Security Researcher Exploits Find My Network in Order to Send Messages


Apple's Find My network is tightly integrated with the company's products and is the tool you rely on when an iPhone, an iPad or even a Mac goes missing. While the network is generally considered secure, a security researcher has successfully exploited it and used it to send messages as well as other data. The details of the scenario follow below.

A Security Researcher Used the Find My Network Exploit to Send Messages and Other Data

Security researcher Fabian Bräunlein has found an exploit in Apple's Find My network that turns it into a data transfer medium. The exploit lets a device with no internet connection of its own upload arbitrary data by way of nearby Apple devices. Because the Find My network relies on other active iOS devices as relay nodes for location data, the researcher was able to route messages through it.


In his blog post, Fabian Bräunlein explains that it is possible to manipulate how an AirTag connects to the Find My network and how the resulting location data is shown. An AirTag reaches the Find My network through encrypted broadcasts; when the data those broadcasts normally carry is swapped for a message, the message travels hidden inside the broadcast traffic.

Find My Network Exploit

The blog post lays out how the Find My network works in practice, step by step:

  1. When pairing an AirTag with an Apple device, an Elliptic Curve key pair is generated and the public key is pushed to the AirTag (along with a shared secret used to generate rolling public keys).
  2. Every 2 seconds, the AirTag sends a Bluetooth Low Energy broadcast with the public key as content (the key changes every 15 minutes, deterministically, using the previously shared secret).
  3. Nearby iPhones, MacBooks, etc. recognize the Find My broadcast, retrieve their current location, encrypt the location with the broadcasted public key (using ECIES) and upload the encrypted location report.
  4. During a device search, the paired Owner Device generates the list of rolling public keys that the AirTag would have used in the last few days and queries an Apple service for their SHA256 hashes. The Apple backend returns the encrypted location reports for the requested key IDs.
  5. The Owner Device decrypts the location reports and shows an approximate location.
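To make the five steps concrete, here is a small Go model of the flow, written as an added example for this article and not taken from Apple or from Bräunlein's code. It assumes the P-256 curve, uses AES-GCM keyed by SHA-256 of the ECDH secret as a stand-in for ECIES, and derives each period's key from the pairing secret on both sides, whereas Apple's real scheme uses elliptic-curve point arithmetic so that the tag never holds a private key; the pairing secret, location string and period numbers are constructed test values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Report is what a finder uploads (step 3): its ephemeral public key, AES-GCM nonce and ciphertext.
type Report struct{ Eph, Nonce, CT []byte }
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// RollingKey models step 2. Simplification: both sides derive the period scalar as HMAC(pairing secret, period);
// Apple's real scheme uses EC point arithmetic so the tag itself never holds a private key.
func RollingKey(secret []byte, period uint16) *ecdh.PrivateKey {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte{byte(period >> 8), byte(period)})
	return must(ecdh.P256().NewPrivateKey(m.Sum(nil))) // fails only for scalar 0 or >= order (~2^-128)
}
// EncryptLocation is the finder side: it needs only the broadcast public key, so neither the finder nor the backend sees the plaintext.
func EncryptLocation(tagPub *ecdh.PublicKey, location string) Report {
	eph := must(ecdh.P256().GenerateKey(rand.Reader))
	key := sha256.Sum256(must(eph.ECDH(tagPub))) // ECIES KDF simplified to SHA-256 of the ECDH secret
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return Report{eph.PublicKey().Bytes(), nonce, gcm.Seal(nil, nonce, []byte(location), tagPub.Bytes())}
}
// KeyID is the backend index (step 4): SHA-256 of the broadcast public key.
func KeyID(pub *ecdh.PublicKey) [32]byte { return sha256.Sum256(pub.Bytes()) }
// RecoverLocation is the owner side (steps 4-5): regenerate recent rolling keys, fetch each key's report by hash, decrypt.
func RecoverLocation(secret []byte, backend map[[32]byte]Report, periods uint16) (string, bool) {
	for p := uint16(0); p < periods; p++ {
		priv := RollingKey(secret, p)
		if r, ok := backend[KeyID(priv.PublicKey())]; ok {
			key := sha256.Sum256(must(priv.ECDH(must(ecdh.P256().NewPublicKey(r.Eph)))))
			gcm := must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
			pt, err := gcm.Open(nil, r.Nonce, r.CT, priv.PublicKey().Bytes())
			return string(pt), err == nil // false: report tampered with or filed under the wrong key
		}
	}
	return "", false
}
```

The owner never tells the backend which key it holds the private half of; it only asks for hashes, which is why the same lookup also works for anyone who derives a key merely to have reports filed under it.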

We are not sure if the Find My network exploit can be used maliciously or in a way that harms devices. What we do know so far is that it can be used to send messages and other data. We will update you guys as soon as we have word from the company and whether it is looking to fix it.

You can check out the entire blog post from the security researcher for more details on the scenario. What are your views on the Find My network exploit? Share your insights in the comments.