Researchers from the Technical University of Darmstadt, Germany, identified two vulnerabilities in Apple’s crowd-sourced Offline Finding feature that could leak the user’s location.
The vulnerabilities could expose the identity of users even when they’re offline, researchers claim.
Offline Finding is a proprietary feature introduced by Apple in 2019 for its iOS, macOS, and watchOS platforms. Its crowdsourced location-tracking technology helps users to find the location of Apple devices even if they aren’t connected to the Internet.
While Apple promised that the technology would work in a way that preserves user privacy, the researchers from the Technical University of Darmstadt showed it has flaws that “can lead to a location correlation attack and unauthorized access to the location history of the past seven days, which could deanonymize users.”
The research team, made up of Alexander Heinrich, Milan Stute, Tim Kornhuber, and Matthias Hollick from the Technical University of Darmstadt, Germany, presented its findings in a paper published online [PDF].
Researchers have notified Apple of their findings, and the tech giant has already issued a hotfix for the most serious flaw.
Offline Finding depends on a network of hundreds of millions of devices, which makes it the largest crowd-sourced location tracking system out there. And it will grow even larger when the feature is rolled out to non-Apple devices, researchers noted.
Offline Finding works through its network of so-called “finder” devices. These devices locate the “lost,” unconnected device using Bluetooth Low Energy (BLE). The finder devices are connected to the Internet, so they can relay the location to the owner of the lost device.
While, overall, the technology delivers on Apple’s promise of privacy, researchers discovered two vulnerabilities “that can have severe consequences for the users.”
One flaw allows Apple to discover which users have been in close proximity to each other because the finder and owner devices reveal their identity to Apple. Apple then can correlate different owners’ locations if their locations are reported by the same finder, “effectively allowing Apple to construct a social graph.” This can violate user privacy, researchers say.
A related concern is that the company could retain this data for later exploitation. The correlation, however, is only possible when the owner requests the location of their device via the Find My application.
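To make the first finding concrete, the metadata-only correlation the researchers describe can be modelled on constructed data: a server that knows which finder uploaded each report and which owner fetched it can link owners whose devices were seen by the same finder at about the same time. This is an added illustration, not code from the paper or from Apple; the record layout, owner names and 15-minute window are assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample of the metadata the paper says the server can see for each
# location report: the finder that uploaded it and the owner account that later
# requested it. Timestamps are minutes since an arbitrary epoch (invented data).
REPORTS = [
    # (finder_id, owner_id, minute)
    ("finder-A", "alice", 100),
    ("finder-A", "bob",   103),   # same finder, minutes apart -> co-located
    ("finder-B", "alice", 400),
    ("finder-B", "carol", 405),
    ("finder-C", "bob",   800),
    ("finder-C", "carol", 2000),  # same finder but hours apart -> not linked
    ("finder-D", "dave",  900),
]

def colocation_graph(reports, window=15):
    """Return {(owner1, owner2): count} of owner pairs whose devices were
    reported by the same finder within `window` minutes of each other.
    Pairs are stored with owners sorted so (a, b) and (b, a) coincide."""
    by_finder = defaultdict(list)
    for finder, owner, minute in reports:
        by_finder[finder].append((owner, minute))
    edges = defaultdict(int)
    for sightings in by_finder.values():
        for (o1, t1), (o2, t2) in combinations(sightings, 2):
            if o1 != o2 and abs(t1 - t2) <= window:
                edges[tuple(sorted((o1, o2)))] += 1
    return dict(edges)

def linked_owners(reports, window=15):
    """Owners that appear in at least one co-location edge, i.e. the nodes of
    the social graph the server could build from report metadata alone."""
    names = set()
    for a, b in colocation_graph(reports, window):
        names.update((a, b))
    return names

if __name__ == "__main__":
    for pair, n in sorted(colocation_graph(REPORTS).items()):
        print(f"{pair[0]} <-> {pair[1]}: {n} co-sighting(s)")
```

Note that no location coordinates are needed: the graph is built purely from the identities the finder and owner devices reveal to the server, which is why hiding those identities (rather than encrypting the coordinates) is the relevant mitigation.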
A second vulnerability, tracked as CVE-2020-9986, is more serious. It could allow someone to build “malicious macOS applications to retrieve and decrypt the OF location reports of the last seven days for all its users and for all of their devices,” the researchers explain.
The problem stems from the fact that macOS caches the keys the devices use to communicate in a directory on disk, and any local user, or any app running with user privileges, can read that directory. An attacker can thereby bypass Apple’s restricted location API and, without user consent, access the geolocation of all owner devices, which could allow them to identify the user “with high accuracy,” researchers said.
Apple addressed this flaw with improved access restrictions in macOS Catalina 10.15.7.