owner disappears. This looks the same as the stalking situation, and the thief gets a stalker alert. Society decided that preventing stalking using tags is more important than catching thieves.

So you see that stalking shows a certain identifiable behaviour of tag and owner. Both Google and Apple then try to use a strategy that maximises the chances of stalking while minimising the number of false alerts.

Improve this answer
1
  • Then the owner disappears that is very high-level and missing details that I asked for. From your description it is not clear who is the owner and how the system identifies the owner and the stalker Commented Nov 12, 2024 at 22:15
0

In this Google support article, it is explicitly said that:

Android devices participating in the Find My Device network use Bluetooth to scan for nearby items. If they detect your items, they securely send the location where they detected the items to Find My Device. Your Android device does the same to help others find their lost items when it detects them nearby.

So this is exactly as you though, other devices are fundamental.

Other technologies, such as Apple's AirTag work from the same principle.

Improve this answer
2
  • I know about bluetooth scanning and this doesn't explain anything about my question. The spy (unknown tracker) can send the same bluetooth response which can make him identifiable like the regular Find My Device phone Commented Nov 4, 2024 at 21:42
  • @Suncatcher Well because I’m not a technician at google, I don’t know for sure. But I am sure that they would have security policies/techniques in place to stop that. Commented Nov 4, 2024 at 22:34

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.