
OpenHaystack is a new open-source tool that lets you create DIY AirTags on Apple’s Find My network



You’ll need a Mac, a BBC micro:bit, and some determination


Image: OpenHaystack

Apple has promised to open up its Find My app to third-party accessory makers. But ahead of that, there’s a new tool that will let anybody make their own Bluetooth tracking tag to use with the Find My network so they can track its location. OpenHaystack is a new open-source tool developed by security researchers at the Secure Mobile Networking Lab, who have essentially reverse-engineered the way Apple devices register themselves to the Find My mesh network.

It is, in short, a way to create your own DIY AirTags today.

OpenHaystack works via a custom Mac app that can be used to track the location of custom tags that you create. As of right now, the tool has direct support to make a tracking tag using the BBC micro:bit mini computer, though other Bluetooth Low Energy (BLE) device support could be added by other developers in the future. Once registered on Apple’s Find My network, the OpenHaystack app will be able to report the tag’s location just like Apple’s Find My app works for iPhones and other Apple devices.

The whole system is a bit of a hack — in the sense that it’s complex, not in the sense that it’s actually hacking anything. It uses a plugin for Apple Mail (which authenticates you as a genuine Apple user) to get the necessary access to Apple’s Find My network to register tags and fetch their location reports — so Mail needs to be running for OpenHaystack to work.

There don’t appear to be serious security implications for the Find My network itself, either (though the team has submitted other bug reports to Apple). That doesn’t mean you should just go ahead and start using OpenHaystack, however. There’s an important disclaimer on the project:

OpenHaystack is experimental software. The code is untested and incomplete. For example, OpenHaystack tags using our firmware broadcast a fixed public key and, therefore, are trackable by other devices in proximity (this might change in a future release). OpenHaystack is not affiliated with or endorsed by Apple Inc.

A high-level understanding of how the security model for Find My works also helps understand why OpenHaystack is possible.

Find My works by using a combination of public and private keys. Any Apple user can access the public keys for devices in the Find My network, but you need the private key in order to actually access location information. This means not even Apple can access your location information without your private keys. The network works because nearby Apple devices collectively report sightings of the public keys, but only the holder of the matching private key can read the location data.

How OpenHaystack gets on the Find My network.
Image: OpenHaystack

What OpenHaystack does is create one of those public/private key pairs for your own Bluetooth tag and use Apple Mail to register it in the Find My network. To Apple, it just looks like another iPhone. The Mac app then looks up the reports filed under that public key, decrypts them with the private key you created, and bam: secure location data.
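To make the key model concrete, here is an added illustration (not OpenHaystack’s code, and not Apple’s protocol) of the three roles the article describes: the owner who generates a key pair, a finder who encrypts a location under the tag’s public key, and the owner who decrypts it with the private key. Everything specific is an assumption for the demo: the P-256 curve, the one-block X9.63-style KDF, AES-128-GCM, and the JSON location payload. The point it shows is that whoever stores the reports, Apple included, holds only ciphertext, and a different private key cannot open it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Assumed curve for this illustration; the page does not name the real one.
var curve = ecdh.P256()

// Report is what a finder uploads: its ephemeral public key plus the
// encrypted location. The server storing it cannot read the location.
type Report struct {
	EphemeralPub []byte
	Ciphertext   []byte
}

// GenerateTagKey makes the pair whose public half goes on the tag
// (broadcast over BLE) and whose private half stays with the owner.
func GenerateTagKey() (*ecdh.PrivateKey, error) {
	return curve.GenerateKey(rand.Reader)
}

// deriveKey is a one-block X9.63-style KDF, SHA-256(shared||counter||info),
// split into an AES-128 key and a 96-bit GCM nonce. A fresh ephemeral key
// per report means the derived nonce is never reused.
func deriveKey(shared, info []byte) (key, nonce []byte) {
	h := sha256.New()
	h.Write(shared)
	h.Write([]byte{0, 0, 0, 1})
	h.Write(info)
	out := h.Sum(nil)
	return out[:16], out[16:28]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptLocation is the finder's side: it knows only the tag's public key
// (from the BLE advertisement) and its own position, never the owner.
func EncryptLocation(tagPub *ecdh.PublicKey, location []byte) (Report, error) {
	eph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return Report{}, err
	}
	shared, err := eph.ECDH(tagPub)
	if err != nil {
		return Report{}, err
	}
	key, nonce := deriveKey(shared, tagPub.Bytes())
	gcm, err := newGCM(key)
	if err != nil {
		return Report{}, err
	}
	ct := gcm.Seal(nil, nonce, location, nil)
	return Report{EphemeralPub: eph.PublicKey().Bytes(), Ciphertext: ct}, nil
}

// DecryptReport is the owner's side: only the tag's private key recomputes
// the shared secret; with any other key GCM authentication fails.
func DecryptReport(tagPriv *ecdh.PrivateKey, r Report) ([]byte, error) {
	ephPub, err := curve.NewPublicKey(r.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := tagPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	key, nonce := deriveKey(shared, tagPriv.PublicKey().Bytes())
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, r.Ciphertext, nil)
}

func main() {
	tag, err := GenerateTagKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample position; a real finder would use its own GPS fix.
	report, err := EncryptLocation(tag.PublicKey(), []byte(`{"lat":49.8728,"lon":8.6512}`))
	if err != nil {
		panic(err)
	}
	plain, err := DecryptReport(tag, report)
	if err != nil {
		panic(err)
	}
	fmt.Println("owner reads:", string(plain))
}
```

The finder side is the part every nearby Apple device plays, which is why the scheme needs no trust in the finders: they encrypt to a public key they saw on the air and learn nothing about who owns it. The project’s disclaimer about a fixed broadcast key is visible here too: the same `tagPub` value appears in every advertisement, so anyone listening can link sightings of that tag even though they cannot read the reports.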

From the way it’s designed, it seems like it might be difficult for Apple to cut off OpenHaystack easily without also cutting off a bunch of older Apple devices. However, it’s also surely true that Apple as a company won’t like the whole thing and may try to find a way to block it. A developer could use the system to create a way to add Android devices to the Find My network.

The team behind OpenHaystack has written a paper detailing its methods and disclosing a now-fixed security flaw. It also released the source code for its firmware, which other developers could use to adapt OpenHaystack to other BLE devices.

Apple’s official support for third-party accessories is still coming. Belkin has already announced a set of earbuds that will support Find My. Given how complex the setup of OpenHaystack is, it probably won’t gain mass adoption. It’s similar in some ways to AirMessage and Beeper, two tools that use Mac utilities to redirect iMessages to Android devices. Apple’s ecosystem is locked down in any number of ways, but the Mac finds a way.


“Android fans, what are the primary reasons why you will never ever switch to an iPhone?” That question led to almost 30,000 comments so far, and was for a while the most popular thing on Reddit. It’s a totally fascinating peek into the platform wars, and I’ve spent way too much time reading through it. I also laughed hard at “I can turn my text bubbles to any color I like.”