Security News > 2021 > March > Bug in Apple's Find My Feature Could've Exposed Users' Location Histories
Cybersecurity researchers on Thursday disclosed two distinct design and implementation flaws in Apple's crowdsourced Bluetooth location tracking system that can lead to a location correlation attack and unauthorized access to the location history of the past seven days, thereby deanonymizing users.
Apple devices come with a feature called Find My that makes it easy for users to locate other Apple devices, including iPhone, iPad, iPod touch, Apple Watch, Mac, or AirPods.
What's more interesting is the technology that undergirds Find My. Called offline finding and introduced in 2019, the location tracking feature broadcasts Bluetooth Low Energy signals from Apple devices, allowing other Apple devices in close proximity to relay their location to Apple's servers.
In the final step, Apple sends this encrypted location of the lost device to a second Apple device signed in with the same Apple ID, from where the owner can use the Find My app to decrypt the reports using the corresponding private key and retrieve the last known location, with the companion device uploading the same hash of the public key to find a match in Apple's servers.
OWL researchers said the design allows Apple - in lieu of being the service provider - to correlate different owners' locations if their locations are reported by the same finder devices, effectively allowing Apple to construct what they call a social graph.
A second outcome of the investigation is an app that's designed to let any user create an "AirTag." Called OpenHaystack, the framework allows for tracking personal Bluetooth devices via Apple's massive Find My network, enabling users to create their own tracking tags that can be appended to physical objects or integrated into other Bluetooth-capable devices.