
Apple's Find My Network Exploit Lets Hackers Silently Track Any Bluetooth Device

Researchers at George Mason University discovered a vulnerability in Apple's Find My network that allows hackers to silently track any Bluetooth device as if it were an AirTag, without the owner's knowledge. 9to5Mac reports: Although AirTag was designed to change its Bluetooth address based on a cryptographic key, the attackers developed a system that could quickly find keys for Bluetooth addresses. This was made possible by using "hundreds" of GPUs to find a key match. The exploit called "nRootTag" has a frightening success rate of 90% and doesn't require "sophisticated administrator privilege escalation."

In one of the experiments, the researchers were able to track the location of a computer with an accuracy of 10 feet, which allowed them to trace a bicycle moving through the city. In another experiment, they reconstructed a person's flight path by tracking their game console. "While it is scary if your smart lock is hacked, it becomes far more horrifying if the attacker also knows its location. With the attack method we introduced, the attacker can achieve this," said one of the researchers.
Apple has acknowledged the George Mason researchers for discovering a Bluetooth exploit in its Find My network but has yet to issue a fix. "For now, they advise users to never allow unnecessary access to the device's Bluetooth when requested by apps, and of course, always keep their device's software updated," reports 9to5Mac.

  • by DrMrLordX ( 559371 ) on Thursday February 27, 2025 @10:06PM (#65200137)

    Might suck for people actually using it for something like earbuds but turn off your Bluetooth on everything.

    • by mjwx ( 966435 )

      Might suck for people actually using it for something like earbuds but turn off your Bluetooth on everything.

      I've always kept it off for battery life. That and bluetooth audio usually makes Dave Mustaine's voice sound as tinny as Gen. Bernard Montgomery's.

    • turn off your Bluetooth on everything

      A bit difficult to do with your pacemaker.

      • Didn't know anyone was crazy enough to make those but:

        https://www.medtronic.com/en-u... [medtronic.com]

        "BlueSync technology within certain implantable cardiac devices enables secure, wireless communication via Bluetooth®* low energy without compromising longevity."

        Huh.

  • So pathetic that Apple won't open up its network to help you find lost or stolen equipment but thieves can. It's all about future sales, not the customer's security or safety.
    • What is that supposed to mean?
      Obviously you can search for your lost items your self.
      That is the whole point of it!

      • by Mushur ( 870120 )

        You misunderstand what he is saying (BTW, "yourself" is 1 word).

        The article states that *any* bluetooth item can be tracked using their network, by pretending to be an Airtag.
        While Apple obviously only has functionality to track Airtags, not any bluetooth item.
        Therefore, miscreants have more power & functionality than actual users.

        • by tlhIngan ( 30335 )

          The article states that *any* bluetooth item can be tracked using their network, by pretending to be an Airtag.
          While Apple obviously only has functionality to track Airtags, not any bluetooth item.
          Therefore, miscreants have more power & functionality than actual users.

          "Any" meaning any *hacked* Bluetooth device. The issue is it has to register with Apple first to be tracked (Apple doesn't have a database of every Bluetooth device out there and their current location - it just has a database of "AirTag"

    • Re: (Score:2, Flamebait)

      by phayes ( 202222 )

      Be honest. You don’t need any “reasons” to hate & criticize Apple, jealousy is more than enough.

  • sounds useful! (Score:4, Informative)

    by Gravis Zero ( 934156 ) on Friday February 28, 2025 @12:17AM (#65200289)

    Apple's Find My Network Exploit...

    I would pay top dollar for that product. Of course it's an Apple product so I would be paying top dollar for that product. ;)

  • Not really surprising.
  • "While it is scary if your smart lock is hacked, it becomes far more horrifying if the attacker also knows its location. With the attack method we introduced, the attacker can achieve this," said one of the researchers.

    It's amazing how many otherwise intelligent people immediately assume the "smart" aspect of a smart lock is the weakest link in the security. Most smart locks still have a physical keyway as a backup, and those can be easily defeated with a bump key [youtube.com].

    Of course, the reason we can get away with having such abysmally bad security on homes is that burglarizing a residence is very high risk, low reward crime.

  • Exploitability? (Score:5, Informative)

    by cmseagle ( 1195671 ) on Friday February 28, 2025 @07:06AM (#65200663)

    The exploit called "nRootTag" has a frightening success rate of 90% and doesn't require "sophisticated administrator privilege escalation."

    I suppose we won't know more until the researchers present their findings in August, but if not "admin privilege escalation" on the device you're trying to track, what does it require? Presumably the installation of some kind of malware that can access the Bluetooth stack and make it communicate with Apple devices as if it were an Airtag.

    This seems bad, but I read it as far from the nightmare scenario of being able to sniff an identifier of a Bluetooth device and then track it on an ongoing basis through Find My.

    • by mjwx ( 966435 )
      I'm shocked, shocked that something that seems so easily exploitable is being so easily exploited, shocked I tell you.
    • The whole scenario is vague. I'm not entirely sure if someone just needs to know the BT address of the target device in order to search for it in Apple's system or if they need to trick the device into "registering" with Apple. I kind of suspect the former from the mention of smart locks.
      • I was trying to parse their wording to make that exact determination. They certainly didn't make it obvious. But this language:

        While it is scary if your smart lock is hacked, it becomes far more horrifying if the attacker also knows its location.

        Leads me to believe that "hacking" the smart lock is a prerequisite for then exploiting the Find My network to determine its location.

        • I was trying to parse their wording to make that exact determination. They certainly didn't make it obvious. But this language:

          While it is scary if your smart lock is hacked, it becomes far more horrifying if the attacker also knows its location.

          Leads me to believe that "hacking" the smart lock is a prerequisite for then exploiting the Find My network to determine its location.

          I hear you, and maybe. Or even probably. But... if your smart lock is not hacked, it is not horrifying for the attacker to know its location. I don't know the one causes the other. It may be that the location of a non-hacked lock is... irrelevant. Dunno.

          Maybe the strongest argument is in the advice to be cautious about programs asking to use Bluetooth. I'm guessing maybe those programs are doing so to register the phone with Apple. Maybe.

    • Re:Exploitability? (Score:4, Informative)

      by CoolCash ( 528004 ) on Friday February 28, 2025 @10:51AM (#65201043) Homepage
      Exactly. After reading the whitepaper on how it works, the device that needs to be tracked has to be compromised with their client software. The "lost" device then hashes their Bluetooth id, sends it to the malware server and then broadcasts it out to the Find My network as a lost device. Using the server or another device that has decoded the hash with a GPU, you can then get that information from the network and track that device.
      • Thank you for an excellent summary.

        A design so good some of the greybeards at NSA may have come up with it.

        Unfortunately for cyberwarfare the next generation there seems literally insane. But at least we now know how all the target lists of normal people were developed.

        The trouble is now we also know that with a zeroday arsenal the political opponents can be tracked in Airplane Mode away from cell service.

        Yoiks.

      • Link to the whitepaper, please? I may be blind but couldn't find it linked anywhere.
  • "From the NSA-is-furious department"
