Apple’s Find My network, built for tracking lost devices, can also be turned into a covert data channel. Specifically, a weakness in the Find My network lets a device with no internet connection of its own push arbitrary data to Apple’s servers through any nearby Apple device, from where anyone with an Apple ID can retrieve it.
Find My Network Vulnerability Exposed Data
Fabian Bräunlein of Positive Security shared details about a serious vulnerability in Apple’s Find My network in a blog post.
Briefly, the Find My network locates Apple devices and, with the recently launched AirTags, any item that has no internet connection of its own. An AirTag broadcasts a rotating public key over Bluetooth Low Energy; any nearby Apple device that hears it encrypts its own current location with that key and relays the resulting location report over the internet to Apple’s servers. The owner’s device later fetches the reports for its keys and decrypts them with the matching private key, which never leaves the owner’s device.
However, as Bräunlein observed, nothing in this process ties a public key to a particular AirTag or owner. Thus, it is possible for anyone to request the location reports stored for a key they never owned.
Apple does not know which public keys belong to your AirTag, and therefore which location reports were intended for you. This means the endpoint to request location reports for a specific key id does not perform any authorization (but you need to be authenticated with any Apple ID to access the endpoint).
The security solely lies in the encryption of the location reports: The location can only be decrypted with the correct private key, which is infeasible to brute force and only stored on the paired Owner Device.
Thus, the researcher built the “Send My” proof of concept. It consists of an ESP32 microcontroller running custom firmware that acts as the data uploader, and a macOS DataFetcher application, built on the open-source OpenHaystack project, that retrieves the reports from Apple, decodes them, and displays the transmitted data.
Regarding how it works, the researcher states,
When sending, the data is encoded in the public keys that are broadcasted by the microcontroller. Nearby Apple devices will pick up those broadcasts and forward the data to an Apple backend as part of their location reporting. Those reports can later be retrieved by any Mac device to decode the sent data.
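The following is an added simulation of the mechanism described above; it is not Positive Security’s code or firmware. The key layout (modem id, message id, bit index, bit value padded to 28 bytes) is an invented, simplified scheme for illustration, and the in-memory FakeBackend stands in for Apple’s report endpoint, which is indexed by a hash of the public key and performs no per-owner authorization. The receiver probes both candidate keys for every bit and reports bit positions for which no finder relayed anything, which is what a lossy Bluetooth channel produces in practice.

```python
"""Simulation of data-in-public-keys uploading over a Find-My-style network.

Added example, not the researcher's code. The key layout below is a
constructed scheme chosen for clarity; the FakeBackend stands in for the
report-retrieval endpoint, which only knows key ids, not owners.
"""
import hashlib
import os

KEY_LEN = 28  # size of the public-key material an AirTag advertises (P-224 x-coordinate)


def make_key(modem_id: int, msg_id: int, bit_index: int, bit_value: int) -> bytes:
    """Build the 'public key' that carries one data bit (constructed layout)."""
    body = (modem_id.to_bytes(4, "big") + msg_id.to_bytes(4, "big")
            + bit_index.to_bytes(2, "big") + bytes([bit_value]))
    return body.ljust(KEY_LEN, b"\x00")


def key_id(pubkey: bytes) -> bytes:
    """Reports are looked up by a hash of the key, so the key itself is the address."""
    return hashlib.sha256(pubkey).digest()


def broadcast(modem_id: int, msg_id: int, message: bytes) -> list:
    """Sender side: one BLE advertisement (one key) per bit of the message."""
    adverts = []
    for bit_index in range(len(message) * 8):
        byte, shift = divmod(bit_index, 8)
        bit = (message[byte] >> (7 - shift)) & 1
        adverts.append(make_key(modem_id, msg_id, bit_index, bit))
    return adverts


class FakeBackend:
    """Stand-in for the report store: encrypted reports keyed only by key id."""

    def __init__(self):
        self.reports = {}

    def upload(self, pubkey: bytes, encrypted_report: bytes) -> None:
        self.reports.setdefault(key_id(pubkey), []).append(encrypted_report)

    def fetch(self, kid: bytes) -> list:
        # No authorization check: any authenticated client may ask for any key id.
        return self.reports.get(kid, [])


def finder_devices(backend: FakeBackend, adverts: list, drop=()) -> None:
    """Nearby Apple devices relay every key they hear; 'drop' simulates lost adverts."""
    for i, pk in enumerate(adverts):
        if i in drop:
            continue
        backend.upload(pk, os.urandom(16))  # random bytes stand in for an encrypted location


def fetch_message(backend: FakeBackend, modem_id: int, msg_id: int, n_bytes: int):
    """Receiver side: probe both candidate keys per bit, note bits nobody relayed."""
    out = bytearray()
    missing = []
    for byte in range(n_bytes):
        value = 0
        for shift in range(8):
            idx = byte * 8 + shift
            seen0 = backend.fetch(key_id(make_key(modem_id, msg_id, idx, 0)))
            seen1 = backend.fetch(key_id(make_key(modem_id, msg_id, idx, 1)))
            if seen1 and not seen0:
                value |= 1 << (7 - shift)
            elif not seen0 and not seen1:
                missing.append(idx)  # neither key was ever relayed: bit unknown
        out.append(value)
    return bytes(out), missing


if __name__ == "__main__":
    backend = FakeBackend()
    finder_devices(backend, broadcast(7, 1, b"hi"))
    print(fetch_message(backend, 7, 1, 2))
```

Note that the receiver never needs a private key: the data sits in which key ids have reports at all, not in the encrypted locations. This is why the mitigation has to target the key format (authenticating advertisements) or the retrieval rate, not the report encryption.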
According to the researcher, preventing this exploit in its entirety is difficult given how the Find My Offline system works.
In a real-world scenario, an adversary could exploit this issue to consume the mobile data plans of nearby iPhones, to exfiltrate data from air-gapped systems, or to give small IoT devices a free upload channel even though they have no internet connection of their own.
Nonetheless, as mitigations, he recommends authenticating the BLE advertisements and rate limiting location report retrieval.