Owners of Apple’s macOS and iOS devices should take note: the Find My feature has been found vulnerable to misuse. The weakness could be exploited to transfer data through random passing Apple devices, even from a device that has no internet connection of its own.
Apple’s Find My Device Vulnerable
In other words, “it’s possible to upload arbitrary data from non-internet-connected devices by sending Find My BLE broadcasts to nearby Apple devices that then upload the data for you,” said Fabian Bräunlein from Positive Security. The researcher developed a proof-of-concept built from a microcontroller and a custom macOS application, with the data travelling from device to device over Bluetooth Low Energy (BLE). Once the receiving device has an internet connection, it forwards the data to Apple’s iCloud servers, from which the attacker can collect it.
The researcher named the attack “Send My” and shared a number of use cases, such as building a network for IoT sensors and draining users’ mobile data plans. Unfortunately, “Being inherent to the privacy and security-focused design of the Find My Offline Finding system, it seems unlikely that this misuse can be prevented completely,” he added.
The Send My Method Explained
Bräunlein built on earlier work by researchers at the Technical University of Darmstadt, who reverse-engineered the Find My feature to create the OpenHaystack tool. The tool lets users build their own accessories that the locator service can locate and track. During that work, the research team also found flaws in the system that can expose users’ identities.
How does Apple’s Find My feature work? In short, it lets a user locate a device or item over BLE: participating devices exchange location beacons, and the owner then receives location reports about the devices through Apple’s iCloud-based Find My iPhone service or the Find My application on iOS/macOS.
Here’s how the system works:
1. When pairing an AirTag with an Apple device, an elliptic-curve key pair is generated and the public key is pushed to the AirTag, together with a shared secret used to generate rolling public keys;
2. Every 2 seconds, the AirTag sends a Bluetooth Low Energy broadcast whose content is the public key (which changes deterministically every 15 minutes using the previously shared secret);
3. Nearby iPhones, MacBooks, etc. recognize the Find My broadcast, retrieve their current location, encrypt it with the broadcast public key (using ECIES) and upload the encrypted location report;
4. During a device search, the paired owner device generates the list of rolling public keys that the AirTag would have used in the last few days and queries an Apple service for their SHA-256 hashes. The Apple backend returns the encrypted location reports for the requested key IDs;
5. The owner device decrypts the location reports and shows an approximate location.
It should be noted that misusing the service in the way described above requires several engineering steps and custom hardware. Further technical details and use cases for the outlined vulnerability are available in the original report.
Last year, Samsung’s Find My Mobile service was also found to contain several security vulnerabilities. According to researcher Pedro Umbelino, these weak spots could be abused by attackers to carry out malicious actions. The four security weaknesses were part of the Find My Mobile components and could easily be exploited by a rogue application. The only permission needed was access to the SD card, required to trigger the first bug, which started the execution chain.