That’s a much harder problem than VW would need to solve. Also, Find My substantially predates the Find My network and AirTags.
There are very straightforward solutions, depending on the threat model. For example, the app could send VW a private key every day, and VW would send that key to the car. Then the car sends periodic location reports, encrypted to that key. VW can, upon request, send the report to the app, which decrypts it. But VW can’t decrypt the report itself, so they don’t know the location of the car. Also, it’s forward secure in the sense that a leak of VW’s database is entirely useless after a day.
You cannot establish a private channel between app and car if you don’t already have either a pre-shared secret, or pre-shared trusted certification authority keys (such as to allow TLS-like tamper-resistant encrypted communication between app and car) that VW can’t replace.
Otherwise, if there is no pre-existing private channel, the key (which by the way would have to be the public key, not the private key) could be switched out by VW acting as a man-in-the-middle, allowing it to access all encrypted content going through it.
The same is true for Apple. There are parts of the protocol or the pairing where you have to trust Apple, either their servers, or if the establishment happens locally via bluetooth or similar, their software that runs on the local devices.
This argument seems like a fairly extreme example of the perfect being the enemy of the good. Sure, it would require a more advanced system for VW to prevent themselves from silently compromising their own system to learn everyone’s location. But the design I outlined will prevent a passive compromise of VW, and even possibly a court order, from learned everyone’s location, and it prevents even an active and highly malicious compromise from learning past locations.
"Shipping the private key" does not meet the bar for "good". You still need a way to establish trust in your key distribution and also implement the system correctly. The proper way to secure access to a physical thing you own is to only communicate directly with that thing.
This is ridiculous. It would take heroic effort for VW to prevent themselves from silently uploading malicious firmware to VW cars. There are ways to do this, but it’s also a separate problem from the problem that should actually be solved here.
I was triggered by the argument “Apple knows how to allow one to find one’s devices without Apple knowing where they are. It’s not that hard.” People misunderstand this as Apple having no possibility to learn the location if they wanted to. And that’s just not the case.
It would work exactly like how you can send an encrypted email to multiple recipients and each of them can decrypt it despite having different private keys. That part isn’t rocket science.
This is not hard. App login sets up a session with VW (which is surely already does), except the session needs a database entry and not just a JWT-like token. (Many auth frameworks do this anyway.) The database row needs to add a public key, and the server needs to send all the key changes to the car. And that’s about it.
What, exactly, makes it hard to get this to work reliably in the real world? The app already won’t work without a valid login session. The car is already sending a little blob of data to the mothership containing a location. If the communication to the mothership changes to having the mothership send a list of keys and the car encrypt its blob, that’s basically it. The total increase in communication needed is one round trip to revalidate keys.
I realize that modern development has layers and layers of documents and teams and overcomplicated interfaces, but this is the kind of thing that could be done by one developer, using two servers and a load balancer (or a more creative HA scheme with client assistance that can easily survive complete loss of a datacenter or two), that can handle the entire fleet.
The app and car will have intermittent connection to the internet.
My car for example doesn't have reliable connection when it's parked in the garage, which is where I charge it.
Your solution would add a lot of extra edge cases that needs to be considered.
You have to ensure the updated key is reliably transferred to the mothership in a timely fashion, and subsequently that the key is reliably transferred to the car in a timely fashion.
That's the back-end stuff. There's also the front-end stuff, like will my SO understand why her app isn't showing the car's location but mine is?
Not saying it's impossible, but it adds a lot of complexity beyond simply encrypting the location with multiple keys.
If the car has enough signal to report, it has enough signal to get the key update. I don't see the problem.
Losing connection for extended periods of time can get in the way of "timely" key updates but they won't cause the encryption to fail.
> That's the back-end stuff. There's also the front-end stuff, like will my SO understand why her app isn't showing the car's location but mine is?
Well the reasons I can think of are either things like the server being broken, which can happen without any encryption, or she didn't finish setting up her app and waiting for it to sync which can also happen without encryption. Or she was removed from the list because she didn't open the app for a year... which can also happen without encryption.
> Losing connection for extended periods of time can get in the way of "timely" key updates but they won't cause the encryption to fail.
To be fair, if the car is offline while a newly installed app logs in, then the app won’t be able to locate the car until the car checks in. Which is not actually the end of the world, and there are ways to mitigate this. (See iMessage and Keybase for a couple of different approaches to this. See Signal for a shockingly poor group of bizarrely mutually incompatible solutions that barely work. I think that Matrix tries, too. MLS should be able to handle it, and piggybacking off an existing standard like MLS might be entirely reasonable albeit dramatically more complex than the simple solution I outlined.)
There are very straightforward solutions, depending on the threat model. For example, the app could send VW a private key every day, and VW would send that key to the car. Then the car sends periodic location reports, encrypted to that key. VW can, upon request, send the report to the app, which decrypts it. But VW can’t decrypt the report itself, so they don’t know the location of the car. Also, it’s forward secure in the sense that a leak of VW’s database is entirely useless after a day.