Hackers can turn Bluetooth devices into trackable ‘AirTags’


Hackers have worked out how to exploit Apple’s Find My network, by abusing Bluetooth on a device to effectively turn anything into a trackable AirTag.

The Find My network is considered to be an extremely useful service, allowing users to track down a mislaid iPhone, lost luggage, or even a stolen car adorned with an AirTag. However, while Apple has done what it can to make the network as secure and as trustworthy as possible, security researchers have apparently managed to work around the protections.

George Mason University researchers, associate professors Qiang Zeng and Lannan Luo and PhD students Chen and Xiaoyue Ma, created “nRootTag” as an attack that takes advantage of Bluetooth addresses. It does so by tricking the Find My network into thinking a device is a missing AirTag.

An AirTag works by broadcasting Bluetooth messages in the hope that they are picked up by iPhones and other Apple hardware that happens to pass by. The location of the device that heard the ping is then relayed anonymously through the Find My network to Apple’s servers, and provided to the designated owner of the AirTag.

In experiments, the team was able to make non-Apple hardware behave as if it were an AirTag, and be trackable on the network.

An AirTag’s Bluetooth address is derived from a cryptographic key and changes over time, but an attacker couldn’t alter the Bluetooth address of other hardware in the same way without first having administrator privileges on it.

To work around this, the team’s idea was to create efficient key search techniques that can create a key compatible with the Bluetooth address. Rather than changing the Bluetooth address to match the key in Apple’s technique, the team made the key fit the Bluetooth address.

Since the Find My network trusts device signals implicitly, Find My becomes an unwitting assistive tool.

Intensive but reliable

The nRootTag technique is quite reliable, with a 90% success rate, and works within minutes.

It’s also able to work on a wide variety of devices and operating systems, such as smart TVs and VR headsets, not just computers and smartphones. In one test case, an e-bike was tracked across a city.

Furthermore, since deep system access to the target device isn’t needed, the attack can be carried out remotely over the Internet, without the victim’s knowledge.

“While it is scary if your smart lock is hacked, it becomes far more horrifying if the attacker also knows its location,” explains Zeng. “With the attack method we introduced, the attacker can achieve this.”

The reliability and capability of the attack vector can seem quite sinister, but at the same time, the team admits that a lot of work has to be done to accomplish it. “Time is essential in an actual attack, and we don’t have a year to do the cracking,” said Chen.

To find matches quickly, the team relied on banks of hundreds of graphics processing units to handle the workload. This was achieved by cheaply renting GPUs owned by others to carry out the work.

While this is similar in concept to Bitcoin mining, it differs in that more than one solution is kept. Keys that don’t match the current target can be saved to a database and reused in the future.

The processing requirements make it hard to believe that the attack could be used against large numbers of people. However, it could theoretically be used by well-heeled marketing companies building advertising profiles, without needing traditional GPS-based location services to be enabled.

On a more malicious level, the amount of resources required means it’s a technique that lends itself more to espionage and security agency activities targeting people of interest, not the public at large.

A long time to fix

The researchers notified Apple of the issue in July 2024, as per the typical responsible disclosure process, and Apple acknowledged it in security updates. However, Apple has not disclosed how the problem will be fixed.

Even after a patch is released, the team expects the problem to persist for years, because many users are slow to update their Apple devices. Those slow updates will keep the Find My network somewhat vulnerable for quite some time to come.

The team plans to present its findings on the project at the USENIX Security Symposium in August.
