You can use Apple's Find My network to steal data — here's how

Apple's Find My network can be used to steal data from devices that are not connected to the Internet, a German researcher says.

Fabian Bräunlein of Positive Security discovered that he could retrieve data from a device that has only a Bluetooth connection (essentially a homemade AirTag) by using a nearby iPhone or Mac to relay the data to Apple's iCloud servers. From there, Bräunlein was able to access the data from his Mac.

The process is very slow: Bräunlein gets a transfer rate of about 3 bytes per second, and each chunk of data is at most 16 bytes. Over time, however, he can transmit a reasonable amount of text. He calls his system "Send My."

Data theft works because each Bluetooth device on the Find My network broadcasts a public encryption key to all nearby Apple devices that are listening. Those devices record their own location, bundle it with the Bluetooth device's public key, and send the resulting "location report" to Apple's cloud.

Bräunlein found a way to embed a message in the encryption key of the location report, resulting in a very short secret message being successfully communicated from his home-made AirTag to his Mac through Apple's Find My network.

The implications of Bräunlein's research are not purely theoretical. Millions of computers around the world are disconnected from the Internet for security reasons. This is because these computers hold highly sensitive data or perform extremely important processes, such as coordinating the movement of trains or operating power plants.

"Such technology could be employed for small sensors in uncontrolled environments to avoid the cost and power consumption of mobile internet," Bräunlein wrote in a blog post, echoing what Amazon is already doing with its Sidewalk low-energy mesh network. "It might also be interesting to see data leakage from Faraday-shielded sites that iPhone users occasionally visit."

The data leakage from the Internet is also a problem for the iPhone, which has been the subject of a lot of attention in the past.

If some of these computers can be made to communicate over Bluetooth with iPhones that come nearby, data could sneak out of, or into, those machines.

Bräunlein did not mention it, but it has already been shown that AirTag can be used to secretly track people for up to three days before the AirTag chirps and reveals itself. A homemade AirTag might be able to track someone indefinitely without revealing its presence.

Apple's Find My network is a huge mesh network of hundreds of millions of iPhones around the world. Each iPhone listens for Bluetooth connections from other devices on the network, and if a Bluetooth-only device is sending out a broadcast message, a nearby iPhone picks up the message and uses its cellular or Wi-Fi connection to relay the message to Apple's cloud servers.

The system was initially intended to locate lost iPhones, iPads, and MacBooks, but has since been expanded to other devices, including Belkin earbuds and VanMoof electric bicycles.

Earlier this year, a separate group of German researchers (not including Bräunlein) found a way to let Bluetooth devices not approved by Apple join the Find My network.

Essentially, they created their own AirTags before AirTags were announced. (The same researchers also showed that AirDrop, which uses many of the same network protocols as Find My, has privacy flaws, and they created an Android app called AirGuard.)

They created a tool called OpenHaystack that piggybacks on the Find My network. It has two parts. One is firmware that is loaded onto a small single-board computer, such as a Raspberry Pi, which then becomes a homemade AirTag. The other is a Mac desktop application, along with a Mail plugin needed to make the whole thing work.

Bräunlein ported the OpenHaystack firmware to the ESP32, a small single-board computer that serves as the homemade AirTag, and modified the corresponding Mac software. Using these tools, Bräunlein was able not only to track the ESP32 through the Find My network, but also to send messages using Find My's encryption protocols and location reports.

Oddly enough, Apple may not be able to stop such use, or abuse, of the Find My network, because Find My messages are encrypted end to end and Apple cannot see the content of a message or the type of device that is sending it.

"Apple cannot know which public key belongs to your AirTag and therefore which location report is intended for you," Bräunlein wrote in his blog post. "It would be difficult for Apple to protect you from this kind of abuse."

Tom's Guide has reached out to Apple for comment and will update this post as soon as we receive a response.
