
A loophole in Apple’s Find My network allows remote attackers to turn any Bluetooth device into an AirTag-like tracker and stalk users’ location globally, researchers from George Mason University have disclosed.
Over 1.5 billion iPhones worldwide act as free tracking agents and can locate any device, whether it’s a desktop computer, smartphone, smartwatch, or even an IoT device.
Attackers don’t need special (root) permissions or hacking expertise to achieve a 90% success rate within minutes and at a cost of only a few dollars.
“We present nRootTag, a novel attack method that transforms computers into trackable “AirTags” without requiring root privileges,” Junming Chen, Xiaoyue Ma, Lannan Luo, and Qiang Zeng, researchers at George Mason University, write in a paper.
“It can locate a computer in minutes, posing a substantial risk to user privacy and safety. The attack is effective on Linux, Windows, and Android systems, and can be employed to track desktops, laptops, smartphones, and IoT devices.”
Apple’s Find My network is a massive network that relies on encrypted location reports sent by Apple devices. It helps locate lost devices and AirTag trackers. Researchers targeted it with their own crafted “lost messages.”
Here’s how they did it.
First, the attacker needs the victim to run a malicious app or piece of software that asks for basic Bluetooth permissions, which are common for apps such as fitness trackers or headphones.
“Applications that rely on Bluetooth can easily legitimize their use of Bluetooth while concealing malicious objectives,” the researchers explain.
The vulnerability in Apple’s Find My network allows any type of Bluetooth device, not just Apple devices, to send “lost message” advertisements and be tracked by the network.
While each AirTag has an encrypted and unique ID, researchers discovered a loophole, enabling attackers to create public/private key pairs matching the Bluetooth address. For a few bucks, a giant list (rainbow table) of matching pairs can be made using a cluster of modern GPUs.
“We can precompute rainbow tables that store the keys for various public addresses. As a result, given a public address, the matching public/private key pair can be retrieved instantly,” the paper reads.
“Given a public key, the server uses its hash value to query the Apple Cloud for location reports, then decrypts the reports using the private key.”
When an infected device holding the right key starts sending “lost message” advertisements to the Find My network, any nearby Apple devices that receive the messages report the device’s location back to Apple’s servers.
These reports can then be accessed and decrypted.
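The chain described above starts with the compromised host broadcasting a Find My “lost message” advertisement over Bluetooth. A defender can therefore watch what a host’s adapter (or a nearby scanner) is emitting and flag such frames. The code below is an added example written for this article, not code from the nRootTag paper or from Apple; the frame layout it checks for (manufacturer-specific AD structure, Apple company ID 0x004C, payload type 0x12, 25-byte body) is assumed from the publicly documented Find My advertisement format, and the sample payloads are constructed.

```python
"""Detect Apple Find My "lost message" (offline-finding) BLE advertisements.

Added example for this article; not code from the nRootTag paper or Apple.
Frame layout assumed from the publicly documented Find My advertisement
format. Sample payloads below are constructed, not captured traffic.
"""

APPLE_COMPANY_ID = 0x004C   # little-endian on the wire: 4C 00
FINDMY_TYPE = 0x12          # Apple "offline finding" payload type
FINDMY_BODY_LEN = 0x19      # 25 bytes: status, 22 key bytes, key bits, hint
AD_MANUFACTURER = 0xFF      # AD type: manufacturer-specific data


def parse_ad_structures(payload: bytes):
    """Split a raw advertising payload into (ad_type, data) pairs."""
    structures = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:            # zero-length padding ends the payload
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure at offset %d" % i)
        ad_type = payload[i + 1]
        data = bytes(payload[i + 2:i + 1 + length])
        structures.append((ad_type, data))
        i += 1 + length
    return structures


def find_my_frame(payload: bytes):
    """Return the decoded Find My body if the payload carries one, else None."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type != AD_MANUFACTURER or len(data) < 4:
            continue
        if int.from_bytes(data[:2], "little") != APPLE_COMPANY_ID:
            continue
        if data[2] != FINDMY_TYPE or data[3] != FINDMY_BODY_LEN:
            continue
        body = data[4:4 + FINDMY_BODY_LEN]
        if len(body) != FINDMY_BODY_LEN:
            continue               # declared length not honoured: ignore frame
        return {
            "status": body[0],
            "key_fragment": body[1:23].hex(),   # bytes 6..27 of the public key
        }
    return None


def scan(payloads):
    """Return the key fragment of every Find My frame found in payloads."""
    hits = []
    for p in payloads:
        frame = find_my_frame(p)
        if frame is not None:
            hits.append(frame["key_fragment"])
    return hits


# Constructed samples (not captured traffic).
KEY_FRAG = bytes(range(0x10, 0x10 + 22))
SAMPLE_FINDMY = (bytes([0x1E, AD_MANUFACTURER, 0x4C, 0x00, FINDMY_TYPE,
                        FINDMY_BODY_LEN, 0x10]) + KEY_FRAG + bytes([0x00, 0x00]))
SAMPLE_OTHER = bytes([0x02, 0x01, 0x06, 0x07, 0x09]) + b"FitBnd"

if __name__ == "__main__":
    for name, p in (("findmy", SAMPLE_FINDMY), ("other", SAMPLE_OTHER)):
        print(name, find_my_frame(p))
```

Because genuine AirTags and Apple devices emit the same frame, a hit is a signal to investigate (for example, a Linux or Android host that should not be advertising anything Apple-formatted), not proof of compromise on its own. Feed the function raw advertising payloads from whatever capture source you use; the parser rejects truncated structures rather than guessing at them.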
For researchers, practical measurements of location yielded an average wait time of 5-10 minutes. Attacks succeeded on nine tested Android devices, two Windows devices, and all 12 tested Linux distributions.
For the price of a coffee, attackers can rent cloud servers to brute-force keys, but storing them is another question. Some attacks could be performed with approximately 20TB of storage. However, a universal master rainbow table would require 1.75 petabytes (PB), or 1,750 terabytes of storage.
The researchers responsibly disclosed the vulnerability. The Apple Security Team acknowledged the issue and released patches to fix it in iOS 18.2, visionOS 2.2, iPadOS 17.7.3, 18.2, watchOS 11.2, tvOS 18.2, macOS Ventura 13.7.2, Sonoma 14.7.2, and Sequoia 15.2.
“However, the attack remains effective as long as unpatched iPhones or Apple Watches are in the proximity of the computer running our trojan,” the researchers warn.