Apple’s Find My network, used to locate iOS and macOS devices and AirTags, can be abused as an espionage tool.
A researcher demonstrated how one can use nearby Apple devices to send out snippets of information as far as a computer on the other side of the world – and do this without any network connectivity, using Bluetooth Low Energy (BLE) technology.
In a blog post on Wednesday, Fabian Bräunlein, a co-founder of Positive Security, described a proof-of-concept service he dubbed Send My.
The researcher used Bluetooth Low Energy (BLE) and a microcontroller as a modem to send arbitrary data to Apple’s iCloud servers from devices without an internet connection. He could then retrieve the data from the cloud using a Mac app.
Apple’s Find My network is essentially a crowdsourced location-tracking system used to find participating devices that communicate over BLE.
Bräunlein said he based his method on the work done by Technical University of Darmstadt researchers Alexander Heinrich, Milan Stute, Tim Kornhuber, and Matthias Hollick, specifically their analysis of the security and privacy of Apple’s Find My network [PDF].
Bräunlein said the Find My network hack could be useful for several applications:
“Such a technique could be employed by small sensors in uncontrolled environments to avoid the cost and power-consumption of mobile internet,” he explains. “It could also be interesting for exfiltrating data from Faraday-shielded sites that are occasionally visited by iPhone users.”
He also said a hacker using his method could try to deplete mobile users’ data plans because there is no rate-limiting mechanism for the number of Find My network location reports.
In his scheme, Bräunlein used an ESP32 microcontroller running OpenHaystack-based firmware to broadcast a hardcoded message and to listen on its serial interface for new data. Apple devices nearby participating in the Find My network will pick up these messages and relay them to Apple’s cloud.
He says the microcontroller sends ~3 bytes per second, and retrieving 16 bytes takes ~5 seconds. On top of that, there is latency ranging from 1 to 60 minutes. There are faster data transmission side channels, but a sophisticated hacker may still be interested in using the Send My hack. The researcher commented on the possibility of the above scenario:
“This is quite a long attack chain, but the same [as] Stuxnet. I think the biggest hurdle would be finding a device with a Bluetooth modem in such a network.”
“If there were any consumer-grade IoT devices, their compromise would probably be the lowest hurdle,” he said. “However when malware is installed e.g. via dropped USB sticks, the USB sticks could already include the Bluetooth microcontroller.”
Additionally, Bräunlein says it would be difficult for Apple to protect its users against this sort of attack.
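Because the relay happens on Apple's side, the practical defence for a site that worries about this channel is local: watch the BLE advertisements in the air and notice when something behaves like a Send My-style modem rather than a tag. A genuine Find My accessory rotates its broadcast key slowly (on the order of once every 15 minutes), whereas a modem that encodes data into keys must cycle through many distinct keys per minute. The Python below is an added example written for this article; it is not code from the article, from Positive Security, or from the Send My or OpenHaystack projects. The advertisement layout it parses is an assumption taken from the OpenHaystack firmware's published frame format (the article does not describe the frame), the key-rotation baseline and thresholds are assumptions, and the capture it analyses is constructed in the block itself.

```python
# Added example: flag Find My "Offline Finding" advertisements whose key churn
# is far above what a real accessory would produce.  Not code from the article
# or from the Send My / OpenHaystack projects.
#
# ASSUMED frame layout (OpenHaystack-style advertising data, not from the article):
#   byte 0     : AD length (0x1E)
#   byte 1     : AD type 0xFF, manufacturer specific
#   bytes 2-3  : company ID 0x004C (Apple), little-endian
#   byte 4     : 0x12, Offline Finding
#   byte 5     : payload length 0x19
#   byte 6     : status byte
#   bytes 7-28 : 22 bytes of the rotating public key
#   byte 29    : top two bits of the key's first byte
#   byte 30    : hint byte
# The first six key bytes ride in the BLE advertising address (assumption from the
# same format), so the address changes with every key and is useless for grouping;
# the detector therefore counts distinct keys per time window over the whole capture.
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

APPLE_COMPANY_ID = 0x004C
OFFLINE_FINDING_TYPE = 0x12


@dataclass
class Advertisement:
    ts: float    # seconds since capture start
    addr: str    # advertising address as seen on air
    raw: bytes   # full advertising data


def parse_offline_finding(raw: bytes) -> Optional[bytes]:
    """Return the 22 key bytes carried by an Offline Finding advert, else None."""
    if len(raw) < 29 or raw[1] != 0xFF:
        return None
    if int.from_bytes(raw[2:4], "little") != APPLE_COMPANY_ID:
        return None
    if raw[4] != OFFLINE_FINDING_TYPE:
        return None
    return bytes(raw[7:29])


def distinct_keys_per_window(adverts: List[Advertisement],
                             window_s: float = 60.0) -> List[Tuple[float, int]]:
    """Count distinct Offline Finding keys seen in each fixed window of window_s seconds."""
    buckets = defaultdict(set)
    for adv in adverts:
        key = parse_offline_finding(adv.raw)
        if key is None:
            continue  # not a Find My frame; other BLE traffic is ignored
        start = int(adv.ts // window_s) * window_s
        buckets[start].add(key)
    return sorted((start, len(keys)) for start, keys in buckets.items())


def flag_windows(adverts: List[Advertisement], window_s: float = 60.0,
                 max_distinct: int = 4) -> List[Tuple[float, int]]:
    """Windows in which more distinct keys appeared than a few slow-rotating tags could explain.
    max_distinct is an assumed site baseline (number of legitimate tags plus a margin)."""
    return [w for w in distinct_keys_per_window(adverts, window_s) if w[1] > max_distinct]


# --- constructed sample capture -------------------------------------------------
def make_frame(key: bytes) -> bytes:
    """Build an Offline Finding advert for a 28-byte key using the assumed layout."""
    assert len(key) == 28
    return (bytes([0x1E, 0xFF, 0x4C, 0x00, OFFLINE_FINDING_TYPE, 0x19, 0x00])
            + key[6:28] + bytes([key[0] >> 6, 0x00]))


def build_sample_capture() -> List[Advertisement]:
    """Constructed 3-minute capture: two ordinary tags plus a 40-key burst in minute two."""
    adverts = []
    tag_a, tag_b = bytes([0xAA] * 28), bytes([0xBB] * 28)
    for t in range(0, 180, 2):                     # two real tags, fixed keys
        adverts.append(Advertisement(t, "aa:aa:aa:aa:aa:aa", make_frame(tag_a)))
        adverts.append(Advertisement(t, "bb:bb:bb:bb:bb:bb", make_frame(tag_b)))
    for i in range(40):                            # modem-like source: new key every second
        key = bytes(6) + bytes([i]) + bytes([0x55] * 21)
        adverts.append(Advertisement(60 + i, "modem-addr-%02d" % i, make_frame(key)))
    adverts.append(Advertisement(5, "12:34:56:78:9a:bc", bytes([0x02, 0x01, 0x06])))  # unrelated flags AD
    return adverts


if __name__ == "__main__":
    for start, count in flag_windows(build_sample_capture()):
        print("window starting at %.0fs: %d distinct Find My keys" % (start, count))
```

On the constructed capture only the second minute is flagged (42 distinct keys against a baseline of 4); the two steady tags never trip the detector. In a real deployment the baseline would be set from the number of known accessories on site, and the raw frames would come from a BLE sniffer rather than `build_sample_capture()`.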