Apple’s ‘Find My’ Network Exploited via Bluetooth
2021-05-13 13:39

Apple's "Find My device" function for helping people track their iOS and macOS devices can be exploited to transfer data to and from random passing devices without using the internet, a security researcher has demonstrated.

Security researcher Fabian Bräunlein of Positive Security developed a proof of concept, using a microcontroller and a custom macOS app, that can broadcast data from one device to another via Bluetooth Low Energy (BLE).

Misuse of Find My in this way seems nearly impossible for Apple to prevent, given that the capability is "inherent to the privacy and security-focused design of the Find My offline finding system," Bräunlein observed.

When used over Bluetooth, Apple's Find My feature crowdsources the ability to find someone's device or item over BLE: devices communicate among themselves using location beacons.

The owner of the device can then receive location reports about devices enrolled in Apple's iCloud-based Find My iPhone or iOS/macOS Find My app.

Nearby Apple devices with the Find My service enabled can then pick up these signals and send them to Apple's servers.


News URL

https://threatpost.com/apple-find-my-exploited-bluetooth/166121/

Related vendor

Vulnerabilities in the last 12 months:

| Vendor | # Products | Low | Medium | High | Critical | Total vulns |
|---|---|---|---|---|---|---|
| Bluetooth | 4 | 3 | 10 | 3 | 0 | 16 |