Keylogger keyboard leaks passwords via Apple's "Find My" location network
Originally, it is supposed to help track down lost things. However, our keylogger keyboard uses Apple's "Find My" location network to send sensitive data.
(Hier finden Sie die deutschsprachige Version des Beitrags)
Apple's "Find My" tracking network is useful for tracking down lost items with an AirTag attached. However, malicious actors can misuse it to leak data. A keyboard with a keystroke logger built by IT security expert Fabian Bräunlein now demonstrates that this actually works on a larger scale. Using such a device, malicious attackers could spy out passwords and send them to themselves - unnoticed, bypassing all security measures in the local network, via the iPhones and other Apple devices of uninvolved persons in the vicinity - a clearly punishable act under criminal law in many countries.
The "Find My" location network is based on millions and millions of iPhones, iPads and Macs. These receive Bluetooth signals from Apple AirTags, other Apple devices and compatible products and automatically report their location to the Apple cloud. Home-built devices can also participate in the location network, as researchers at TU Darmstadt discovered some time ago. However, this is a double-edged sword: While hobbyists use it to build compatible trackers based on a microcontroller like the ESP32, attackers can employ it to transmit arbitrary data that goes far beyond location - for example, passwords recorded by a keylogger.
Bräunlein discovered and criticized the fact that "Find My" harbors a certain potential for abuse as early as spring 2021. The problem still exists now, almost three years later, as Bräunlein proves with a recent experiment for which he integrated a keylogger into a USB keyboard. Everything typed into the keyboard is sent through Apple's "Find My" network to the attacker's computer, which can be located anywhere in the world. Passwords, confidential e-mails and much more would fall into the hands of the attacker.
Keyloggers have been a serious security threat for years. There are various hardware keyloggers that are plugged in between the USB keyboard and the computer and are invisible to virus protection programs. Such devices store keyboard records in their internal memory and could in many cases also transmit the tapped data to the attacker via Wi-Fi – at least in theory. However, in practice, this could be quickly detected, for example if a company monitors Wi-Fi activities on site with a monitoring solution.
Data leakage through Bluetooth
Using Bräunlein's method instead, attackers can act largely invisibly: It only sends Bluetooth low-energy packets with a short range to transmit the data, which are hardly noticeable. The packets are similar to the Bluetooth advertisements that Apple AirTags send in order to be found. When Apple devices within range receive such packets, they automatically respond by uploading location reports to Apple's "Find My" network. Based on these location reports, the attacker can reconstruct the sent data. This attack is particularly insidious because it employs the victim's own Apple devices or those of completely uninvolved persons to sneak the keylogger's data onto the Internet.
Ironically, the data transfer is possible because the "Find My" network has been strongly trimmed for data protection. The cryptography used means that neither the Apple devices nor Apple itself can determine from which AirTags the Bluetooth packets originate - and whether they are real devices at all or an attacker. The attacker cannot manipulate the content of the location report, but he can specify the hash that is used to store the location report in the Apple network, cleverly encode the bits and bytes he wishes to transmit within the hash, and retrieve it. By retrieving the location reports, he can find out what data his keylogger has sent. Since the retrieval is effecte via the Internet, the attacker can be in any location at the time.
Countermeasures?
Attacks cannot be prevented in principle due to the architecture of the tracking network. Apple could try to detect and block unusual activities. However, this could lead to a game of cat-and-mouse with the attackers. High-security areas can be enforced by requiring employees and visitors to hand over iPhones, iPads and MacBooks or at least to turn off the tracking functions. Additionally, any use of other Apple devices with activated "Find My" could be prohibited in such areas. Under iOS and iPadOS, for example, transmission is disabled via the "Find My" network switch under "Settings/[Your name]/Find My/Search for my [device]". Of course, anyone in the vicinity would also have to follow these steps.
c’t has asked Apple to comment on this vulnerability. However, we have not received a response at the time of publication.
For more information about this vulnerability, read Keylogger takes advantage of Apple's location network from c’t issue 25/23 (German language).
(dmk)
