Researchers Abuse Apple’s Find My Network for Data Upload
Security researchers have discovered a way to leverage Apple’s Find My’s Offline Finding network to upload data from devices, even those that do not have a Wi-Fi or mobile network connection.
Using Bluetooth Low Energy, the data is being sent to nearby Apple devices that do connect to the Internet, and then sent to Apple’s servers, from where it can be retrieved at a later date.
The technique could be used to avoid the costs and power usage associated with mobile Internet, or to exfiltrate data from Faraday-shielded sites visited by iPhone users, researchers with Positive Security, a Berlin-based security consulting firm.
Usinga March 2021 report from academic researchers with the Technical University of Darmstadt, Germany, which describes vulnerabilities in Apple’s Find My network, Positive Security found a way to leverage Find My BLE broadcasts to send data to nearby Apple devices.
Positive Security’s researchers explain that, while the connection between an AirTag and an Apple device is secured using an Elliptic Curve key pair, the owner device doesn’t know which specific key is used by the AirTag, and instead generates a list of keys that AirTag recently used, while also querying an Apple service to receive their SHA256 hashes.
“Apple does not know which public keys belong to your AirTag, and therefore which location reports were intended for you,” the researchersexplained.
The location reports, however, can only be decrypted with the correct private key, but the researchers discovered they could check whether such reports do exist for a specific SHA256 hash, and even add reports to a specific SHA256 hash.
“We can set arbitrary bits in the shared key-value store and query them again. If both the sender and receiver agree on an encoding scheme, we can transfer arbitrary data,” the researchers explain.
For their setup, the researchers, whopublished proof-of-concept code on GitHub, used the ESP32 microcontroller, an OpenHaystack-based firmware, and a macOS application designed to retrieve, decode, and display the transmitted data.
The sending rate is of roughly 3 bytes/second, but higher speeds could be achieved as well. A latency of 1 to 60 minutes was registered, depending on the number of nearby devices.
The technique may be used to upload sensor readings or other data from IoT devices or to exfiltrate information from air-gapped systems, and even for depleting nearby iPhone’s mobile data plans (through broadcasting many unique public keys).
To mitigate such an attack, Apple could implement authentication of the BLE advertisement (the current setup doesn’t differentiate between real and spoofed AirTags), and rate limit the location report retrieval.