Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Mobile & Wireless

Flaws in Apple Location Tracking System Could Lead to User Identification

Vulnerabilities identified in offline finding (OF) — Apple’s proprietary crowd-sourced location tracking system — could be abused for user identification, researchers said in a report released this month.

Vulnerabilities identified in offline finding (OF) — Apple’s proprietary crowd-sourced location tracking system — could be abused for user identification, researchers said in a report released this month.

Introduced in 2019, the system relies on the Bluetooth Low Energy (BLE) technology for the detection of ‘lost’ devices, and on the Internet connection of so-called ‘finder’ devices to report on their location back to the owner.

With “hundreds of millions” of devices part of Apple’s OF network, this represents the largest crowd-sourced location tracking system in the world, one that is expected to grow even further, as support for non-Apple devices is added to it.

Apple claims anonymity of finders, says that device owners can’t be tracked, and that location reports are confidential, but a group of academic researchers with the Technical University of Darmstadt, Germany, identified vulnerabilities that could potentially lead to user identification.

Overall, they say, the system delivers on its promise for security and privacy, but two design and implementation flaws could allow for location correlation attacks, as well as for unauthorized access to the past seven days’ location history, thus essentially resulting in user deanonymization.

“We find that the overall design achieves Apple’s specific goals. However, we discovered two distinct design and implementation vulnerabilities that seem to be outside of Apple’s threat model but can have severe consequences for the users,” the academics note in their research paper.

The researchers found that different owners’ locations could be correlated, provided that they are reported by the same ‘finder,’ which would essentially allow Apple to construct a social graph.

Furthermore, they discovered that, because “cached rolling advertisement keys are stored on the file system in clear text,” it was possible for a malicious macOS application to retrieve and decrypt location reports for the past seven days for all users and devices.

Advertisement. Scroll to continue reading.

“Apple as the service provider (could infer that two or more owners have been in close proximity to each other as OF uses identifiable information in both up-load and download requests. Law enforcement agencies could exploit this issue to deanonymize participants of (political) demonstrations even when participants put their phones in flight mode,” the researchers note.

Exploitation of this vulnerability, however, is only possible if the victims have requested the location of their devices using the Find My application. The issue is that the identity of the finder and owner devices are revealed when location reports are downloaded or uploaded, the researchers explain.

Additionally, the researchers discovered a security flaw in the OF implementation on macOS, which could allow a malicious application to access the location of all owner devices, without consent, completely circumventing Apple’s restricted location API. Furthermore, location history can be abused to generate profiles and identify users.

The system, the researchers explain, assumes that the private part of a device’s advertisement keys is known to the user alone, and these keys change every 15 minutes. With OF allowing for the retrieval of location reports for a week, potential location reports for a total of 672 advertisement keys exist on Apple’s servers.

These advertisement keys are cached, likely for performance reasons, and on macOS they are stored in a directory accessible by the local user and any application running with user privileges. The cache files are inaccessible on iOS.

The researchers explain that a malicious application that runs with user privileges could access the key cache directory and read advertisement keys or exfiltrate them to the attacker, without additional user interaction other than launching the app.

Armed with the owner’s keys, the attacker could download the victim’s location reports on their machine, and use the same keys to decrypt these reports.

“The attack essentially allows any third-party application to bypass Apple’s Core Location API that enforces user consent before an application can access the device’s location. Moreover, the attacker can access the location history of the past seven days of all the owner’s devices,” the researchers explain.

The identified flaws were responsible disclosed to Apple, which released a patch in September 2020. Apple refers to the bug as CVE-2020-9986, describing it as “a file access issue” that was addressed with improved access restrictions.

Related: Apple Patches Recent Sudo Vulnerability in macOS

Related: Apple Patches Three Actively Exploited Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

Professional services company Slalom has appointed Christopher Burger as its first CISO.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.