Researcher uncovers Find My security flaw through AirTag - TechnW3
"It's possible to upload arbitrary data from non-internet-connected devices by sending Find My BLE broadcasts to nearby Apple devices that then upload the data for you"
What you need to know
- A security researcher has reportedly uncovered a flaw in Apple's Find My network.
- Fabian Bräunlein says a loophole can be used to send messages to nearby devices.
- The flaw was found through Apple's new AirTag tracking device.
A security researcher claims to have found a flaw in the security of Apple's Find My network, uncovered through its new AirTag.
In a new blog researcher Fabian Bräunlein states:
With the recent release of Apple's AirTags, I was curious whether Find My's Offline Finding network could be (ab)used to upload arbitrary data to the Internet, from devices that are not connected to WiFi or mobile internet. The data would be broadcasted via Bluetooth Low Energy and picked up by nearby Apple devices, that, once they are connected to the Internet, forward the data to Apple servers where it could later be retrieved from. Such a technique could be employed by small sensors in uncontrolled environments to avoid the cost and power-consumption of mobile internet. It could also be interesting for exfiltrating data from Faraday-shielded sites that are occasionally visited by iPhone users.
The concept and findings are explained in plainer terms by Gadgets 360, who note the flaw "could be exploited to broadcast arbitrary messages to nearby Apple devices". The flaw reportedly allows exploitation of Apple's Find My Network "to send normal text messages to nearby devices":
The researcher was able to transmit text messages by replicating the way an AirTag communicates over the crowdsourced network and sends its GPS coordinates as an encrypted message.
As the research explains:
In theory this should be possible: If you can emulate two AirTags, you can encode data by activating only one of the two AirTags at a specific point in time. The receiving device could then check which AirTag is active at what time and decode this back to the original data.
Bräunlein created a custom device to emulate an AirTag and a custom Mac app, arriving at the following case for misuse:
While I was mostly just curious about whether it would be possible, I would imagine the most common use case to be uploading sensor readings or any data from IoT devices without a broadband modem, SIM card, data plan or Wifi connectivity. With Amazon running a similar network called Sidewalk that uses Echo devices there might very well be demand for it. Since the Finding devices cache received broadcasts until they have an Internet connection, the sensors can even send out data from areas without mobile coverage as long as people pass the area.
The report says it "would be hard for Apple to defend against this kind of misuse in case they wanted to" but offers a couple of solutions for "further hardening of the system." You can read the full report here.
Apple released its AirTag recently, along with a slew of accessories, the best of which you can find in our Best Accessories for AirTags 2021 roundup.
from iMore - Learn more. Be more.
via TechnW3
No comments: