You can use Apple’s Find My network to steal data from devices that are not connected to the web, a German researcher says.
Positive Security’s Fabian Bräunlein found he could take data out of a tool that had only a Bluetooth connection — essentially a homemade AirTag — and use iPhones and Macs to urge the info all the high into Apple’s iCloud servers. From there, Braunlein could access the info from his own Mac.
The whole process works very slowly. Bräunlein was getting a transmission rate of about 3 bytes per second, and every chunk of knowledge may be a maximum of 16 bytes. But over time, you’ll get a good amount of text transmitted. So he’s calling his system “Send My.”
The data theft works because each Bluetooth device on the Find My network sends out a public encryption key to all or any nearby receiving Apple devices. Those devices mark their locations, bundle it with the Bluetooth device’s public encryption key, and send the resulting “location report” up to Apple’s cloud.
Bräunlein found how to embed messages within the encryption keys within the location reports and communicate very short secret messages from his homemade AirTag through Apple’s Find My network to his Mac.
Spying, tracking, and messaging.
The implications of Bräunlein’s research aren’t purely theoretical. For example, many computers worldwide are disconnected from the web for safety reasons because the computers hold sensitive data or run critically important processes, like coordinating the movements of trains or running power plants.
“Such a way might be employed by small sensors in uncontrolled environments to avoid the value and power-consumption of mobile internet,” Bräunlein wrote during a blog post, echoing what Amazon is already doing with its Sidewalk low-energy mesh network. “It could even be interesting for exfiltrating data from Faraday-shielded sites that are occasionally visited by iPhone users.”
If a number of those computers might be made to speak via Bluetooth with iPhones that come near, data could be snuck out of or snuck into those machines.
Bräunlein didn’t mention it, but it’s already clear that AirTags are often wont to secretly track people for up to 3 days before the AirTags will emit a chirp to reveal themselves. So a homemade AirTag could be ready to track someone indefinitely without revealing its existence.
How a homemade AirTag got onto Find My network
Apple’s Find My network may be a giant mesh network made from many many iPhones worldwide. Each iPhone listens for Bluetooth connections from other devices on the network. If a Bluetooth-only device is sending out a broadcast message, nearby iPhones will devour the message and use their cellular or Wi-Fi connections to relay the message to Apple’s cloud servers.
This system was originally meant to locate lost iPhones, iPads, and MacBooks, but it’s since been expanded to incorporate other devices like Belkin earbuds and VanMoof electric bikes.
Earlier this year, many German researchers (not including Bräunlein) found out the way to get other Bluetooth devices — ones not approved by Apple — onto the Find My network. But, unfortunately, they created their AirTags before AirTags were announced. (The same researchers also demonstrated privacy flaws in AirDrop, which uses many equivalent network protocols as Find My.)
They created a tool called OpenHaystack that piggybacks on the Find My network. One part is firmware loaded onto a small single-board computer like a Raspberry Pi or something similar, which becomes the homemade AirTag. the opposite party may be a Mac desktop application and a Mail plugin necessary for the entire thing to figure.
Bräunlein modified the OpenHaystack board firmware onto an ESP2 tiny single-board computer — his homemade AirTag — and the corresponding software onto his Mac. Using those tools, Bräunlein was ready to track the ESP2 using the Find My network and use the Find My encryption protocol and site reports to transmit messages.
Can Apple stop this?
Oddly enough, Apple might not be ready to stop this type of use, or abuse, of its Find My network. That’s because Find My messages are encrypted end-to-end, and Apple can neither see what’s in those messages or what quiet devices are sending them.
“Apple doesn’t know which public keys belong to your AirTag, and thus which location reports were intended for you,” Bräunlein wrote in his blog post. “It would be hard for Apple to defend against this type of misuse just in case they wanted to.”