Apple’s device location tracking service, Find My, could be abused to upload arbitrary data and deliver it to nearby devices around the world, a new report claims.
In a blog post, cybersecurity company Positive Security introduces a proof of concept called Send My. The exploit shows that the Bluetooth Low Energy (BLE) broadcasts on which the Find My network is built can be manipulated to upload small amounts of arbitrary data, without even the need for an Internet connection on the sending device.
Made possible by custom ESP32 firmware that turns the microcontroller into a modem for the Find My network, the technique could in theory also be used to drain mobile data plans, the post suggests.
Apple Find My Network
The Apple Find My network relies on a crowdsourced system rather than GPS to locate iOS, macOS, and watchOS devices – and now AirTags.
If a user opts into the program, their devices begin communicating over BLE with other Apple devices in the area. The sheer number of Apple products in circulation means these device-to-device reports can be used to build an accurate map of the location of each item.
However, as part of this process, the communication between devices is also forwarded to Apple’s servers, from which the data can later be retrieved. For this purpose, Positive Security developed a macOS application that can retrieve, decode, and display this information.
“Small sensors can use this technology in uncontrolled environments to avoid the cost and power consumption of mobile internet,” said Fabian Bräunlein, founder of Positive Security. “It could also be interesting for exfiltrating data from Faraday-shielded sites that iPhone users visit from time to time.”
Although the amount of data that can be uploaded by this method is limited and the latency is considerable (up to 60 minutes), it is thought that sophisticated threat actors could still make good use of the exploit.
According to Positive Security, the privacy-centric way in which the Find My network is built means it may be impossible for Apple to block the attack vector.
Apple did not respond to the request for comment.