Design Find My / AirTag (Crowdsourced BLE Network)

BLE crowdsourced location, on-device crypto, anti-stalking, lost mode, battery-aware. Apple-specific signature SDI.

Theory

Explanation

Intuition first, formal definition second. Skim the bullets if you already know this; read the prose if you don't.

An AirTag broadcasts BLE beacons. Any nearby Apple device (1B+ devices) reports the beacon's public-key ID together with the device's own location, encrypted so that only the AirTag owner can decrypt it. Apple sees only ciphertext and opaque keys; it never learns who is reporting whom, or where.

The AirTag generates rotating elliptic-curve public keys, derived from a master seed only the owner knows; the key changes every 15 min. It broadcasts the current public key in its BLE advertisement. A nearby finder device captures the advertisement, encrypts its current location with that public key, and uploads the result to Apple's servers, indexed by hash(public_key). The owner's device generates the same rotating keys from the same seed, queries Apple for any reports filed under those hashes, and decrypts them locally. Anti-stalking: a foreign AirTag detected near a non-owner triggers an alert and chirps.

When to use

Crowdsourced device-finding, asset-tracking with privacy.

When not to

High-frequency GPS tracking needs (LTE-M trackers are better).

sequenceDiagram
  participant AT as AirTag
  participant F as Finder iPhone
  participant Apple as Apple Server
  participant Owner as Owner iPhone
  loop every 15 min
    AT->>AT: derive rotating public key from seed
    AT->>F: BLE advertisement (pub_key_i)
  end
  F->>F: encrypt(finder_location, pub_key_i)
  F->>Apple: PUT report indexed by hash(pub_key_i)
  Owner->>Owner: derive expected pub_keys from same seed
  Owner->>Apple: GET reports for hashes
  Apple-->>Owner: encrypted location reports
  Owner->>Owner: decrypt with priv_keys
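
The exchange in the diagram above, end to end in Node.js, as an added example that is not code from the original page or from Apple. The curve (P-256), the HMAC-based per-period key derivation, the HKDF and AES-GCM report encryption, the in-memory `server` map and all function names are assumptions for illustration; the seed and coordinates are constructed.

```javascript
const { createECDH, createHash, createHmac, hkdfSync,
        createCipheriv, createDecipheriv } = require('node:crypto');

const CURVE = 'prime256v1'; // assumption: the page names no specific curve

// Key pair for 15-minute period i. Assumed KDF: HMAC-SHA256(seed, i) as the scalar.
function periodKey(seed, i) {
  const k = createECDH(CURVE);
  k.setPrivateKey(createHmac('sha256', seed).update(`period-${i}`).digest());
  return k;
}

// The only handle the server ever sees: hash(pub_key_i).
const index = (pub) => createHash('sha256').update(pub).digest('hex');

// ECDH, then HKDF to an AES-256-GCM key and IV bound to the ephemeral key.
function keyIv(own, peerPub, ephPub) {
  const okm = Buffer.from(hkdfSync('sha256', own.computeSecret(peerPub), ephPub, 'report', 44));
  return [okm.subarray(0, 32), okm.subarray(32)];
}

// Finder: encrypt its own location to the advertised key, upload under the hash.
function finderReport(server, advPub, location) {
  const eph = createECDH(CURVE);
  const ephPub = eph.generateKeys();
  const c = createCipheriv('aes-256-gcm', ...keyIv(eph, advPub, ephPub));
  const ct = Buffer.concat([c.update(JSON.stringify(location)), c.final()]);
  const list = server.get(index(advPub)) ?? [];
  server.set(index(advPub), [...list, { ephPub, ct, tag: c.getAuthTag() }]);
}

// Owner: re-derive each period's key, query by hash, decrypt locally.
function ownerFetch(server, seed, periods) {
  const found = [];
  for (const i of periods) {
    const k = periodKey(seed, i);
    for (const r of server.get(index(k.getPublicKey())) ?? []) {
      try {
        const d = createDecipheriv('aes-256-gcm', ...keyIv(k, r.ephPub, r.ephPub)).setAuthTag(r.tag);
        found.push({ period: i, ...JSON.parse(Buffer.concat([d.update(r.ct), d.final()]).toString()) });
      } catch { /* skip reports that fail authentication */ }
    }
  }
  return found;
}

// Constructed demo: the tag advertises period 7's key and one finder reports it.
const demoSeed = Buffer.alloc(32, 1), demoServer = new Map();
finderReport(demoServer, periodKey(demoSeed, 7).getPublicKey(), { lat: 48.8584, lon: 2.2945 });
console.log(ownerFetch(demoServer, demoSeed, [6, 7, 8]));
```

The server map holds only hex hashes, ephemeral public keys and ciphertext, so two reports from different periods share nothing that links them without the seed.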

Key insights

  • Apple cannot link a tag to its owner because the index is the hash of a rotating public key, which is different every 15 min.
  • Crowdsourcing leverages 1B devices; even rural areas get coverage in cities.
  • Anti-stalking is a regulatory requirement; detection runs on iOS continuously.
  • Battery life > 1 year requires careful BLE timing + rotation cadence.
  • Identity rotation prevents long-term tracking by adversaries scanning BLE.