Two vulnerabilities in a crowdsourced location-tracking system that helps users find Apple devices even when they’re offline could expose the identity of users, research claim.
Offline Finding, a proprietary app introduced by Apple in 2019 for its iOS, macOS and watchOS platforms, enables the location of Apple devices even if they aren’t connected to the internet. While this capability in and of itself is not unique to the company, Apple promised that the technology could conduct its task in a way that preserves user privacy.
While for the most part the technology lives up to its privacy goals, it does have flaws that “can lead to a location correlation attack and unauthorized access to the location history of the past seven days, which could de anonymize users,” a research team from the Technical University of Darmstadt, Germany, wrote in a paper published online (PDF).
Researchers Alexander Heinrich, Milan Stute, Tim Kornhuber and Matthias Hollick set out to discover if Apple’s claims that OF ensures finder anonymity, does not track owner devices, and keeps location reports confidential actually hold up under scrutiny. They have notified Apple of their findings, and the company has responded with a fix for the more serious flaw.
Of depends on a network of hundreds of millions of devices, which makes it the largest crowd-sourced location tracking system in existence. Moreover, it’s poised to grow even larger when OF rolls out future support for non-Apple devices, researchers observed.
The system works by using its network of so-called “finder” devices to locate “lost,” unconnected devices using Bluetooth Low Energy (BLE). The finder devices that are connected to the internet can then relay location info back to the owner of the lost device.
Peering Under the Hood
To conduct their research, the Darmstadt team reverse-engineered the technology to recover the specifications of the closed-source OF protocols that are involved in the losing, searching and finding of devices, uncovering a system of encryption and decryption for how the technology works, researchers explained.
“In short, devices of one owner agree on a set of so-called rolling public–private keypairs,” they wrote. “Devices without an Internet connection, i.e., without cellular or WiFi connectivity, emit BLE advertisements that encode one of the rolling public keys. Finder devices overhearing the advertisements encrypt their current location under the rolling public key and send the location report to a central Apple-run server.”
When searching for a lost device, another owner device queries the central server for location reports with a set of known rolling public keys of the lost device, researchers explained. The owner can decrypt the reports using the corresponding private key and retrieve the location.
While “the overall design achieves Apple’s specific goals,” for privacy, researchers did discover two vulnerabilities “that seem to be outside of Apple’s threat model but can have severe consequences for the users,” they said.
Loss of Anonymity
One flaw in the design of OF allows Apple to correlate different owners’ locations if their locations are reported by the same finder, “effectively allowing Apple to construct a social graph,” that can violate user privacy, researchers noted.
Specifically, when uploading and downloading location reports, finder and owner devices reveal their identity to Apple, so the company can discover which users have been in close proximity to each other. Moreover, the company can store the data for potential exploitability. For this flaw to be exploited, however, an owner would have to request the location of their devices via the Find My application, researchers noted.
A second vulnerability poses a more serious problem, researchers found. It could allow someone to build “malicious macOS applications to retrieve and decrypt the OF location reports of the last seven days for all its users and for all of their devices,” they wrote.
The problem with OF that causes this issue is that the location privacy of lost devices is based on the assumption that the private part of the advertisement keys—which change every 15 minutes–is only known to the owner devices. The technology supports retrieving location reports from the last seven days—which means there is a total of 672 advertisement keys per device, for which there exist potential location reports on Apple’s servers, researchers wrote.
In principle, all of these keys could be generated from the master beacon key whenever needed. However, Apple decided to cache the advertisement keys, most likely for performance reasons. Researchers found that macOS stores these cached keys on a directory disk that is readable by the local user or any app that runs with user privileges.
The flaw, then can enable someone to circumvent Apple’s restricted location API and access the geolocation of all owner devices without user consent, abusing historical location reports to generate a unique mobility profile and identify the user “with high accuracy,” researchers said.
The team shared their findings with Apple and in response the company issued a patch in September 2020, tracking the second vulnerability as CVE-2020-9986 and calling it “a file access issue … with certain home folder files.” Nothing that the flaw could allow “a malicious application … to read sensitive location information,” Apple addressed it with “improved access restrictions” in macOS Catalina 10.15.7.
Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community:
- March 24: Economics of 0-Day Disclosures: The Good, Bad and Ugly (Learn more and register!)
- April 21: Underground Markets: A Tour of the Dark Economy (Learn more and register!)