Apple’s Find My Network Could be Used to Collect User Location Data
A recent research report reveals a newly found exploitable flaw in the Find My network that could allow attackers to upload arbitrary data to targeted user devices.
According to Fabian Bräunlein, a researcher at Positive Security, a hacker could even use a device that’s not connected to the Internet to upload arbitrary data to nearby Apple devices by broadcasting through the Find My network.
Bräunlein explains that it may not be possible to completely prevent such a misuse due to how integral the Find My Offline Finding System is to Apple devices.
The research is a continuation of an earlier security analysis that was published in March this year, where two flaws were reported in Apple’s crowdsourced-powered Bluetooth location tracking system. According to that analysis, the reported flaws could be used to gain unauthorized access to the location history of the user for the last seven days.
The recent release of the OpenHaystack framework that allows users to use AirTags to track their personal belongings via the Find My network further elevated the importance of the investigation into the potential flaws of the network.
Another thing to be noted here is that, through reverse engineering, it may also be possible to upload arbitrary data to Apple’s servers through broadcasting it to nearby Apple devices using the Find My app. The broadcast would get picked up by any nearby Apple devices and automatically transmitted to Apple’s servers.
A core element of Find My is the use of a public-private key pair that gets changed once every 15 minutes. The public key is delivered via the Bluetooth Low Energy advertisement packet.
Due to this, when an Apple device within Bluetooth range picks up the broadcast, their location is fetched and then encrypted using the public key and then the location (once encrypted) is sent to iCloud. Finally, the user whose device got lost can use another Apple device they own to access the approximate location of their lost device.
The fact that the location is encrypted means that Apple doesn’t know which key belongs to which lost device or which report is intended for a certain user. The entire security is based on encryption and the latter can only be decrypted with the help of the corresponding private key which is only stored on the paired device and cannot be broken via brute force, Bräunlein explains.
The exploit technique, however, relies on encoding a message and obtaining the broadcast payloads via an OpenHaystack-based data-fetcher. This can be used to decrypt the encrypted information that the sender device transmits.
While the data is being transmitted by the microcontroller, it is in an encoded state. Apple devices within Bluetooth range pick up that data and automatically send it to Apple’s backend from where the lost device’s approximate location gets sent to the device’s owner. At a later time, the report can be acquired by any Mac computer in order to decrypt the transmitted data.
For the time being, the real-life application of such an exploit doesn’t seem particularly practical or useful. However, at the same time, it has to be noted that, at the moment, Apple doesn’t have a fully effective way to mitigate this weakness and the reason for this lies in the very nature of the Find My network’s encryption.
According to Bräunlein, there are two possible ways to make exploiting this weakness in the wild less likely. The first one is to implement BLE advertisement authentication and the second one is to add rate limits for report retrievals.