We previously heard that the new Apple AirTag had been hacked and now it looks like a security researcher may be able to exploit Apple’s Find My network.
According to Security researcher Fabian Bräunlein, he has been able to use Apple’s Find My network to send messages.
With the recent release of Apple’s AirTags, I was curious whether Find My’s Offline Finding network could be (ab)used to upload arbitrary data to the Internet, from devices that are not connected to WiFi or mobile internet. The data would be broadcasted via Bluetooth Low Energy and picked up by nearby Apple devices, that, once they are connected to the Internet, forward the data to Apple servers where it could later be retrieved from. Such a technique could be employed by small sensors in uncontrolled environments to avoid the cost and power-consumption of mobile internet. It could also be interesting for exfiltrating data from Faraday-shielded sites that are occasionally visited by iPhone users.
Understanding the Exploit
The exploit leverages the Bluetooth Low Energy (BLE) technology, which is a key component of the Find My network. BLE allows devices to communicate with each other over short distances without consuming much power. This is particularly useful for devices like AirTags, which are designed to be low-maintenance and long-lasting. By broadcasting data via BLE, Bräunlein demonstrated that it is possible to send information to nearby Apple devices. These devices, once connected to the internet, relay the data to Apple servers. This method could be used to send messages or even upload data from devices that are not connected to WiFi or mobile networks.
This technique could have various applications. For instance, it could be used in remote sensors deployed in areas without internet connectivity. These sensors could collect data and broadcast it via BLE, which would then be picked up by passing iPhones and forwarded to the internet. This could save costs and reduce the power consumption associated with mobile internet connections. Additionally, this method could be used to exfiltrate data from secure environments, such as Faraday-shielded sites, which are occasionally visited by iPhone users.
Implications and Concerns
The ability to exploit the Find My network in this manner raises several security and privacy concerns. While the primary intention behind the Find My network is to help users locate their lost devices, the potential for misuse cannot be ignored. For example, malicious actors could use this technique to send unauthorized data or messages, potentially leading to data breaches or other security incidents.
Moreover, the exploit highlights the need for robust security measures in IoT (Internet of Things) devices. As more devices become interconnected, ensuring their security becomes increasingly important. Manufacturers need to be aware of potential vulnerabilities and take proactive steps to mitigate them.
Apple has a strong track record of prioritizing user privacy and security. However, this exploit serves as a reminder that even the most secure systems can have vulnerabilities. It will be interesting to see how Apple responds to this discovery and what measures they implement to prevent such exploits in the future.
You can find out more details over at Fabian Bräunlein’s website at the link below. It is not clear as yet on whether this exploit has been addressed by Apple, but it certainly raises important questions about the security of interconnected devices and networks.
Source Positive Security, MacRumors
Latest Geeky Gadgets Deals
Disclosure: Some of our articles include affiliate links. If you buy something through one of these links, Geeky Gadgets may earn an affiliate commission. Learn about our Disclosure Policy.