A German researcher has found a way to exploit the Find My network to transfer data over the connection of another Apple device located nearby.
Fabian Bräunlein, Managing Director and IT security consultant at Positive Security, has come up with an interesting proof of concept that tampers with the logic of the Find My network. The technique makes it possible to transmit arbitrary data packets over the connection of any nearby Mac, iPhone, or other Apple device that has the above-mentioned service turned on.
For the record, the intended use cases of this feature have recently expanded with the release of AirTag, a small accessory that can be attached to valuables such as a purse or keys and easily located with the Find My app if the items are misplaced or stolen. According to the researcher's findings, the data transmission principles of this broad network can be manipulated to piggyback on other people's data connections.
The hack workflow in a nutshell
The Find My service works by having a device constantly broadcast its location details in encrypted form over Bluetooth Low Energy (BLE). Any Apple devices in proximity recognize this signaling, fetch the coordinates, encrypt them, and upload the report to Apple's servers. The compromise in question tweaks this mechanism by simulating such a BLE broadcast and replacing the whereabouts details with arbitrary encoded messages. The rogue data then travels over the Find My network to the sender's home device. In other words, an attacker can parasitize another user's wireless connection to transmit arbitrary information to a device of their choosing.
Limited real-world implications
This exploitation can hardly be called impactful, though. The messages circulating via the Find My network are tiny, so the unauthorized consumption of someone else's traffic amounts to kilobytes per hour. And yet, the fact that Apple's popular location feature can be abused despite end-to-end encryption is disconcerting. As for mitigations, the analyst who unveiled this loophole suggests that Apple should strengthen the authentication of BLE broadcasts to prevent device spoofing.