Researchers at George Mason University say they have discovered a technique that can exploit Apple’s Find My network to track almost any device. The technique involves tricking Apple’s location network into thinking the targeted device is a lost AirTag that needs to be geolocated.
The Find My network is, in my opinion, one of Apple’s best inventions. As a reminder, it allows you to find a lost device or object (such as an AirTag), without using GPS or an internet connection. Indeed, instead of relying on traditional means of location, devices compatible with this network emit a Bluetooth signal that can be picked up by Apple products, which then send the position of this device to the company’s servers (so that this position is transmitted to the owner).
This system is very effective, but it also has a flaw, apparently. Researchers at George Mason University (USA) have found a way to exploit this network to locate almost any computer or mobile device. According to a press release, the attack involves tricking Apple’s systems into believing that the targeted device is a lost AirTag that needs to be located. “This is like turning any laptop, phone, or even game console into an Apple AirTag, without the owner realizing it,” explains Junming Chen, lead author of the study. “And the hacker can do all this remotely, thousands of miles away, for just a few dollars.”
During the tests of this technique, the researchers were able to track the route of an electric bicycle, and the route of a video game console that was on an airplane. “What makes nRootTag (editor’s note: the name they gave to the attack) particularly worrisome is its 90% success rate and its ability to track devices in a matter of minutes. This technique does not require escalation of privileges to administrator, which is usually the case for such deep access to the system, ” reads the university’s press release.
Apple has already been warned
To fool Apple’s systems, researchers at George Mason University would use thousands of graphics cards to find a cryptographic key that would allow the attack to be carried out. And according to the university, renting GPUs to perform these mathematical calculations would be affordable today. In addition, cryptographic keys that do not work could be stored in a database, which can be used for the next attack.
In any case, according to the university, Apple has already been informed of this problem. “The team informed Apple of the problem in July 2024 and Apple has officially acknowledged it in subsequent security updates,” it says.
Apple has not, however, revealed how it is fixing the problem. For their part, the authors of this discovery plan to present their technique at the USENIX Security Symposium in Seattle in August.
George Mason University researchers recommend that Apple update the Find My network to improve device verification. In the meantime, they advise users to be wary of apps that ask for unwarranted Bluetooth permissions, to always update their devices, and to use “privacy-focused” operating systems.
▪ Researchers claim to have found a technique to trick Apple’s Find My network into exploiting it to find the geolocation of almost any device
▪ The attack tricks the network into thinking the targeted device is a lost AirTag that needs to be located.
▪ The researchers have already informed Apple of the issue, but the company has not yet indicated how it plans to fix it.
ALSO READ: 200 times Elon Musk’s fortune: Bank Mistakenly Pays Nearly $81 Trillion to Client