The most important thing you should know
- According to reports, a security researcher has found that Apple's Find My network can be misused as a data channel.
- According to Fabian Bräunlein, the weakness lets a device with no Internet connection of its own upload arbitrary data to Apple's servers through nearby Apple devices.
- The weakness was found by emulating Apple's new AirTag tracking device on an ESP32 board rather than by using a real AirTag.
Researcher Fabian Bräunlein has unearthed an AirTag-related security weakness in the Find My network. In his recent blog post he stated:
“With the recent release of Apple’s AirTags, I was curious whether Find My’s Offline Finding network could be (ab)used to upload arbitrary data to the Internet, from devices that are not connected to WiFi or mobile internet. The data would be broadcasted via Bluetooth Low Energy and picked up by nearby Apple devices, that, once they are connected to the Internet, forward the data to Apple servers where it could later be retrieved from. Such a technique could be employed by small sensors in uncontrolled environments to avoid the cost and power-consumption of mobile internet. It could also be interesting for exfiltrating data from Faraday-shielded sites that are occasionally visited by iPhone users.”
The researcher transmitted short text messages by emulating how an AirTag talks to the crowdsourced network. A real AirTag does not know its own position: it only broadcasts a rotating public key over Bluetooth Low Energy, and any nearby iPhone encrypts its own location with that key and uploads the result to Apple, where the owner later retrieves it by looking up the key. The emulator reuses exactly this flow, so the data it carries rides on which keys get reported rather than on the encrypted location itself.
He further said this should theoretically be possible: if two AirTags are emulated, data can be encoded by activating only one of the two at a given time. Because of its extremely low bandwidth, such a scheme looks highly unreliable and probably unusable in practice. As it turns out, however, the security and privacy decisions made when Offline Finding was designed make this use case quite efficient and nearly impossible to defend against.
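The following is an added example, not code from the article or from Bräunlein's published firmware, that simulates the encoding idea described above and generalises it from "one of two AirTags" to one pair of keys per bit. The key derivation (`bit_key`), the modem and message identifiers, the `crowd_relay` stand-in for nearby iPhones and the `drop` set that models keys no finder ever heard are all illustrative assumptions; the real advertisement format and Apple's report API are not reproduced. What the simulation does show is why the channel works without any timing: the owner looks reports up by a hash of the public key, so the receiver simply computes both candidate keys for every bit and asks which one has a report.

```python
"""Simulation of the Find My "upload arbitrary data" channel (illustrative model only).

The real Send My firmware and Apple's servers are not modelled; only the
idea that a report exists for whichever key was advertised is kept.
"""
from __future__ import annotations

import hashlib

KEY_LEN = 28  # Find My advertises a 28-byte public key; a hash stands in for it here


def bit_key(modem_id: bytes, message_id: int, bit_index: int, bit_value: int) -> bytes:
    """Derive the (fake) public key that stands for one value of one bit.

    Hypothetical derivation: the fields are hashed together so that the pair
    of keys for a bit is reproducible by sender and receiver alike.
    """
    material = (
        modem_id
        + message_id.to_bytes(4, "big")
        + bit_index.to_bytes(2, "big")
        + bytes([bit_value])
    )
    return hashlib.sha256(material).digest()[:KEY_LEN]


def report_id(pubkey: bytes) -> bytes:
    """Finders and the owner both address a report by a hash of the public key."""
    return hashlib.sha256(pubkey).digest()


def send(modem_id: bytes, message_id: int, payload: bytes) -> list[bytes]:
    """Sender side: for every bit, 'activate' only the key matching that bit's value."""
    adverts = []
    for byte_index, byte in enumerate(payload):
        for bit in range(8):
            bit_index = byte_index * 8 + bit
            bit_value = (byte >> (7 - bit)) & 1
            adverts.append(bit_key(modem_id, message_id, bit_index, bit_value))
    return adverts


def crowd_relay(adverts: list[bytes], drop=frozenset()) -> dict[bytes, bytes]:
    """Stand-in for nearby iPhones: every advert heard becomes one report.

    The report body is an encrypted location the finder produced for that key;
    its content is irrelevant to the channel, only its existence matters.
    Indices listed in `drop` model adverts that no finder was around to hear.
    """
    reports = {}
    for i, key in enumerate(adverts):
        if i in drop:
            continue
        reports[report_id(key)] = b"<encrypted location blob>"
    return reports


def receive(modem_id: bytes, message_id: int, length: int,
            reports: dict[bytes, bytes]) -> tuple[bytes, list[int]]:
    """Receiver: query both candidate keys per bit; whichever has a report is the bit.

    Returns the decoded bytes plus the indices of bits that could not be
    resolved (no report for either key, or reports for both). Unresolved
    bits are left as 0 in the output so the caller can decide what to do.
    """
    out = bytearray()
    unresolved = []
    for byte_index in range(length):
        value = 0
        for bit in range(8):
            bit_index = byte_index * 8 + bit
            seen0 = report_id(bit_key(modem_id, message_id, bit_index, 0)) in reports
            seen1 = report_id(bit_key(modem_id, message_id, bit_index, 1)) in reports
            if seen0 == seen1:
                unresolved.append(bit_index)
                continue
            if seen1:
                value |= 1 << (7 - bit)
        out.append(value)
    return bytes(out), unresolved


if __name__ == "__main__":
    # Constructed demo input: a made-up modem id and a two-byte message.
    modem, msg_id, payload = b"\x00\x00\xbe\xef", 1, b"Hi"
    adverts = send(modem, msg_id, payload)
    print(receive(modem, msg_id, len(payload), crowd_relay(adverts)))
    print(receive(modem, msg_id, len(payload), crowd_relay(adverts, drop={0, 9})))
```

Using two keys per bit instead of the presence or absence of a single key is what lets the receiver tell "this bit is 0" apart from "no iPhone was nearby when this key was broadcast"; with a one-key scheme a lost advert would silently decode as 0. Note also that the finder never learns what a key means, which is the property the text describes as making the channel hard for Apple to block.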
He further listed potential uses of this weakness, including uploading sensor readings or any other data from IoT devices that have no broadband modem, SIM card, data plan or Wi-Fi connectivity. It also appears that the Offline Finding protocol could be used to deplete nearby iPhones' mobile data plans. Apple cannot read the encrypted locations and does not know which public keys belong to which AirTag, so it would be hard for Apple to defend against this kind of misuse even if it wanted to. Further hardening of the system might be possible in two areas: authenticating the BLE advertisement, so that non-existent AirTags cannot simply be spoofed, and rate limiting the retrieval of location reports.
He concluded "that a firmware and data retrieval application for the ESP32 modem have been implemented and are available on Github for others to experiment with." He stresses that his data-channel "protocol" is not encrypted or authenticated in any way. Of the rate-limiting mitigation he wrote: "While this mitigation is simpler to implement, it can be circumvented by cycling through multiple free Apple IDs." He also noted: "While writing this blog post, I noticed that the BLE advertisement includes a 'status' byte that appears to be used as a battery level indicator."
You can read the full AirTag security vulnerability details in the researcher's blog post.