George Mason University researchers found a critical vulnerability in Apple’s Find My service that can transform any Bluetooth device into a tracker without the device owner’s knowledge or consent. While many exploited vulnerabilities require physical access, this can be performed remotely, adding an extra layer of concern.
According to the researchers (via MacRumors), the “nRootTag” attack uses a Bluetooth address combined with the Find My network to turn other devices into homing beacons.
“It’s like transforming any laptop, phone, or even gaming console into an Apple AirTag – without the owner ever realizing it,” said Junming Chen, lead author of the study. “And the hacker can do it all remotely, from thousands of miles away, with just a few dollars.”
As explained in the paper, Apple’s AirTags send Bluetooth signals anonymously to nearby Apple devices. Hackers can make any device behave like an AirTag in order to track its user. In demonstrating the attack, the researchers were able to map a computer’s location to within 10 feet, track the route of a moving e-bike, and reconstruct a flight path and identify the flight number from a gaming console brought on an airplane.
“While it is scary if your smart lock is hacked, it becomes far more horrifying if the attacker also knows its location. With the attack method we introduced, the attacker can achieve this,” says one researcher.
They explain that, instead of modifying the AirTag’s Bluetooth address, the hackers were able to develop “efficient key search techniques to find a key that is compatible with a Bluetooth address, making the key adapt to the address.”
The attack has a 90% success rate and can track devices within minutes. The real issue is that it could be used to stalk people, or by advertising companies that want to profile users without using the phone’s GPS functionality.
The paper says Apple has been aware of the issue for almost a year, but the company has not patched it yet. Even once Apple fixes it, the researchers believe the problem might persist, as many users take weeks or months to update their phones.
BGR will let you know once the company fixes this Find My vulnerability.