
Researchers Abuse Apple’s Find My Network for Data Upload

Security researchers have discovered a way to leverage Apple’s Find My’s Offline Finding network to upload data from devices, even those that do not have a Wi-Fi or mobile network connection.

Using Bluetooth Low Energy, the data is being sent to nearby Apple devices that do connect to the Internet, and then sent to Apple’s servers, from where it can be retrieved at a later date.

The technique could be used to avoid the costs and power usage associated with mobile Internet, or to exfiltrate data from Faraday-shielded sites visited by iPhone users, said researchers with Positive Security, a Berlin-based security consulting firm.

Using a March 2021 report from academic researchers with the Technical University of Darmstadt, Germany, which describes vulnerabilities in Apple’s Find My network, Positive Security found a way to leverage Find My BLE broadcasts to send data to nearby Apple devices.

[ SEE: Apple Location Tracking Flaw Could Lead to User Identification ]

Positive Security’s researchers explain that, while the connection between an AirTag and an Apple device is secured using an Elliptic Curve key pair, the owner device doesn’t know which specific key is used by the AirTag, and instead generates a list of keys that AirTag recently used, while also querying an Apple service to receive their SHA256 hashes.

“Apple does not know which public keys belong to your AirTag, and therefore which location reports were intended for you,” the researchers explained.

The location reports themselves can only be decrypted with the correct private key, but the researchers found that, without any key, they could check whether reports exist for a specific SHA256 hash, and even add reports under a specific SHA256 hash.

“We can set arbitrary bits in the shared key-value store and query them again. If both the sender and receiver agree on an encoding scheme, we can transfer arbitrary data,” the researchers explain.

For their setup, the researchers, who published proof-of-concept code on GitHub, used the ESP32 microcontroller, an OpenHaystack-based firmware, and a macOS application designed to retrieve, decode, and display the transmitted data.

The sending rate is roughly 3 bytes/second, though higher speeds could be achieved. Latency ranged from 1 to 60 minutes, depending on the number of nearby devices.

The technique may be used to upload sensor readings or other data from IoT devices or to exfiltrate information from air-gapped systems, and even to deplete nearby iPhones’ mobile data plans (by broadcasting many unique public keys).

To mitigate such an attack, Apple could authenticate the BLE advertisements (the current setup doesn’t differentiate between real and spoofed AirTags) and rate limit location report retrieval.
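To make the two points above concrete (the shared key-value store that lets a sender set and a receiver query bits, and why a retrieval rate limit bounds the channel), here is a small Python model. It is an added illustration written for this page, not Positive Security’s proof-of-concept and not Apple’s service: `ReportStore`, `bit_key_hash`, the length-header framing and the per-requester query cap are all constructed assumptions, and the key hashes are derived from labels rather than from real elliptic-curve keys so the model runs offline.

```python
import hashlib
from collections import defaultdict


class ReportStore:
    """Stand-in for the location-report service (hypothetical model).

    It records the SHA256 hashes of public keys for which at least one
    (encrypted) report was uploaded and answers "does a report exist for
    this hash?" queries. Optionally it caps how many such queries one
    requester may issue per time window, i.e. the rate-limiting mitigation.
    """

    def __init__(self, max_queries_per_window=None):
        self._hashes_with_reports = set()
        self.max_queries_per_window = max_queries_per_window
        self._queries = defaultdict(int)  # requester -> queries in this window

    def upload_report(self, pubkey_hash: bytes) -> None:
        # Unauthenticated: any broadcast key ends up with a report under its hash.
        self._hashes_with_reports.add(pubkey_hash)

    def has_report(self, requester: str, pubkey_hash: bytes) -> bool:
        limit = self.max_queries_per_window
        if limit is not None:
            if self._queries[requester] >= limit:
                raise PermissionError(f"{requester}: query limit {limit} reached")
            self._queries[requester] += 1
        return pubkey_hash in self._hashes_with_reports

    def new_window(self) -> None:
        self._queries.clear()


def bit_key_hash(message_id: str, byte_index: int, bit_index: int) -> bytes:
    """Constructed encoding scheme both sides agree on: one key hash per
    (message, byte, bit) position. Derived from a label, not an EC key."""
    return hashlib.sha256(f"{message_id}/{byte_index}/{bit_index}".encode()).digest()


def send(store: ReportStore, message_id: str, payload: bytes) -> int:
    """Encode payload into the store: byte 0 is a length header, then the data.
    A 1-bit is 'a report exists for this key'; a 0-bit is its absence.
    Returns the number of reports uploaded (the number of 1-bits)."""
    if len(payload) > 255:
        raise ValueError("single-byte length header supports at most 255 bytes")
    framed = bytes([len(payload)]) + payload
    uploaded = 0
    for byte_index, byte in enumerate(framed):
        for bit_index in range(8):
            if (byte >> bit_index) & 1:
                store.upload_report(bit_key_hash(message_id, byte_index, bit_index))
                uploaded += 1
    return uploaded


def _read_byte(store: ReportStore, requester: str, message_id: str, byte_index: int) -> int:
    # Eight existence queries per byte; no private key is ever needed.
    value = 0
    for bit_index in range(8):
        if store.has_report(requester, bit_key_hash(message_id, byte_index, bit_index)):
            value |= 1 << bit_index
    return value


def receive(store: ReportStore, requester: str, message_id: str) -> bytes:
    """Decode a message using existence queries only. Raises PermissionError
    if the store's per-window query cap is hit before the message is complete."""
    length = _read_byte(store, requester, message_id, 0)
    return bytes(_read_byte(store, requester, message_id, i) for i in range(1, length + 1))


def max_payload_bytes_per_window(max_queries: int) -> int:
    """Upper bound on payload a rate-limited receiver can decode per window:
    eight queries per byte, with one byte spent on the length header."""
    return max(0, max_queries // 8 - 1)


if __name__ == "__main__":
    open_store = ReportStore()
    send(open_store, "msg-1", b"sensor:23.5C")
    print(receive(open_store, "reader", "msg-1"))  # b'sensor:23.5C'

    limited = ReportStore(max_queries_per_window=32)
    send(limited, "msg-2", b"sensor:23.5C")  # 13 framed bytes = 104 queries needed
    try:
        receive(limited, "reader", "msg-2")
    except PermissionError as err:
        print("blocked:", err)
    print("bytes/window at 32 queries:", max_payload_bytes_per_window(32))  # 3
```

The model makes the two mitigations visible. Uploading needs no authentication, which is why `upload_report` accepts any hash; authenticating advertisements would close that path. A query cap does not stop the channel outright, but it turns the "1 to 60 minutes" latency into a hard ceiling of `max_queries // 8 - 1` bytes per window per requester, which is the bound a defender would tune.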

Related: Flaws in Apple Location Tracking System Could Lead to User Identification

Related: ‘Find My Mobile’ Vulnerabilities in Samsung Galaxy Phones 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
