Apple’s Find My Network: Can be Abused to Leak Secrets Via Passing Devices
Apple’s Find My network, which is used to track iOS and macOS devices – as well as more recently AirTags and other kits – has been revealed to be a possible espionage tool.
In brief, passing Apple devices can be used to send data over the air from one location to another, such as a computer on the other side of the world, without the need for any other network connection.
Using Bluetooth Low Energy (BLE) broadcasts and a microcontroller designed to act as a modem, Fabian Bräunlein, co-founder of Positive Security, invented a way to send a limited amount of arbitrary data to Apple’s iCloud servers from devices without an internet connection. A Mac application can then download the data from the cloud. He dubbed his proof-of-concept service Send My in a blog post on Wednesday.
When activated in Apple devices, the Find My network acts as a crowdsourced location-tracking system. Participating devices transmit over BLE to other nearby Apple devices, which then relay data back to Cupertino’s servers via their network link. Authorized device owners can then use the company’s iCloud-based Find My iPhone or iOS/macOS Find My app to get location reports on enrolled hardware.
Researchers from Germany’s Technical University of Darmstadt – Alexander Heinrich, Milan Stute, Tim Kornhuber, and Matthias Hollick – released an overview of Apple’s Find My network’s protection and privacy in March, uncovering a few issues along the way.
Bräunlein’s aim was to see if the Find My network could be exploited to send arbitrary data from devices that didn’t have access to the internet. “Such a technique could be employed by small sensors in uncontrolled environments to avoid the cost and power consumption of mobile internet,” he states. “It could also be interesting for exfiltrating data from Faraday-shielded sites that are occasionally visited by iPhone users.” Since he didn’t find any rate-limiting mechanism for the number of location reports devices can send over the Find My network, he theorizes that his strategy may be used to deplete smartphone users’ data plans.
With each report being more than 100 bytes, broadcasting a large number of unique public encryption keys as part of the Find My protocol would increase the amount of mobile traffic sent. Bräunlein used an ESP32 microcontroller with OpenHaystack-based firmware to transmit a hardcoded default message and listen for new data on its serial interface for his data exfiltration scheme. These signals will be picked up by nearby Apple devices that have to Find My broadcasting switched on and transferred to Apple’s servers.
In order to satisfy Apple’s authentication criteria for accessing location data, obtaining data from a macOS computer necessitates the use of an Apple Mail plugin that runs with elevated privileges. To view the unsanctioned transmission, the user must also install OpenHaystack and run DataFetcher, a macOS app created by Bräunlein.
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.