Hackers have worked out how to exploit Apple's Find My network, by abusing Bluetooth on a device to effectively turn anything into a trackable AirTag.
The Find My network is considered to be an extremely useful service, allowing users to track down a mislaid iPhone, lost luggage, or even a stolen car adorned with an AirTag. However, while Apple has done what it can to make the network as secure and as trustworthy as possible, security researchers have apparently managed to work around some of the protections.
George Mason University researchers, associate professors Qiang Zeng and Lannan Luo and PhD students Chen and Xiaoyue Ma, created "nRootTag" as an attack that takes advantage of Bluetooth addresses. It does so by tricking the Find My network into thinking a device is a missing AirTag.
AirTag functions by sending out Bluetooth messages in the hope they are detected by iPhones and Apple hardware that happens to pass by. The location of the ping is then relayed through the Find My network to Apple's servers anonymously, and is provided to the designated owner of the device.
In experiments, the team were able to make compromised non-Apple hardware with Bluetooth behave as if it's an AirTag, and be trackable on the network. No Apple hardware products are affected by this attack, according to Apple.
Apple's AirTag derives its Bluetooth address from a cryptographic key, changing the address to match the key; an attacker can't do the same on other hardware without first obtaining administrative privileges on it.
To work around this, the team devised efficient key-search techniques that find a key compatible with the device's existing Bluetooth address. Rather than changing the Bluetooth address to match the key, as Apple does, the team made the key fit the Bluetooth address.
Since the Find My network trusts device signals implicitly, Find My could have become an unwitting tracking tool. Apple says that it has since hardened the Find My network to resist this type of inappropriate use.
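To make the address-to-key relationship concrete, here is an added example (not the article's or the researchers' code) that encodes the publicly documented AirTag offline-finding advertisement layout, in which the BLE address is the first six bytes of the P-224 public key; it assumes that layout and uses a constructed key rather than a real tag's.

```python
"""Parse the Find My "offline finding" BLE advertisement and recover the
advertised P-224 public key from it.

Added example, not code from the article or from the nRootTag researchers.
Assumption: the layout documented by OpenHaystack / "Who Can Find My
Devices?" (address = key bytes 0..5 with top bits forced to 0b11, the
remaining key bytes in the manufacturer data). The key below is constructed.
"""
from typing import Optional

APPLE_COMPANY_ID = b"\x4c\x00"   # 0x004C, little-endian on the air
OFFLINE_FINDING_TYPE = 0x12
KEY_LEN = 28                     # P-224 x-coordinate, big-endian


def address_from_key(pubkey: bytes) -> bytes:
    """Bluetooth address a genuine AirTag uses: the first 6 key bytes, with
    the two top bits forced to 0b11 (a BLE 'random static' address)."""
    assert len(pubkey) == KEY_LEN
    addr = bytearray(pubkey[:6])
    addr[0] |= 0xC0
    return bytes(addr)


def build_advertisement(pubkey: bytes, status: int = 0x00) -> bytes:
    """Manufacturer-specific AD structure carrying key bytes 6..27 plus the
    two key bits that the address overwrote, then a one-byte hint."""
    payload = bytes([status]) + pubkey[6:] + bytes([pubkey[0] >> 6, 0x00])
    body = APPLE_COMPANY_ID + bytes([OFFLINE_FINDING_TYPE, len(payload)]) + payload
    return bytes([len(body) + 1, 0xFF]) + body


def recover_key(address: bytes, adv: bytes) -> Optional[bytes]:
    """Inverse of the two functions above: return the 28-byte key, or None if
    the frame does not look like an offline-finding advertisement."""
    if len(adv) != 31 or adv[1] != 0xFF or adv[2:4] != APPLE_COMPANY_ID:
        return None
    if adv[4] != OFFLINE_FINDING_TYPE or adv[5] != 0x19 or address[0] >> 6 != 0b11:
        return None
    first = (adv[29] << 6) | (address[0] & 0x3F)   # restore key byte 0
    return bytes([first]) + address[1:6] + adv[7:29]


def address_search_bits() -> int:
    """Key bits nRootTag must reproduce for a fixed address: 48 address bits
    minus the 2 forced to 0b11. Random trials needed are on the order of
    2**46, which is why the search needs GPU farms and why every key that
    misses one target is worth keeping for another."""
    return 48 - 2
```

An analyst parsing a BLE capture can feed the advertiser address and the 31-byte AD structure to `recover_key` to obtain the key the network would use to resolve location reports.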
Intensive but reliable
The nRootTag technique is quite reliable, with it having a 90 percent success rate and working within minutes.
It's also able to work on a wide variety of devices and operating systems, such as smart TVs and VR headsets, not just computers and smartphones. An e-bike was able to be tracked across a city, in one test case.
Furthermore, because it doesn't require deep system access to the target device, this becomes something that can be done remotely over the Internet, without the victim's knowledge.
"While it is scary if your smart lock is hacked, it becomes far more horrifying if the attacker also knows its location," explains Zeng. "With the attack method we introduced, the attacker can achieve this."
The reliability and capability of the attack vector can seem quite sinister, but at the same time, the team admits that a lot of work has to be done to accomplish it. "Time is essential in an actual attack, and we don't have a year to do the cracking," said Chen.
To find matches quickly, the team relied on banks of hundreds of graphics processing units to handle the workload. This was achieved by cheaply renting GPUs owned by others to carry out the work.
While this is similar in concept to Bitcoin mining, it differs in that more than one solution is kept. Keys that don't match the current target can be saved to a database and used against future targets.
The processing requirements make it hard to believe that the attack can be used against people en masse. However, it could theoretically be used by well-heeled marketing companies building advertising profiles without needing traditional GPS-based location services to be enabled.
On a more malicious level, the amount of resources required means it's a technique that lends itself more to espionage and security agency activities targeting people of interest, not the public at large.
A long time to fix
The researchers reported the issue to Apple in July 2024, as per the typical responsible disclosure process, with Apple acknowledging it in security updates. Apple has now said that it hardened its Find My network through software updates issued on December 11, 2024.
Even after the recent updates, the team is still expecting the problem to persist for years, due to users not being too willing to update their non-Apple devices. These slow updates could keep the Find My network somewhat vulnerable for quite some time to come.
The team plans to present its findings on the project at the USENIX Security Symposium in August.
Updated at 12:10pm Eastern on 01 March 2025 with clarification on Apple's steps to mitigate the exploit.
3 Comments
On the one hand, this is somewhat horrifying because it means that someone could conceivably track someone’s car by identifying the Bluetooth address of the car's stereo head unit. On the more positive side, this means that someone could track their own car, in the event of theft, without any of the telltale chirps that an AirTag would produce. I think the ideal situation would be where this kind of exploit could be enabled when the authorized user wants to allow it, but is otherwise disabled.
Before anyone else freaks out about this, let's have a quick examination of the process required to make this work, in practical terms.
1. capture the BLE MAC address (will only work if the MAC address is a static MAC address and never changes)
2. create a P-224 elliptic curve public/private key pair where the public key uses part of the MAC address in correct sequence as part of the 28 byte public key.
3. create firmware to broadcast this public key in the correct sequence with other Find-My requirements
4. combine this new firmware with the original firmware
5. upload the firmware onto the device
In the example of the lock, the 'attacker' would need to create a hybrid firmware that still made the lock functional AND broadcast a special Find-My packet.
The firmware would likely need to be installed PHYSICALLY onto the lock, at which point the attacker knows where it is?
Now they can track this bluetooth lock with special hybrid firmware...
Awesome research, but terrible media coverage and explanation.