Geeky Gadgets
9:26 am
We previously heard that the new Apple AirTag had been hacked and now it looks like a security researcher may be able to exploit Apple’s Find My network.
According to Security researcher Fabian Bräunlein he has been able to use Apple’s Find My network to send messages.
With the recent release of Apple’s AirTags, I was curious whether Find My’s Offline Finding network could be (ab)used to upload arbitrary data to the Internet, from devices that are not connected to WiFi or mobile internet. The data would be broadcasted via Bluetooth Low Energy and picked up by nearby Apple devices, that, once they are connected to the Internet, forward the data to Apple servers where it could later be retrieved from. Such a technique could be employed by small sensors in uncontrolled environments to avoid the cost and power-consumption of mobile internet. It could also be interesting for exfiltrating data from Faraday-shielded sites that are occasionally visited by i
By Ionut Arghire on May 13, 2021
Security researchers have discovered a way to leverage Apple’s Find My s Offline Finding network to upload data from devices, even those that do not have a Wi-Fi or mobile network connection.
Using Bluetooth Low Energy, the data is being sent to nearby Apple devices that do connect to the Internet, and then sent to Apple’s servers, from where it can be retrieved at a later date.
The technique could be used to avoid the costs and power usage associated with mobile Internet, or to exfiltrate data from Faraday-shielded sites visited by iPhone users, researchers with Positive Security, a Berlin-based security consulting firm.
broadcasts to nearby Apple devices that then
upload the data for you
We released an
macOS application to retrieve, decode and display the uploaded data: https://github.com/positive-security/send-my
Being inherent to the privacy and security-focused design of the Find My Offline Finding system, it seems
unlikely that this misuse can be prevented completely
Introduction
With the recent release of Apple s AirTags, I was curious whether Find My s Offline Finding network could be (ab)used to upload arbitrary data to the Internet, from devices that are not connected to WiFi or mobile internet. The data would be broadcasted via Bluetooth Low Energy and picked up by nearby Apple devices, that, once they are connected to the Internet, forward the data to Apple servers where it could later be retrieved from. Such a technique could be employed by small sensors in uncontrolled environments to avoid the cost and power-consumption of mobile internet. It could also be interesting for exfi
Someone has been able to send arbitrary text via the Find My network.
They created a fake AirTag to send the messages.
Find My, the network of iOS and macOS devices that is used by AirTag and others for location tracking, can be used to send arbitrary text to other devices. That s the discovery of one security researcher who published their findings in a new blog post.
Researcher Fabian Bräunlein essentially created a fake AirTag to send text across the Find My network, receiving it on a remote Mac. It s notable that it isn t thought that the process used by Bräunlein is something Apple can easily work to block.