Find My Network Exploit Turns Any Bluetooth Device Into a Tracker

[MacRumors]

George Mason University researchers claim to have uncovered a serious vulnerability in Apple's Find My network that allows hackers to track virtually any Bluetooth-enabled device without the owner's knowledge.

Called "nRootTag," the exploit tricks the Find My network into treating ordinary Bluetooth devices as if they were AirTags, allowing hackers to turn laptops, smartphones, game controllers, VR headsets, and even e-bikes into unwitting tracking beacons.

Find My works by having AirTags and other Find My-compatible items send Bluetooth signals to nearby Apple devices, which then anonymously relay location data to Apple's servers. The researchers discovered they could manipulate cryptographic keys to make the network believe any Bluetooth device was a legitimate AirTag.

The research team found that the attack has a 90% success rate and can pinpoint a device's location within minutes. "While it is scary if your smart lock is hacked, it becomes far more horrifying if the attacker also knows its location," said one of the researchers.

What makes the exploit even more concerning is that it doesn't require physical access or administrator privileges on the target device – it can actually be executed remotely. In their experiments, the team successfully tracked a stationary computer with 10-foot accuracy and even reconstructed the exact flight path of a gaming console brought onboard an airplane.

The attack does require fairly hefty computing resources – the research team used hundreds of graphics processing units to quickly find matching cryptographic keys. However, they note that this could be achieved relatively inexpensively by renting GPUs, which has become a common practice in the crypto-mining community.

The team said they notified Apple about the vulnerability in July 2024, and Apple says that it protected against the vulnerability in December software updates.

Even after Apple implements a fix, the researchers warn the vulnerability could persist for years as many users delay updating their devices. "The vulnerable Find My network will continue to exist until those devices slowly 'die out,' and this process will take years," said one researcher.

The research will be formally presented at the USENIX Security Symposium in August. The team recommends users be cautious about apps requesting Bluetooth permissions, keep their devices updated, and consider privacy-focused operating systems for better protection.

Update: This article has been updated to clarify that Apple bolstered the Find My network in December 2024 to protect against this type of attack.

Article Link: Find My Network Exploit Turns Any Bluetooth Device Into a Tracker

 

[I7guy]

Interesting vulnerability. How easy or hard to deploy? What is the actual threat level? And I presume one can’t be tracked if Bluetooth is off.

 

[JuicyGoomba]

But but but Timmy told me that the real threat was letting people install those pesky 3rd party app stores!

angrybabyfistshake.gif

 

[klasma]

Website: https://nroottag.github.io/

How it works (from the link above):

1. Through pairing, an AirTag shares the public / private key information with the owner’s device.
2. When the AirTag is separated from the paired device, it advertises its public key via BLE advertisements, known as lost messages.
3. Nearby Apple devices, referred to as finders, generate encrypted location reports and send them, along with the hashed public key, to the Apple Cloud.
4. The Apple Cloud allows anyone to use a hashed public key to retrieve the associated location reports, which can only be decrypted using the correct private key. To ensure anonymity, finders do not authenticate whether a lost message is sent from an Apple device.

IIUC, any program that can send BLE advertisements can make the device it’s running on trackable via Apple’s Find My network.

 

[NMBob]

Finally! Something that just works!

 

[I7guy]

But but but Timmy told me that the real threat was letting people install those pesky 3rd party app stores!

angrybabyfistshake.gif

Timmy told you directly? WOW!

 

[grantishere]

Let's make sure stalkers don't learn how to hack

 

[theolderoldcoot]

Doesn't Local Network act like Bluetooth on a Mac as well as on a iPhone and iPad or is Local Network just used on WiFi?

 

[ATmahe]

Solution: Buy new Apple Devices and throw away the old ones!

 

[alchemistmuffin]

The team said they notified Apple about the vulnerability in July 2024, and Apple has since acknowledged the issue in security updates, but the company hasn't yet revealed how it's going to resolve the issue.

Even after Apple implements a fix, the researchers warn the vulnerability could persist for years as many users delay updating their devices. "The vulnerable Find My network will continue to exist until those devices slowly 'die out,' and this process will take years," said one researcher.

If Apple was notified in 2024 but still hasn’t fixed it, I’m afraid it may be hardware vulnerability that may not be fixable. Most likely the iPhone 16 lineup and late 2024 Mac may have gotten a fix with change in hardware but others are basically screwed.

 

[HazeAndHahmahneez]

This is massive. This should be on the news to aware ppl…I mean iPhone is the biggest cellphone in the US, no?

 

[jimbobb24]

This is pretty cool and innovative. I know people are stressing about the potential bad cases but most the uses are awesome. I sure it will have to be patched for safety but turning any bluetooth device into an AirTag is very cool.

 

[ikramerica]

The author does a poor job if explaining how the hack works.

How did they locate the desktop computer remotely without hacking it and:

A. and finding out it exists
B. Knowing it’s Bluetooth information
C. Broadcasting the BT to Find My as an Airtag

Also, if the Find My network sees it as an Airtag, aren’t nearby iPhone users going to get an alert that an AirTag has been near them that doesn’t belong to you?

 

[t0rqx]

This is already being exploited for 25 years just by walking around the mall.

 

[WarmWinterHat]

This is already being exploited for 25 years just by walking around the mall.

If you're talking about BT and wi-fi tracking, that has mostly been eliminated by rotating mac addresses.

 

[I7guy]

This is massive. This should be on the news to aware ppl…I mean iPhone is the biggest cellphone in the US, no?

I turn off WiFi when I leave the house. Will now start turning off Bluetooth.

 

[turbineseaplane]

I turn off WiFi when I leave the house. Will now start turning off Bluetooth.

What about your Apple Watch to iPhone connection?

 

[0049190]

I’m ok. Whenever I login to my Apple account it sends me a verification message saying I am 200 miles away from where I actually am.

 

[I7guy]

What about your Apple Watch to iPhone connection?

I guess say bye bye Apple Watch to being paired with an iPhone.

 

[WarmWinterHat]

I’m ok. Whenever I login to my Apple account it sends me a verification message saying I am 200 miles away from where I actually am.

Mine does too.

 

[nt5672]

I’m ok. Whenever I login to my Apple account it sends me a verification message saying I am 200 miles away from where I actually am.

That is a feature, it is to protect the children. Apple always knows best, but maybe they didn't tell you. 🤣

 

[rpe33]

This is massive. This should be on the news to aware ppl…I mean iPhone is the biggest cellphone in the US, no?

Is it though?

 

[klasma]

The author does a poor job if explaining how the hack works.

How did they locate the desktop computer remotely without hacking it and:

A. and finding out it exists
B. Knowing it’s Bluetooth information
C. Broadcasting the BT to Find My as an Airtag

Also, if the Find My network sees it as an Airtag, aren’t nearby iPhone users going to get an alert that an AirTag has been near them that doesn’t belong to you?

It can be a malicious application on your laptop, and now the attacker knows how to locate your laptop to steal it. Or if a malware manages to infect some IoT device like a “smart” door lock, now the attacker also knows the physical location of the compromised door.

Getting an alert doesn’t necessarily help, since you’d be searching for an AirTag, especially if you don’t know about this attack vector.

 

[klasma]

If Apple was notified in 2024 but still hasn’t fixed it, I’m afraid it may be hardware vulnerability that may not be fixable.

From the website: “Apple recently released patches in iOS 18.2, visionOS 2.2, iPadOS 17.7.3, 18.2, watchOS 11.2, tvOS 18.2, macOS Ventura 13.7.2, Sonoma 14.7.2, Sequoia 15.2 to fix the vulnerability. However, the attack remains effective as long as unpatched iPhones or Apple Watches are in the proximity of the computer running our trojan.”

 

[mannyvel]

With rotating Bluetooth MAC addresses this goes away. Of course, it's unclear who actually does that.

It's probably a bigger deal as a potential DoS vector for the Find My network.

Edit: according to documentation, Find My requires a BLE advertisement with a public key. Does this exploit bypass that requirement? There are no actual details about the exploit, so it's hard to say.

Edit 2: requires the device to broadcast the BLE advertisement, which means the device has already been pwnd.

nRootTag - Tracking You from a Thousand Miles Away!

SOCIAL MEDIA DESCRIPTION TAG TAG

nroottag.github.io