How to track anyone via the Find My network

[harlan4096]

Apple’s Find My network can be exploited to remotely track other vendors’ Android, Windows, and Linux devices.
 
AirTags are a popular tracking device used by anyone from forgetful key owners to those with malicious intent, such as jealous spouses and car thieves. Using AirTags for spying is simple: a tag is discreetly placed on the target to allow their movements to be conveniently monitored using Apple Find My. We’ve even added protection from AirTag-based tracking to our products for Android.

But a recent study by security researchers has surprisingly found that remote tracking doesn’t even depend on buying an AirTag or ever being physically near the target. If you manage to sneak special malware onto someone’s Windows, Android, or Linux device (like a computer or phone), it could use the device’s Bluetooth to send out a signal that nearby Apple devices would think is coming from an AirTag. Essentially, for Apple devices, the infected phone or computer effectively becomes an oversized AirTag – trackable via the Find My network, which boasts over a billion Apple phones and tablets.

Anatomy of the attack

The attack exploits two features of the Find My technology.

Firstly, this network uses end-to-end encryption – so participants don’t know whose signals they’re relaying. To exchange information, an AirTag and its owner’s phone rely on a pair of cryptographic keys. When a lost AirTag broadcasts its “callsigns” via Bluetooth, Find My network “detectors” (that is, any Apple device with Bluetooth and internet access, regardless of who owns it) simply transmit AirTag’s geolocation data to Apple servers. The data is encrypted with the lost AirTag’s public key.

Then, any device can ask for the encrypted location data from the server. And because it’s encrypted, Apple doesn’t know who the signal belongs to, or which device asked for it. The crucial point here is that one can only decrypt the data and find out both whose AirTag it is and its exact location by having the corresponding private key. Therefore, this data is only useful to the owner of the smartphone paired with this AirTag.

Another feature of Find My is that detectors don’t verify whether the location signal indeed originated with an Apple device. Any devices that support Bluetooth Low Energy (BLE) can broadcast it.

Continue Reading...