Security researchers use Apple's "Where is?" to track all Bluetooth devices
Can Apple's Find network be abused? US researchers say yes: it can be used to track other people's Bluetooth hardware.
Apple's AirTag is one of the devices that can use Apple's "Where is?" network.
(Image: Wachiwit/Shutterstock.com)
Apple's "Where is?" network, which can transmit the location of Apple devices such as iPhones and MacBooks, AirTags and other compatible devices via Bluetooth and ultra-wideband radio, is generally considered safe and secure. In the past, however, methods have already been found to use the network to transmit other data it was never intended to carry.
Now a team of security researchers from George Mason University in the US state of Virginia has shown that the Apple service, which is called "Find My" in English, can also be misused to track other Bluetooth devices in the vicinity that are not part of the Find network. According to researchers Qiang Zeng and Lisa Luo in their paper entitled "Find My Hacker", they have found a way to track "the location of almost every computer and mobile device". This involves combining a device's Bluetooth address with "Where is?" "to turn target devices into unwanted beacons".
Passing on location data via "Where is?" without Apple's permission
The exploit is called "nRootTag" and is said to make it possible to turn conventional Bluetooth devices into AirTag-like devices, with a success rate of "90 percent". The attack hinges on the fact that the cryptographic keys used in "Where is?" can reportedly be manipulated in such a way that the network takes a conventional Bluetooth device for a genuine AirTag. "It's scary if your smart lock is hacked, but it's even scarier if the attacker also knows the location," say the researchers.
This should also be possible entirely remotely, from a distance of thousands of kilometers if necessary, at a cost of only "a few dollars". Luo and Zeng, who are both associate professors at GMU's Department of Computer Science, have developed an efficient key search method that finds a suitable "Where is?" key for a given Bluetooth address (which is unique worldwide). This requires neither administrator rights nor privilege escalation. Instead, the attack abuses the trust that the "Where is?" network places in device signals. Normally the network changes the Bluetooth address of an AirTag or another device integrated in "Where is?" based on a cryptographic key. The attackers do not have to do this, however: they simply look for a key that matches the device's existing Bluetooth address, and, as mentioned, this works in 90 percent of cases.
Patch could take years if users do not update
This has been demonstrated with devices running Linux, Windows and Android as well as with various smart TVs and VR headsets. To find a key as quickly as possible, however, cloud-based GPUs were used, hundreds of them, to be precise. Keys found in this way can be stored in a rainbow table so that thousands of devices can ultimately be attacked simultaneously. Besides criminals, advertising companies could also come up with the idea of tracking Bluetooth devices over long distances in future, according to Junming Chen, PhD student and lead author of the study. The group plans to present the exact details of the hack at the USENIX Security Symposium in Seattle in August.
The hack can be fixed by Apple improving its device verification process. The GMU researchers provided the company with information on this back in the summer of 2024, but no details of a patch have yet been released. Another problem is that a large number of users will not update their devices, for various reasons, according to Chen. "The vulnerable 'Where is?' network will therefore continue to exist and these devices will only die out slowly. The process will take years." Apple's location network is just as widespread as the AirTags because the devices are very inexpensive. Macs, iPhones, iPads and other Apple devices are used to share data, including the location of devices, without the user specifically acknowledging this.
(bsc)