Tuesday, April 29, 2025

New “nRootTag” Attack Turns 1.5 Billion iPhones into Free Tracking Tools


Security researchers have uncovered a novel Bluetooth tracking vulnerability in Apple’s Find My network – the system powering AirTags and device-finding capabilities across iPhones, iPads, and Macs.

Dubbed “nRootTag,” the attack transforms nearly any Bluetooth-enabled computer or smartphone into an invisible tracking beacon using Apple’s infrastructure.

With over 1.5 billion active Apple devices globally, this exploit threatens to weaponize the world’s largest device-locating network for unauthorized surveillance.


Exploiting Find My’s Offline Finding Protocol

The attack exploits foundational design choices in Apple’s Find My offline finding system, originally developed to help recover lost devices anonymously.

Figure: Overview of Find My Offline Finding

When an AirTag separates from its owner, it broadcasts encrypted Bluetooth Low Energy (BLE) “lost messages” containing public key hashes.

Nearby Apple devices automatically relay these signals to Apple’s servers along with location data, creating a crowd-sourced tracking network.

Researchers discovered that Apple does not authenticate whether lost messages originate from genuine Apple devices.

This oversight allows malicious actors to inject spoofed BLE advertisements into the network.

“Any device broadcasting these signals becomes trackable through Find My, regardless of manufacturer,” explains the research team behind nRootTag.

How nRootTag Bypasses Security Measures

The attack architecture operates through three stages: compromised devices, server infrastructure, and cryptographic brute-forcing.

Figure: nRootTag attack architecture

First, malware running on a target computer (requiring no special permissions) harvests its Bluetooth MAC address and requests a matching public/private key pair from an attacker-controlled server.

This server either precomputes possible combinations using rainbow tables or performs on-the-fly brute-force searches at scale.

Once paired, the compromised device broadcasts spoofed Apple-compatible BLE signals. Nearby iPhones then unwittingly relay its location to Apple’s servers.

Attackers retrieve this data by querying Apple’s API with the public key hash and decrypting reports using their held private key.

Testing showed a 90% success rate in pinpointing devices within minutes at an operational cost under $5.

Cross-Platform Vulnerability and Computational Power

nRootTag’s danger stems from its platform-agnostic nature. While demonstrated on Linux, Windows, and Android systems, researchers warn that smart appliances, medical devices, and other IoT products with Bluetooth capabilities could also be co-opted.

The team benchmarked GPU clusters to determine attack feasibility, finding consumer-grade hardware like NVIDIA’s RTX 3080 sufficient for rapid key generation.

However, data center-grade A100 and H100 GPUs reduced search times from hours to minutes.

Apple addressed the vulnerability in recent iOS, macOS, and watchOS updates (versions 15.2–18.2). Patches now validate device signatures in Find My network relays.

Nevertheless, researchers emphasize that billions of unpatched devices remain vulnerable. “As long as one outdated iPhone exists near a tracked device, the attack succeeds,” the paper notes.

They urge enterprises to audit Bluetooth-enabled assets and implement network monitoring for anomalous BLE traffic.
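As an added defensive illustration (not code from the article or from the nRootTag researchers), the script below parses constructed BLE scan records, recognises the Find My offline-finding advertisement layout described above (the byte layout is the one documented by the open-source OpenHaystack project), and flags advertisers that a monitoring rule for anomalous BLE traffic, as the researchers recommend, would treat as suspect. The two heuristics and the sample records are assumptions of this example, not findings from the paper.

```python
from collections import defaultdict

APPLE_COMPANY_ID = b"\x4c\x00"   # 0x004C little-endian, per the OpenHaystack format
OFFLINE_FINDING_TYPE = 0x12
OFFLINE_FINDING_LEN = 0x19       # 25 bytes of payload follow

def parse_offline_finding(adv: bytes):
    """Return the fields of a Find My offline-finding advert, or None if it is not one."""
    if len(adv) < 31 or adv[0] != 0x1E or adv[1] != 0xFF:   # manufacturer-specific AD structure
        return None
    if adv[2:4] != APPLE_COMPANY_ID or adv[4] != OFFLINE_FINDING_TYPE or adv[5] != OFFLINE_FINDING_LEN:
        return None
    # Bytes 7..28 carry public-key bytes 6..27; the first six key bytes are the advertising
    # address itself, which is why nRootTag needs a key pair matching the device's MAC.
    return {"status": adv[6], "key_tail": adv[7:29], "key_top_bits": adv[29] & 0x03, "hint": adv[30]}

def is_random_static(addr: bytes) -> bool:
    """Genuine accessories advertise from a random static address (top two bits 0b11)."""
    return (addr[0] & 0xC0) == 0xC0

def analyse(observations):
    """observations: (addr, txadd_is_random, adv_hex) triples taken from a BLE scan log."""
    per_addr = defaultdict(lambda: {"findmy": 0, "other_vendors": set(), "plausible": True})
    for addr_hex, txadd_random, adv_hex in observations:
        addr, adv, rec = bytes.fromhex(addr_hex.replace(":", "")), bytes.fromhex(adv_hex), per_addr[addr_hex]
        if parse_offline_finding(adv):
            rec["findmy"] += 1
            rec["plausible"] &= txadd_random and is_random_static(addr)
        elif len(adv) >= 4 and adv[1] == 0xFF:          # some other vendor's beacon
            rec["other_vendors"].add(adv[2:4].hex())
    alerts = []
    for addr_hex, rec in per_addr.items():
        reasons = []
        if rec["findmy"] and not rec["plausible"]:
            reasons.append("Find My payload sent from a public (fixed) address")
        if rec["findmy"] and rec["other_vendors"]:
            reasons.append("same address also advertises vendor id(s) " + ",".join(sorted(rec["other_vendors"])))
        if reasons:
            alerts.append((addr_hex, reasons))
    return alerts

# Constructed sample: one AirTag-like advertiser and one laptop with a fixed public MAC
# that has been paired with a brute-forced key (the nRootTag pattern described above).
FINDMY_ADV = "1eff4c001219" + "00" + "11" * 22 + "01" + "00"
SAMPLE = [
    ("c4:2a:11:22:33:44", True, FINDMY_ADV),
    ("3c:58:c2:aa:bb:cc", False, FINDMY_ADV),
    ("3c:58:c2:aa:bb:cc", False, "04ff06000a"),   # Microsoft (0x0006) beacon from the same MAC
]
```

Running `analyse(SAMPLE)` reports only the second address, with both reasons; a real deployment would feed it records from a scanner such as a hcitool or bluetoothctl capture and tune the heuristics to the site's own device population.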

The researchers credited Apple’s security team for their collaborative response but warn that third-party tracking networks could replicate similar exploits.

Funded by NSF and cybersecurity initiatives, the study underscores growing privacy risks in crowd-sourced location services.

With Bluetooth permeating modern tech, nRootTag highlights how convenience-focused designs can inadvertently enable mass surveillance.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
