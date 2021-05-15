



According to German researchers, Apple’s Find My network can be used to steal data from devices that are not connected to the Internet.

Positive Security’s Fabian Bräunlein discovered that he could extract data from devices that had only a Bluetooth connection by turning them into essentially homemade AirTags and letting nearby iPhones and Macs carry the data to Apple’s iCloud servers. From there, Bräunlein was able to retrieve the data on his Mac.

The whole process runs very slowly. Bräunlein is getting a transmission rate of about 3 bytes per second, with each chunk of data up to 16 bytes. Over time, however, a significant amount of text can be sent. He calls his system “Send My”.

Data theft works because each Bluetooth device on the Find My network broadcasts a public encryption key to any Apple devices that come within range. Those devices note their own location, bundle it with the Bluetooth device’s public key, and send the resulting “location report” to Apple’s cloud.

Bräunlein found a way to embed a message in the encryption key carried in the location report, and used it to send a very short secret message from his homemade AirTag over Apple’s Find My network to his Mac.
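Because every chunk of a Send My message travels inside a public key, a sender running at a few bytes per second has to show far more distinct keys than a genuine Find My accessory would. The following defender-side heuristic is an added example, not code from this article, Positive Security or OpenHaystack: it parses Apple offline-finding advertisements captured from a Bluetooth LE sniffer and flags a time window in which the number of distinct keys is implausibly high. The advertisement layout follows the publicly documented OpenHaystack description; the rotation interval, the flagging threshold and the sample adverts are assumptions constructed for illustration.

```python
from collections import defaultdict

APPLE_COMPANY_ID = b"\x4c\x00"   # manufacturer-specific data, company 0x004C (Apple)
OFFLINE_FINDING_TYPE = 0x12      # Apple "offline finding" advertisement type
PAYLOAD_LEN = 0x19               # 25 bytes: status, 22 key bytes, key-bit byte, hint


def parse_offline_finding(mfr_data: bytes):
    """Return the 22-byte key fragment from a Find My advertisement, or None."""
    if len(mfr_data) < 27 or mfr_data[:2] != APPLE_COMPANY_ID:
        return None
    if mfr_data[2] != OFFLINE_FINDING_TYPE or mfr_data[3] != PAYLOAD_LEN:
        return None
    return mfr_data[5:27]  # byte 4 is the status byte; key bytes 6..27 follow


def make_advert(key22: bytes, status: int = 0x10) -> bytes:
    """Build a constructed manufacturer-data blob in the layout parsed above."""
    return APPLE_COMPANY_ID + bytes([OFFLINE_FINDING_TYPE, PAYLOAD_LEN, status]) + key22 + b"\x00\x00"


def flag_key_churn(adverts, window_s: int = 60, max_keys_per_window: int = 2):
    """adverts: iterable of (timestamp_seconds, manufacturer_data).

    Assumption: a legitimate accessory rotates its key on the order of every
    15 minutes, so a burst of many distinct keys inside one short window is a
    covert-channel indicator. Keys cannot be grouped per source because the
    advertised MAC address changes with the key, so the count is per window
    over everything in range; tune max_keys_per_window to the site's baseline.
    Returns [(window_start, distinct_key_count), ...] for flagged windows.
    """
    keys_by_window = defaultdict(set)
    for ts, mfr in adverts:
        frag = parse_offline_finding(mfr)
        if frag is not None:
            keys_by_window[ts // window_s * window_s].add(frag)
    return [(w, len(k)) for w, k in sorted(keys_by_window.items())
            if len(k) > max_keys_per_window]


# Constructed sample capture: one genuine-looking accessory repeating a single
# key every 2 s for two minutes, plus a source that presents a new key every
# second between t=60 and t=89, and one non-Apple advert that must be ignored.
SAMPLE_ADVERTS = [(t, make_advert(bytes(range(22)))) for t in range(0, 120, 2)]
SAMPLE_ADVERTS += [(t, make_advert(bytes([t]) + bytes(21))) for t in range(60, 90)]
SAMPLE_ADVERTS.append((10, b"\x06\x00" + bytes(27)))  # Microsoft company ID, not Find My

if __name__ == "__main__":
    print(flag_key_churn(SAMPLE_ADVERTS))  # [(60, 31)]
```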

Spying, tracking and messaging

The significance of Bräunlein’s work is not purely theoretical. Millions of computers around the world are kept disconnected from the internet for security reasons, because they hold sensitive data or run critical processes such as coordinating train movements and operating power plants.

“Such technologies could be used in small sensors in uncontrolled environments to avoid the cost and power consumption of mobile internet,” Bräunlein wrote in a blog post, which echoes what Amazon is already doing with its Sidewalk low-energy mesh network. “It may also be interesting to steal data from Faraday-shielded sites that iPhone users occasionally visit.”

If some of these computers could be made to talk to a passing iPhone over Bluetooth, data could be sneaked out of, or into, those machines.

Bräunlein doesn’t mention it, but it is already clear that an AirTag can be used to secretly track someone for up to three days before it chirps to reveal itself. A homemade AirTag could potentially track someone indefinitely without ever revealing its presence.

How a Homemade AirTag Accessed the Find My Network

Apple’s Find My network is a huge mesh network of hundreds of millions of iPhones around the world. Each iPhone listens for Bluetooth broadcasts from other devices on the network; when a Bluetooth-only device is sending a broadcast message, a nearby iPhone receives it and uses its own cellular or Wi-Fi connection to relay the message to Apple’s cloud servers.

The system was originally intended to find lost iPhones, iPads and MacBooks, but has since been expanded to other devices such as Belkin earphones and VanMoof electric bikes.

Earlier this year, other German researchers (not including Bräunlein) figured out how to bring Bluetooth devices not approved by Apple into the Find My network. Essentially, they created their own AirTags before the AirTag was announced. (The same researchers also showed a privacy flaw in AirDrop, which uses many of the same network protocols as Find My.)

They created a tool called OpenHaystack that piggybacks on the Find My network. One part is firmware that loads onto a small single-board computer such as a Raspberry Pi, turning it into a homemade AirTag. The other part is a Mac desktop application and a Mail plugin that the system needs in order to work.

Bräunlein modified the OpenHaystack firmware for a small ESP32 single-board computer (the homemade AirTag) and the corresponding software on the Mac. With these tools, Bräunlein could not only track the ESP32 over the Find My network, but also send messages by way of the Find My encryption protocol and its location reports.

Can Apple stop this?

Curiously, Apple may not be able to stop this kind of use, or abuse, of the Find My network. That is because Find My messages are encrypted end to end, and Apple cannot see what those messages contain or what type of device is sending them.

“Apple doesn’t know which public key belongs to your AirTag, and therefore which location report was targeted at you,” Bräunlein wrote in his blog post. “It will be difficult to prevent this kind of misuse, should Apple want to,” he said.

Tom’s Guide asked Apple to comment. We will update this story as soon as we receive a reply.

