Thursday, April 18, 2024

Apple’s “Find My Network” Can be Abused to Exfiltrate Data From Nearby Apple Devices

The security experts at Positive Security have recently detected a new exploit known as Send My in Apple’s Find My network for data transfer. 

Apple’s Find My network is a crowdsourced location tracking system, and it works via Bluetooth Low Energy (BLE), so, it works even if the device is not connected to the internet and if there is no data connection.

To keep it active it broadcast a special Bluetooth signal outside, that can be detected and recognized by other nearby Apple devices. Such signals are sent even in sleep mode and then transmitted by other users to Apple servers.

Send My exploit

The cybersecurity researchers experts from the Darmstadt University of Technology in Germany published a research paper in March of this year that scattered light on several vulnerabilities.

While the specialists at Positive Security firm were able to develop an idea after analyzing the research paper of the Technical University of Darmstadt to exploit Apple’s Find My network. 

As a result, they manage to develop an exploit, “Send My,” to perform an attack on Apple’s Find My network to transfer arbitrary data from the nearby Apple devices.

Fabian Bräunlein, the co-founder of Positive Security has claimed that the connection between the AirTag and the Apple device is always secured with an Elliptic Curve key pair, but, the twist comes here is that the owner’s device isn’t able to identify which key AirTag is using.

For this, a whole list of keys that have recently been used by AirTag is generated, and their SHA256 hashes are also requested from Apple’s Find My network.

Here, the mentioned location reports can only be decrypted with the correct private key, however, the researchers found that they can check if reports exist for a specific SHA256 hash in principle.

To support this proof-of-concept the analysts have used ESP32 microcontroller firmware-based tool, “OpenHaystack” and macOS application designed to retrieve, decode and display transmitted data.

And here to retrieve the data from a macOS device, you need to use the Apple Mail plugin, which works with elevated privileges. Not only that, even the user must install the OpenHaystack tool and run the DataFetcher for the macOS app created by BRÄUNLEIN to view such unauthorized broadcasts.

Apart from this, the Send My attack can hardly be called high-speed arbitrary data transmission exploit, as the average data transfer rate of this attack is about 3 bytes per second. 

While the data transfer occurs with a delay of 1 to 60 minutes, depending on the number of nearby Apple devices.


The co-founder of the Positive Security, FABIAN BRÄUNLEIN believes that with the help of the Send My attack, it is possible to create an analogue of the  Amazon Sidewalk based on Apple’s network infrastructure. 

However, the Send My exploit can be exceptionally useful for retrieving the data from closed systems and networks.

So, to protect against such attacks, the cybersecurity analysts have recommended some mitigations, and here they are mentioned below:-

  • Authentication of the BLE advertisement
  • Rate limiting of the location report retrieval

These are only recommendations that are provided by the researchers to remain protected against these types of attacks.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)

In the wake of the recent disclosure of a critical vulnerability (CVE-2024-3400) affecting a...

Cerber Linux Ransomware Exploits Atlassian Servers to Take Full Control

Security researchers at Cado Security Labs have uncovered a new variant of the Cerber...

FGVulDet – New Vulnerability Detector to Analyze Source Code

Detecting source code vulnerabilities aims to protect software systems from attacks by identifying inherent...

North Korean Hackers Abuse DMARC To Legitimize Their Emails

DMARC is targeted by hackers as this serves to act as a preventative measure...

L00KUPRU Ransomware Attackers discovered in the wild

A new variant of the Xorist ransomware, dubbed L00KUPRU, has been discovered in the...

Oracle Releases Biggest Security Update in 2024 – 372 Vulnerabilities Are Fixed – Update Now!

Oracle has released its April 2024 Critical Patch Update (CPU), addressing 372 security vulnerabilities...

Outlook Login Panel Themed Phishing Attack Evaded All Antivirus Detections

Cybersecurity researchers have uncovered a new phishing attack that has bypassed all antivirus detections.The...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles