Security researchers investigating the Find My network used by Apple's AirTags have been able to piggyback on the system to send data that Apple can neither monitor nor, apparently, prevent.
It's not something that can be easily replicated, nor does it expose AirTag users to any malware risk. However, it is reportedly possible for the Find My network to be subverted to send encoded messages between devices, albeit very short ones.
According to Berlin-based IT security consultancy Positive Security, "it's possible to upload arbitrary data from non-internet-connected devices" by sending Find My-style broadcasts. These are then picked up by Apple devices, in just the way that a lost AirTag uses passing iPhones to report its location.
"While I was mostly just curious about whether it would be possible," wrote consultant Fabian Braunlein in a blog post, "I would imagine the most common use case to be uploading sensor readings or any data from IoT devices without a broadband modem, SIM card, data plan or Wi-Fi connectivity."
So in theory, a correctly configured device could broadcast a Bluetooth LE signal just as AirTags do. Then, when an Apple device is nearby, it registers the signal and relays it.
"With Amazon running a similar network called Sidewalk that uses Echo devices there might very well be demand for it," continues Braunlein. "Since the Finding devices cache received broadcasts until they have an Internet connection, the sensors can even send out data from areas without mobile coverage as long as people pass the area."
More sinisterly, Braunlein posits that this could be used to "exfiltrate data from certain airgapped systems or Faraday caged rooms." Devices within such spaces might be insulated from the internet, but they could conceivably pass data to an iPhone belonging to a visitor walking by.
One more generally useful finding is that, according to Positive Security, there doesn't appear to be a technical reason why users can only have a limited number of AirTags.
"In this light, the stated restriction of 16 AirTags per Apple ID seems interesting, as to me it does not seem that Apple can currently enforce this," says Braunlein.
7 Comments
I'm waiting for someone to rip me on my comment so here goes.
Isn't this something the researcher should have contacted Apple about first? This sounds like a bug or at least something that shouldn't be possible. Now that it's known, I can see all sorts of hackers using it as a means to hack all sorts of devices. Is this really research or is it reverse engineering and/or hacking?
Researchers? I think of them as professional spoil sports.
If the article is correct, and Apple doesn't find a way to fix it, this will be a great solution to a difficult problem. As the article states, "I would imagine the most common use case to be uploading sensor readings or any data from IoT devices without a broadband modem, SIM card, data plan or Wi-Fi connectivity."
Any device which needs a small amount of data sent to your iPhone without building it with a SIM, WIFI or MODEM. So for example someone could build a garage door opener which tells me whether it's opened or closed using the FIND MY network by talking to anyone's nearby iOS device using Bluetooth. (My garage door is out of range of my home, several flights downwards, but it's in range of other people's homes, cars and garages.)
However, as I've said before, once people realize that strangers are using their paid bandwidth to transmit data for free, using Apple's FIND MY network on their iOS device, there will be some pushback towards Apple from the public. Apple will be unlikely to want to make third party signalling a "supported feature" because it opens up this free piggybacking, making people more likely to object to paying for someone else's data on their own data plan.