Apple’s “Find My Network” Can be Abused to Exfiltrate Data From Nearby Apple Devices

The security experts at Positive Security have recently detected a new exploit known as Send My in Apple’s Find My network for data transfer. 

Apple’s Find My network is a crowdsourced location tracking system, and it works via Bluetooth Low Energy (BLE), so, it works even if the device is not connected to the internet and if there is no data connection.

To keep it active it broadcast a special Bluetooth signal outside, that can be detected and recognized by other nearby Apple devices. Such signals are sent even in sleep mode and then transmitted by other users to Apple servers.

Send My exploit

The cybersecurity researchers experts from the Darmstadt University of Technology in Germany published a research paper in March of this year that scattered light on several vulnerabilities.

While the specialists at Positive Security firm were able to develop an idea after analyzing the research paper of the Technical University of Darmstadt to exploit Apple’s Find My network. 

As a result, they manage to develop an exploit, “Send My,” to perform an attack on Apple’s Find My network to transfer arbitrary data from the nearby Apple devices.

Fabian Bräunlein, the co-founder of Positive Security has claimed that the connection between the AirTag and the Apple device is always secured with an Elliptic Curve key pair, but, the twist comes here is that the owner’s device isn’t able to identify which key AirTag is using.

For this, a whole list of keys that have recently been used by AirTag is generated, and their SHA256 hashes are also requested from Apple’s Find My network.

Here, the mentioned location reports can only be decrypted with the correct private key, however, the researchers found that they can check if reports exist for a specific SHA256 hash in principle.

To support this proof-of-concept the analysts have used ESP32 microcontroller firmware-based tool, “OpenHaystack” and macOS application designed to retrieve, decode and display transmitted data.

And here to retrieve the data from a macOS device, you need to use the Apple Mail plugin, which works with elevated privileges. Not only that, even the user must install the OpenHaystack tool and run the DataFetcher for the macOS app created by BRÄUNLEIN to view such unauthorized broadcasts.

Apart from this, the Send My attack can hardly be called high-speed arbitrary data transmission exploit, as the average data transfer rate of this attack is about 3 bytes per second. 

While the data transfer occurs with a delay of 1 to 60 minutes, depending on the number of nearby Apple devices.

Mitigation

The co-founder of the Positive Security, FABIAN BRÄUNLEIN believes that with the help of the Send My attack, it is possible to create an analogue of the  Amazon Sidewalk based on Apple’s network infrastructure. 

However, the Send My exploit can be exceptionally useful for retrieving the data from closed systems and networks.

So, to protect against such attacks, the cybersecurity analysts have recommended some mitigations, and here they are mentioned below:-

• Authentication of the BLE advertisement
• Rate limiting of the location report retrieval

These are only recommendations that are provided by the researchers to remain protected against these types of attacks.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.