Vulnerabilities identified in offline finding (OF) — Apple’s proprietary crowd-sourced location tracking system — could be abused for user identification, researchers said in a report released this month.
Introduced in 2019, the system relies on the Bluetooth Low Energy (BLE) technology for the detection of ‘lost’ devices, and on the Internet connection of so-called ‘finder’ devices to report on their location back to the owner.
With “hundreds of millions” of devices part of Apple’s OF network, this represents the largest crowd-sourced location tracking system in the world, one that is expected to grow even further, as support for non-Apple devices is added to it.
Apple claims anonymity of finders, says that device owners can’t be tracked, and that location reports are confidential, but a group of academic researchers with the Technical University of Darmstadt, Germany, identified vulnerabilities that could potentially lead to user identification.
Overall, they say, the system delivers on its promise for security and privacy, but two design and implementation flaws could allow for location correlation attacks, as well as for unauthorized access to the past seven days’ location history, thus essentially resulting in user deanonymization.
“We find that the overall design achieves Apple’s specific goals. However, we discovered two distinct design and implementation vulnerabilities that seem to be outside of Apple’s threat model but can have severe consequences for the users,” the academics note in their research paper.
The researchers found that different owners’ locations could be correlated, provided that they are reported by the same ‘finder,’ which would essentially allow Apple to construct a social graph.
Furthermore, they discovered that, because “cached rolling advertisement keys are stored on the file system in clear text,” it was possible for a malicious macOS application to retrieve and decrypt location reports for the past seven days for all users and devices.
“Apple as the service provider could infer that two or more owners have been in close proximity to each other as OF uses identifiable information in both upload and download requests. Law enforcement agencies could exploit this issue to deanonymize participants of (political) demonstrations even when participants put their phones in flight mode,” the researchers note.
Exploitation of this vulnerability, however, is only possible if the victims have requested the location of their devices using the Find My application. The issue is that the identities of the finder and owner devices are revealed when location reports are downloaded or uploaded, the researchers explain.
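To make the correlation risk concrete, the following Go program is an added example (not code from the researchers or from Apple) that models the metadata the article says the service provider sees: which finder uploaded a report and which owner later requested it. The request records are constructed for this example, and the 15-minute window is an assumption chosen to match the key rotation interval; the point for a privacy review is that once upload and download requests carry stable finder and owner identifiers, a simple grouping by finder is all it takes to turn location reports into an owner-to-owner proximity graph.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Request is the per-request metadata the article says is identifiable:
// the finder that uploaded a report and the owner who downloaded it.
type Request struct {
	Finder string
	Owner  string
	At     time.Time
}

// Pair is an unordered owner pair, stored with A < B.
type Pair struct{ A, B string }

// coLocatedOwners returns every pair of distinct owners whose reports came
// from the same finder within `window` of each other. This is the inference
// the researchers describe; nothing here needs the report contents.
func coLocatedOwners(reqs []Request, window time.Duration) []Pair {
	byFinder := map[string][]Request{}
	for _, r := range reqs {
		byFinder[r.Finder] = append(byFinder[r.Finder], r)
	}
	seen := map[Pair]bool{}
	for _, rs := range byFinder {
		for i := 0; i < len(rs); i++ {
			for j := i + 1; j < len(rs); j++ {
				a, b := rs[i], rs[j]
				if a.Owner == b.Owner {
					continue
				}
				d := a.At.Sub(b.At)
				if d < 0 {
					d = -d
				}
				if d > window {
					continue
				}
				p := Pair{a.Owner, b.Owner}
				if p.A > p.B {
					p.A, p.B = p.B, p.A
				}
				seen[p] = true
			}
		}
	}
	out := make([]Pair, 0, len(seen))
	for p := range seen {
		out = append(out, p)
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].A != out[j].A {
			return out[i].A < out[j].A
		}
		return out[i].B < out[j].B
	})
	return out
}

// sampleRequests is constructed data for the example: three finders, four
// owners. Only alice/bob (via F1) and alice/dave (via F2) fall inside the
// window; carol's report from F1 is hours later.
func sampleRequests() []Request {
	t0 := time.Date(2020, 9, 1, 12, 0, 0, 0, time.UTC)
	return []Request{
		{"F1", "alice", t0},
		{"F1", "bob", t0.Add(5 * time.Minute)},
		{"F1", "carol", t0.Add(3 * time.Hour)},
		{"F2", "dave", t0},
		{"F2", "alice", t0.Add(2 * time.Minute)},
		{"F3", "bob", t0.Add(1 * time.Hour)},
	}
}

func main() {
	for _, p := range coLocatedOwners(sampleRequests(), 15*time.Minute) {
		fmt.Printf("%s and %s were near the same finder\n", p.A, p.B)
	}
}
```

Removing the stable identifiers from the upload and download paths, rather than hiding the report contents, is what breaks this grouping; the contents are already encrypted and play no part in it.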
Additionally, the researchers discovered a security flaw in the OF implementation on macOS, which could allow a malicious application to access the location of all owner devices, without consent, completely circumventing Apple’s restricted location API. Furthermore, location history can be abused to generate profiles and identify users.
The system, the researchers explain, assumes that the private part of a device’s advertisement keys is known to the user alone, and these keys change every 15 minutes. With OF allowing for the retrieval of location reports for a week, potential location reports for a total of 672 advertisement keys exist on Apple’s servers.
These advertisement keys are cached, likely for performance reasons, and on macOS they are stored in a directory accessible by the local user and any application running with user privileges. The cache files are inaccessible on iOS.
The researchers explain that a malicious application that runs with user privileges could access the key cache directory and read advertisement keys or exfiltrate them to the attacker, without additional user interaction other than launching the app.
Armed with the owner’s keys, the attacker could download the victim’s location reports on their machine, and use the same keys to decrypt these reports.
“The attack essentially allows any third-party application to bypass Apple’s Core Location API that enforces user consent before an application can access the device’s location. Moreover, the attacker can access the location history of the past seven days of all the owner’s devices,” the researchers explain.
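The mechanism behind this is worth seeing in code. The Go program below is an added illustration, not Apple's protocol or the researchers' code: the curve (X25519), the SHA-256 key derivation, AES-GCM and the report layout are all assumptions chosen to model the property the article describes. A finder encrypts its location to the public half of the key the lost device advertised; the owner decrypts with the private half of the key for that 15-minute slot; and a week of reports spans 672 such keys. Anything that can read those private keys, whether the owner's Find My client or a process reading a plaintext cache, has exactly the same decryption capability, which is why the cache must be protected like private key material and not like ordinary application state. The coordinates are a constructed sample.

```go
package main

// Added model of the offline-finding report flow. Not Apple's protocol: curve,
// KDF, AEAD and report format are assumptions chosen to show one property:
// the private half of a rolling advertisement key decrypts every report to it.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// A new advertisement key every 15 minutes (figure quoted in the article).
const rotationsPerHour = 4

// keysInWindow: rolling keys covering `days` of reports (672 for one week).
func keysInWindow(days int) int {
	return days * 24 * rotationsPerHour
}

// Report is what a finder uploads; on its own it names neither party.
type Report struct {
	FinderPub  []byte
	Nonce      []byte
	Ciphertext []byte
}

var curve = ecdh.X25519()

// aeadFor derives AES-256-GCM from an ECDH secret (SHA-256 stands in for a KDF).
func aeadFor(shared []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptReport is the finder side: it knows only the advertised public key.
func encryptReport(advertisedPub []byte, location string) (Report, error) {
	ownerPub, err := curve.NewPublicKey(advertisedPub)
	if err != nil {
		return Report{}, err
	}
	eph, err := curve.GenerateKey(rand.Reader) // fresh key pair per report
	if err != nil {
		return Report{}, err
	}
	shared, err := eph.ECDH(ownerPub)
	if err != nil {
		return Report{}, err
	}
	aead, err := aeadFor(shared)
	if err != nil {
		return Report{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Report{}, err
	}
	return Report{eph.PublicKey().Bytes(), nonce, aead.Seal(nil, nonce, []byte(location), nil)}, nil
}

// decryptReport is the owner side. It needs the private key of the report's
// slot; a process that reads that key from a cache gets the same capability.
func decryptReport(priv *ecdh.PrivateKey, r Report) (string, error) {
	finderPub, err := curve.NewPublicKey(r.FinderPub)
	if err != nil {
		return "", err
	}
	shared, err := priv.ECDH(finderPub)
	if err != nil {
		return "", err
	}
	aead, err := aeadFor(shared)
	if err != nil {
		return "", err
	}
	plain, err := aead.Open(nil, r.Nonce, r.Ciphertext, nil)
	if err != nil {
		return "", fmt.Errorf("not decryptable with this key: %w", err)
	}
	return string(plain), nil
}

func main() {
	slotKey, _ := curve.GenerateKey(rand.Reader)  // one of the week's 672 keys
	otherKey, _ := curve.GenerateKey(rand.Reader) // a different slot's key
	rep, _ := encryptReport(slotKey.PublicKey().Bytes(), "49.8728,8.6512") // constructed sample fix
	loc, err := decryptReport(slotKey, rep)
	fmt.Println("slot key:", loc, err)
	_, err = decryptReport(otherKey, rep)
	fmt.Println("other key:", err, "| keys per week:", keysInWindow(7))
}
```

Run as is, the program decrypts the report with the slot key, fails authentication with any other key, and prints 672 for the seven-day window; the defender's takeaway is that the confidentiality of the whole week of location history rests on nothing but those 672 private values.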
The identified flaws were responsibly disclosed to Apple, which released a patch in September 2020. Apple refers to the bug as CVE-2020-9986, describing it as “a file access issue” that was addressed with improved access restrictions.