Apple’s ‘Find My’ Network Exploited via Bluetooth

apple

The ‘Send My’ exploit can use Apple’s locator service to collect and send information from nearby devices for later upload to iCloud servers.

Apple’s “Find My device” function for helping people track their iOS and macOS devices can be exploited to transfer data to and from random passing devices without using the internet, a security researcher has demonstrated.

Security researcher Fabian Bräunlein with Positive Security developed a proof of concept, using a microcontroller and a custom MacOS app, that can broadcast data from one device to another via Bluetooth Low Energy (BLE). Once connected to the internet, the receiving device can then forward the data to an attacker-controlled Apple iCloud server.

Bräunlein called the method “Send My,” and posited several use cases for the method — including the benign building of a network for internet-of-things (IoT) sensors, or as way to deplete people’s mobile-data plans over time.

The misuse of Find My in this way seems nearly impossible for Apple to prevent, he said, given that the capability is “inherent to the privacy and security-focused design of the Find My offline finding system,” Bräunlein observed.

How It Works

Bräunlein said he was inspired by the release of Apple AirTags — an item tracker that can be attached to something like a backpack or keychain to allow it to be “found” if within Bluetooth range using the Find My service — to see if arbitrary data also could be sent this way.

The researcher leveraged previous research (PDF) from a team with Technical University of Darmstadt in Germany, who had already reverse-engineered Apple’s Find My network to develop a tool called OpenHaystack. OpenHaystack allows people to create their own accessories that can be found and tracked by the locator service. Along the way, the researchers also found flaws with the system that can expose user identities.

When used over Bluetooth, Apple’s Find My feature basically crowdsources the ability to find someone’s device or item over BLE — devices communicate among themselves using location beacons. The owner of the device can then receive location reports about devices enrolled in Apple’s iCloud-based Find My iPhone or iOS/MacOS Find My app.

The researcher laid out the steps:

  1.  When pairing an AirTag with an Apple Device, an Elliptic Curve key pair is generated and the public key is pushed to the AirTag (and a shared secret to generate rolling public keys)
  2. Every 2 seconds, the AirTag sends a Bluetooth Low Energy broadcast with the public key as content (changes every 15 minute deterministically using the previously shared secret)
  3. Nearby iPhones, Macbooks, etc. recognize the Find My broadcast, retrieve their current location, encrypt the location with the broadcasted public key (using ECIES) and upload the encrypted location report
  4. During device search, the paired Owner Device generates the list of the rolling public keys that the AirTag would have used in the last days and queries an Apple service for their SHA256 hashes. The Apple backend returns the encrypted location reports for the requested key ids
  5. The Owner Device decrypts the location reports and shows an approximate location

To use the service in the way Bräunlein outlined requires a number of engineering steps and custom hardware. To send data, he programmed a low-cost ESP32 microcontroller as a modem, using OpenHaystack-based firmware to broadcast a hardcoded default message and then listen on the serial interface for any new data to broadcast in a loop until a new message is received, he explained. Nearby Apple devices with the Find My service enabled can then pick up these signals and send them to Apple’s servers.

To retrieve data, Bräunlein developed a MacOS app also based on OpenHaystack, which uses an Apple Mail plugin with elevated privileges to send properly authenticated location-retrieval requests to the Apple backend.

“The user is prompted for the 4-byte modem ID (can be set when flashing the ESP firmware), after which the application will automatically fetch, decode and display the message,” Bräunlein explained. “Afterwards the user can fetch other messages or change the modem.”

‘SendMy’ Exploit Use Cases

Bräunlein envisioned several uses for the Send My method. One would be to mesh together IoT devices to share an internet connection more efficiently. This is a scenario that has been shown using Amazon’s Sidewalk network and Echo devices; Send My, then, could be used to create the same, using iOS devices.

“Since the Finding devices cache received broadcasts until they have an internet connection, the sensors can even send out data from areas without mobile coverage as long as people pass the area,” Bräunlein explained.

For people with more sinister intent, the method could be used to exfiltrate data from certain air-gapped systems or high-security Faraday-caged rooms, he said. A Faraday cage is an enclosure made of conductive materials that’s used to block electromagnetic fields and prevent communication signals from penetrating it.

It also is plausible that nefarious-minded actors might use Send My to deplete nearby iPhone’s mobile data plans — although, the data capacity of broadcast messages sent on the system is not very large (in the kilobytes range), so this depletion could take a while.

“With the number of location reports from a Finder device being limited (to 255 reports per submission due to a 1-byte count value) and each report being over 100 bytes, broadcasting many unique public keys should result in an amplified amount of mobile traffic sent by the phone,” Bräunlein said.

Full technical details are available in the researcher’s blog post, published this week.

Download our exclusive FREE Threatpost Insider eBook, 2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!

Suggested articles