Wednesday, December 6, 2023

Apple’s “Find My Network” Can be Abused to Exfiltrate Data From Nearby Apple Devices

The security experts at Positive Security have recently detected a new exploit known as Send My in Apple’s Find My network for data transfer. 

Apple’s Find My network is a crowdsourced location tracking system, and it works via Bluetooth Low Energy (BLE), so, it works even if the device is not connected to the internet and if there is no data connection.

To keep it active it broadcast a special Bluetooth signal outside, that can be detected and recognized by other nearby Apple devices. Such signals are sent even in sleep mode and then transmitted by other users to Apple servers.

Send My exploit

The cybersecurity researchers experts from the Darmstadt University of Technology in Germany published a research paper in March of this year that scattered light on several vulnerabilities.

While the specialists at Positive Security firm were able to develop an idea after analyzing the research paper of the Technical University of Darmstadt to exploit Apple’s Find My network. 

As a result, they manage to develop an exploit, “Send My,” to perform an attack on Apple’s Find My network to transfer arbitrary data from the nearby Apple devices.

Fabian Bräunlein, the co-founder of Positive Security has claimed that the connection between the AirTag and the Apple device is always secured with an Elliptic Curve key pair, but, the twist comes here is that the owner’s device isn’t able to identify which key AirTag is using.

For this, a whole list of keys that have recently been used by AirTag is generated, and their SHA256 hashes are also requested from Apple’s Find My network.

Here, the mentioned location reports can only be decrypted with the correct private key, however, the researchers found that they can check if reports exist for a specific SHA256 hash in principle.

To support this proof-of-concept the analysts have used ESP32 microcontroller firmware-based tool, “OpenHaystack” and macOS application designed to retrieve, decode and display transmitted data.

And here to retrieve the data from a macOS device, you need to use the Apple Mail plugin, which works with elevated privileges. Not only that, even the user must install the OpenHaystack tool and run the DataFetcher for the macOS app created by BRÄUNLEIN to view such unauthorized broadcasts.

Apart from this, the Send My attack can hardly be called high-speed arbitrary data transmission exploit, as the average data transfer rate of this attack is about 3 bytes per second. 

While the data transfer occurs with a delay of 1 to 60 minutes, depending on the number of nearby Apple devices.


The co-founder of the Positive Security, FABIAN BRÄUNLEIN believes that with the help of the Send My attack, it is possible to create an analogue of the  Amazon Sidewalk based on Apple’s network infrastructure. 

However, the Send My exploit can be exceptionally useful for retrieving the data from closed systems and networks.

So, to protect against such attacks, the cybersecurity analysts have recommended some mitigations, and here they are mentioned below:-

  • Authentication of the BLE advertisement
  • Rate limiting of the location report retrieval

These are only recommendations that are provided by the researchers to remain protected against these types of attacks.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

BlueNoroff: New Malware Attacking MacOS Users

Researchers have uncovered a new Trojan-attacking macOS user that is associated with the BlueNoroff APT...

Serpent Stealer Acquires Browser Passwords and Erases Intrusion Logs

Beneath the surface of the cyber realm, a silent menace emerges—crafted with the precision...

Doppelgänger: Hackers Employ AI to Launch Highly sophistication Attacks

It has been observed that threat actors are using AI technology to conduct illicit...

Kali Linux 2023.4 Released – What’s New!

Kali Linux 2023.4, the latest version of Offensive Security's renowned operating system, has been...

Trickbot Malware Developer Pleads Guilty & Faces 35 Years in Prison

A 40-year-old Russian national, Vladimir Dunaev, pleaded guilty for developing and deploying Trickbot malware....

ICANN Launches RDRS to Assist Law Enforcement Agencies to Discover Private Info

ICANN is a non-profit organization that is responsible for coordinating the global internet's-DNSIP address...

Hackers Use Weaponized Documents to Attack U.S. Aerospace Industry

An American aerospace company has been the target of a commercial cyberespionage campaign dubbed...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles