> The attack does require fairly hefty computing resources – the research team used hundreds of graphics processing units to quickly find matching cryptographic keys. However, they note that this could be achieved relatively inexpensively by renting GPUs, which has become a common practice in the crypto-mining community.

I'll take my chances.

What is more likely, someone pulling this off or someone just hiding an AirTag on their target?

For all the "oh nos" people on here, I'll happily share all my Bluetooth info with you, just send me a message. Would love to see you track me.
 
Seems like there are multiple steps to march through to get this to be exploited.

#1 is getting whatever computer you want to track to run the malicious Trojan code the researchers developed. This computer would obviously need a Bluetooth stack.
#2 would be getting that computer in range of an Apple device with software versions prior to the updates released in December 2024 when this was patched.

Their overview site explains a bit more: https://nroottag.github.io/
 
> If Apple was notified in 2024 but still hasn’t fixed it, I’m afraid it may be hardware vulnerability that may not be fixable. Most likely the iPhone 16 lineup and late 2024 Mac may have gotten a fix with change in hardware but others are basically screwed.
They’re brute forcing keys, hence the need for a ton of GPU compute. That has nothing to do with hardware.
 
From https://nroottag.github.io

> The Trojan code runs on the computer to be tracked.

So IIUC it requires a malicious app to be installed on the victim device first.

Combined with the compute power required for the cryptography bypass this limits the exploitation a bit and maybe why Apple has not provided a solution for it yet.
 


George Mason University researchers claim to have uncovered a serious vulnerability in Apple's Find My network that allows hackers to track virtually any Bluetooth-enabled device without the owner's knowledge.


Called "nRootTag," the exploit tricks the Find My network into treating ordinary Bluetooth devices as if they were AirTags, allowing hackers to turn laptops, smartphones, game controllers, VR headsets, and even e-bikes into unwitting tracking beacons.

Find My works by having AirTags and other Find My-compatible items send Bluetooth signals to nearby Apple devices, which then anonymously relay location data to Apple's servers. The researchers discovered they could manipulate cryptographic keys to make the network believe any Bluetooth device was a legitimate AirTag.

The research team found that the attack has a 90% success rate and can pinpoint a device's location within minutes. "While it is scary if your smart lock is hacked, it becomes far more horrifying if the attacker also knows its location," said one of the researchers.

What makes the exploit even more concerning is that it doesn't require physical access or administrator privileges on the target device – it can actually be executed remotely. In their experiments, the team successfully tracked a stationary computer with 10-foot accuracy and even reconstructed the exact flight path of a gaming console brought onboard an airplane.

The attack does require fairly hefty computing resources – the research team used hundreds of graphics processing units to quickly find matching cryptographic keys. However, they note that this could be achieved relatively inexpensively by renting GPUs, which has become a common practice in the crypto-mining community.

The team said they notified Apple about the vulnerability in July 2024, and Apple has since acknowledged the issue in security updates, but the company hasn't yet revealed how it's going to resolve the issue.

Even after Apple implements a fix, the researchers warn the vulnerability could persist for years as many users delay updating their devices. "The vulnerable Find My network will continue to exist until those devices slowly 'die out,' and this process will take years," said one researcher.

The research will be formally presented at the USENIX Security Symposium in August. Meantime, the team recommends users be cautious about apps requesting Bluetooth permissions, keep their devices updated, and consider privacy-focused operating systems for better protection.

Article Link: Find My Network Exploit Turns Any Bluetooth Device Into a Tracker
Congratulations, 🍎
 
> Website: https://nroottag.github.io/
>
> How it works (from the link above):
>   1. Through pairing, an AirTag shares the public / private key information with the owner’s device.
>   2. When the AirTag is separated from the paired device, it advertises its public key via BLE advertisements, known as lost messages.
>   3. Nearby Apple devices, referred to as finders, generate encrypted location reports and send them, along with the hashed public key, to the Apple Cloud.
>   4. The Apple Cloud allows anyone to use a hashed public key to retrieve the associated location reports, which can only be decrypted using the correct private key. To ensure anonymity, finders do not authenticate whether a lost message is sent from an Apple device.
> IIUC, any program that can send BLE advertisements can make the device it’s running on trackable via Apple’s Find My network.
Right, and how does that happen on my desktop computer again?

Right, a hack or phish.

But it’s pretty easy to locate a desktop computer via IP address combined with other information on the computer, so how is this a new magical threat? If your machine is pwned, it’s pwned.

The doorbell thing is different. But again, how is the doorbell being hacked? It’s not like it’s just there for the picking directly. There needs to be some kind of actual access.
 
> This is massive. This should be on the news to make ppl aware… I mean iPhone is the biggest cellphone in the US, no?
How many bad actors are after you with clusters of GPUs?

It’s theoretically a big problem, but in practice you have to be important enough that a nation state or a *very* well funded hacking (for hire) group is interested in you personally.
 
Oh no, now the hackers will know that my smart lock never moves from my door!

Obviously Apple should fix this, but man, every time there's a "bad exploit!!!11!" it's always like "they used ten thousand dollars of equipment to break things".
 
Somehow I’m not surprised. It actually sounds like old news; a while back someone else was talking about the same behaviour with Alexa devices. And maybe we all should ask ourselves why Wi-Fi and Bluetooth are actually never really turned off but just disconnected until the next day.
 
> I'll take my chances.
>
> What is more likely, someone pulling this off or someone just hiding an AirTag on their target?
>
> For all the "oh nos" people on here, I'll happily share all my Bluetooth info with you, just send me a message. Would love to see you track me.
Exactly right.
 
> "find matching cryptographic keys"

Can someone explain the above statement? I was under the impression that AES-256 encryption is unbreakable
 
The headlines are pure clickbait.

If you didn't drill down into a description of the actual exploit, you'd think that someone could remotely turn any of your Bluetooth devices into a tracker without your knowing. OMG, my smart toothbrush is now a tracker.

And then after reading the details, you find that someone needs to install software onto that target device in order to get it to start advertising "lost device" packets.

So what? The "Find My" protocol is open and anybody can make a device advertise itself to the network. So why should it be surprising that some malware could start advertising a device without the owner's knowledge? Bluetooth advertisements aren't exactly secret technology. And malware has been phoning home with tracking information through all kinds of different mechanisms for a long long time.

So what's the actual story here? And how is this anything that Apple could (or should) do anything about? I don't think it is possible to track someone else's tag, which would be a serious breach in the Find My network.
 
Solution: Buy new Apple Devices and throw away the old ones!
:D:D:D

> If Apple was notified in 2024 but still hasn’t fixed it, I’m afraid it may be hardware vulnerability that may not be fixable. Most likely the iPhone 16 lineup and late 2024 Mac may have gotten a fix with change in hardware but others are basically screwed.
Hold your horses… we all know Apple isn’t working at lightspeed. Look at Siri, it’s fifteen years old and still understands you like a newborn.

Apple will definitely solve this issue in 2026 or 2027 😜
 
> The headlines are pure clickbait.
>
> If you didn't drill down into a description of the actual exploit, you'd think that someone could remotely turn any of your Bluetooth devices into a tracker without your knowing. OMG, my smart toothbrush is now a tracker.
>
> And then after reading the details, you find that someone needs to install software onto that target device in order to get it to start advertising "lost device" packets.
>
> So what? The "Find My" protocol is open and anybody can make a device advertise itself to the network. So why should it be surprising that some malware could start advertising a device without the owner's knowledge? Bluetooth advertisements aren't exactly secret technology. And malware has been phoning home with tracking information through all kinds of different mechanisms for a long long time.
>
> So what's the actual story here? And how is this anything that Apple could (or should) do anything about? I don't think it is possible to track someone else's tag, which would be a serious breach in the Find My network.
Looks like this is the case.

You have to install or be tricked into installing their software on your computer with the ability to communicate with Bluetooth devices undetected.

A hack if the user is dumb enough to install their hack, but it’s unable to do this without the user.
 
> Website: https://nroottag.github.io/
>
> How it works (from the link above):
>   1. Through pairing, an AirTag shares the public / private key information with the owner’s device.
>   2. When the AirTag is separated from the paired device, it advertises its public key via BLE advertisements, known as lost messages.
>   3. Nearby Apple devices, referred to as finders, generate encrypted location reports and send them, along with the hashed public key, to the Apple Cloud.
>   4. The Apple Cloud allows anyone to use a hashed public key to retrieve the associated location reports, which can only be decrypted using the correct private key. To ensure anonymity, finders do not authenticate whether a lost message is sent from an Apple device.
> IIUC, any program that can send BLE advertisements can make the device it’s running on trackable via Apple’s Find My network.
Wouldn't that require physical access to the device if it's an IoT device, or some other form of access if it's a phone or laptop? And if you're able to maliciously gain access to a device remotely, isn't that already game over? I feel like I'm missing something.
 
Interesting vulnerability. How easy or hard to deploy? What is the actual threat level? And I presume one can’t be tracked if Bluetooth is off.
Edit: MitM attack and Trojan. It's complicated. I started reading the method. Clever
 