
Apple's Find My feature requires two devices, boasts extreme security safeguards

Apple executive Craig Federighi introduces Find My at WWDC19.

A report on Wednesday digs deep into Apple's new Find My service, an upcoming iOS 13 and macOS Catalina feature that leverages encrypted crowdsourced data to pinpoint the location of a missing or stolen iPhone, iPad or Mac.

Apple SVP of Software Engineering Craig Federighi unveiled Find My onstage at the Worldwide Developers Conference on Monday, touting the new tool's ability to track the location of iOS 13 and macOS Catalina devices even when they are offline.

A high-level overview of the technology revealed Apple is leveraging its massive user install base to power Find My. Target devices send out Bluetooth beacon signals that are picked up by nearby iOS or Mac machines, which relay the identifier and their own location information back to Apple for later retrieval by Find My users.

The entire process, from beacon generation to crowdsourced location data gathering, is automated, encrypted and designed to prevent bad actors, and Apple itself, from snooping on unsuspecting device owners.

"Now what's amazing is that this whole interaction is end-to-end encrypted and anonymous," Federighi said. "It uses just tiny bits of data that piggyback on existing network traffic so there's no need to worry about your battery life, your data usage or your privacy."

Apple provided additional context on the inner workings of Find My in a discussion with Wired. The publication broke down the system into a series of steps, the first of which reveals Find My requires at least two Apple devices to function.

When Find My is set up, the user's Apple products, of which there must be at least two, generate a cryptographically strong private key that is shared between registered devices through end-to-end encrypted communication. This key is stored locally, presumably in the iPhone's Secure Enclave or the Mac's T2 chip, for later use.

A public key is also generated and acts as the beacon sent out to nearby devices via Bluetooth; data encrypted with it can only be decrypted with the aforementioned private key. This public key rotates frequently (the exact timing was left undisclosed) and in such a way that new values cannot be linked to previously used key versions.

The Bluetooth beacon is broadcast to nearby devices, which automatically pick up the signal, encrypt their own location using the public key and send this encrypted location, along with a hash of the public key, to Apple's servers.

With the data stored in Apple's cloud, users looking for a lost device open Find My on a second Apple device to conduct a search. The second device sends a hash of its own public key to the cloud, which is matched with the stored beacon key. How, exactly, Apple is able to pair two rotating public keys is at this point unknown.

Finally, Apple transmits the encrypted location of the lost device down to Find My user devices, which decrypt the information using the stored private key.
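
The steps above can be modelled end to end in a few lines; the following is an added toy illustration, not Apple's code or its actual scheme. It assumes that each rotating key pair is derived from the shared secret and a period counter (one possible way for two devices to arrive at the same public key, since the real mechanism is undisclosed) and uses a small ElGamal-style construction with toy parameters; all function names and sample values are hypothetical.

```python
import hashlib, hmac, secrets

P, G = 2**255 - 19, 2  # toy group parameters (assumption, not Apple's; not production-grade)

def period_keypair(secret: bytes, period: int):
    """Key pair for one rotation period, derived from the secret the owner's devices share."""
    d = hmac.new(secret, period.to_bytes(8, "big"), hashlib.sha256).digest()
    priv = int.from_bytes(d, "big") % (P - 2) + 1
    return priv, pow(G, priv, P)

def key_id(pub: int) -> str:
    """Hash of a public key: the only index the server stores or is queried with."""
    return hashlib.sha256(pub.to_bytes(32, "big")).hexdigest()

def _xor_pad(data: bytes, dh_shared: int) -> bytes:
    pad = hashlib.sha256(dh_shared.to_bytes(32, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def finder_report(beacon_pub: int, location: bytes):
    """Nearby device: encrypt its own location to the beacon key (ElGamal-style)."""
    if len(location) > 32:
        raise ValueError("toy pad covers at most 32 bytes")
    eph = secrets.randbelow(P - 2) + 1
    blob = (pow(G, eph, P), _xor_pad(location, pow(beacon_pub, eph, P)))
    return key_id(beacon_pub), blob

def owner_lookup(secret: bytes, period: int, server: dict):
    """Owner's second device: re-derive the period key, query by hash, decrypt locally."""
    priv, pub = period_keypair(secret, period)
    blob = server.get(key_id(pub))
    if blob is None:
        return None
    eph_pub, ct = blob
    return _xor_pad(ct, pow(eph_pub, priv, P))

def simulate(secret: bytes, period: int, location: bytes) -> dict:
    """Lost device beacons its period key; a finder uploads; returns the server's state."""
    _, beacon_pub = period_keypair(secret, period)  # all that goes over Bluetooth
    kid, blob = finder_report(beacon_pub, location)
    return {kid: blob}

if __name__ == "__main__":
    secret = secrets.token_bytes(32)                     # constructed sample secret
    server = simulate(secret, 41, b"37.3349,-122.0090")  # constructed coordinates
    print(owner_lookup(secret, 41, server))              # owner recovers the location
    print(owner_lookup(secret, 42, server))              # different period: no match
```

In this model the server only ever holds a key hash and a ciphertext, and a device without the shared secret can neither find the record nor decrypt it.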

Find My debuts with iOS 13 and macOS Catalina this fall.



26 Comments

fastasleep 14 Years · 6451 comments

It’s seemingly small stuff like this that’s really at the heart of Apple’s innovation. This is amazingly cool stuff. 

Soli 9 Years · 9981 comments

It’s seemingly small stuff like this that’s really at the heart of Apple’s innovation. This is amazingly cool stuff. 

+1.

The day before "Dub Dub" I was talking about how I wish Find My Mac was able to work more like Tile and Trackr, but through all Apple devices, since the chances of a stolen Mac of mine being connected to the internet would be very slim.

StrangeDays 8 Years · 12986 comments

It’s seemingly small stuff like this that’s really at the heart of Apple’s innovation. This is amazingly cool stuff. 

Indeed it is. Innovation doesn’t always mean some shiny new product, it’s often small and invisible. For every scenario where people claim Apple isn’t innovating anymore (because they expected a holographic 3D comm device or some nonsense), there are multiple instances of cool thinking like this. 

EsquireCats 8 Years · 1268 comments

I am amused by the prospect of a criminal's own mobile phone providing the location of the Apple device they had just stolen.

Kuyangkoh 7 Years · 838 comments

I am amused by the prospect of a criminal's own mobile phone providing the location of the Apple device they had just stolen.

Like the recently busted after $16 million and 7 years in the making? So Apple didn’t catch this scheming?? I am amazed