Interesting Hack of Apple Find My - ThreatWire

By Shannon Morse, ThreatWire 

Find My, Apple’s super handy tool that can help you find your lost iOS and macOS devices, has a security vulnerability. Positive Security researcher Fabian Braunlein is credited with finding it and developing a proof of concept, called Send My, that shows the problem in action. In it, they show that, quote, “It's possible to upload arbitrary data from non-internet-connected devices by sending Find My BLE broadcasts to nearby Apple devices that then upload the data for you”. Given the use case, the researcher also noted that Apple is unlikely to be able to prevent this.

They used a microcontroller and a custom-designed macOS app based on OpenHaystack that broadcasts data using BLE. The receiving device would forward any data it received, once it had an internet connection, on to an attacker’s iCloud server. This attack could potentially be used to make people exceed their data plan or to exfiltrate data from shielded sites when those sites are visited by people with iPhones. Exceeding a data plan would take a while, though, since this exploit only moves a few bytes at a time, but stealing info from air-gapped sites could be an issue.

Braunlein built on research done by a team at the Technical University of Darmstadt in Germany, with some inspiration from AirTags, to come up with this PoC. It’s sort of like emulating two AirTags: AirTags broadcast BLE data that is picked up by nearby Apple devices, which then forward that data to Apple’s servers where it can later be retrieved, so the same mechanism can be abused by an attacker.

Braunlein used an ESP32 microcontroller as a modem, broadcasting a hard-coded message. The firmware then listened on a serial interface for new data to broadcast, looping until something was received. Any nearby Apple devices with Find My enabled would potentially pick up those signals and send them along to Apple’s servers. Braunlein could then retrieve that data using their custom app, which was based on the university’s research.

TL;DR: someone could encode a message in a broadcast payload and fetch that data on the other end. Since the Find My offline packets are already encrypted, additional steps to protect this feature would be to add authentication to the BLE broadcasts and apply rate limits on location report retrievals. Finder devices can’t differentiate between a real AirTag and a clone, so AirTags can be spoofed. Authenticating those BLE advertisements would be hard to accomplish, though, since the size of the broadcasts doesn’t leave room for additional data, and the keys rotate. For rate limiting, according to Braunlein, Apple could cache the requested key IDs to ensure that only 16 new key IDs (16 is the maximum number of AirTags allowed per Apple ID) are queried per 15 minutes and Apple ID, though someone could still cycle through free Apple IDs to bypass this.
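To make the rate-limiting idea above concrete, here is an added example (not code from Positive Security, OpenHaystack or Apple) of a key-ID cache that counts only previously unseen key IDs against a per-Apple-ID budget of 16 per 15 minutes. Apple IDs, key IDs and timestamps are constructed; how Apple's real backend tracks report retrievals is not known, and the Apple-ID cycling caveat from the text still applies.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, Set, Tuple

WINDOW_SECONDS = 15 * 60   # 15-minute window suggested in the text
MAX_NEW_KEY_IDS = 16       # maximum AirTags per Apple ID


class KeyIdRateLimiter:
    """Per-Apple-ID cache of requested key IDs (hypothetical, simplified model).

    Re-querying a key ID already in the cache is always allowed, which keeps
    normal AirTag refreshes working.  Only new key IDs consume the budget, so
    a client cycling through hundreds of fresh key IDs to read exfiltrated
    bytes is throttled to MAX_NEW_KEY_IDS per window.
    """

    def __init__(self, window: float = WINDOW_SECONDS, limit: int = MAX_NEW_KEY_IDS):
        self.window = window
        self.limit = limit
        self._seen: Dict[str, Set[str]] = defaultdict(set)
        self._new_times: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, apple_id: str, key_id: str, now: float) -> bool:
        if key_id in self._seen[apple_id]:
            return True                      # cached: an AirTag the user already owns
        times = self._new_times[apple_id]
        while times and now - times[0] >= self.window:
            times.popleft()                  # expire new-key events outside the window
        if len(times) >= self.limit:
            return False                     # budget of new key IDs exhausted
        times.append(now)
        self._seen[apple_id].add(key_id)
        return True


def simulate(limiter: KeyIdRateLimiter,
             requests: Iterable[Tuple[float, str, str]]) -> Tuple[int, int]:
    """Replay (timestamp, apple_id, key_id) requests; return (allowed, denied)."""
    allowed = denied = 0
    for now, apple_id, key_id in requests:
        if limiter.allow(apple_id, key_id, now):
            allowed += 1
        else:
            denied += 1
    return allowed, denied


if __name__ == "__main__":
    lim = KeyIdRateLimiter()
    # Constructed traffic: a user refreshing two AirTags every 3 minutes for half an hour.
    legit = [(m * 60, "owner@example.invalid", f"tag{i}") for m in range(0, 30, 3) for i in range(2)]
    # Constructed traffic: a Send My-style client pulling 100 distinct key IDs in 100 seconds.
    churn = [(s, "mule@example.invalid", f"chunk{s}") for s in range(100)]
    print(simulate(lim, legit), simulate(lim, churn))   # -> (20, 0) (16, 84)
```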

This probably doesn’t pose much of a threat to most users, but it’s really cool nonetheless and adds to the potential issues related to AirTags.

Support ThreatWire!  https://www.patreon.com/threatwire

Links:
Apple Find My Network:
https://positive.security/blog/send-my
https://github.com/seemoo-lab/openhaystack
https://threatpost.com/apple-find-my-exploited-bluetooth/166121/
https://github.com/positive-security/send-my
https://thehackernews.com/2021/05/apples-find-my-network-can-be-abused-to.html