Researchers Abuse Apple's Find My Network for Data Upload
Security researchers have discovered a way to leverage the Offline Finding network behind Apple's Find My to upload data from devices, even those that do not have a Wi-Fi or mobile network connection.
Using Bluetooth Low Energy, the data is sent to nearby Apple devices that are connected to the Internet and then forwarded to Apple's servers, from where it can be retrieved at a later date.
The technique could be used to avoid the costs and power usage associated with mobile Internet, or to exfiltrate data from Faraday-shielded sites visited by iPhone users, say researchers with Positive Security, a Berlin-based security consulting firm.
Using a March 2021 report from academic researchers with the Technical University of Darmstadt, Germany, which describes vulnerabilities in Apple's Find My network, Positive Security found a way to leverage Find My BLE broadcasts to send data to nearby Apple devices.
Positive Security's researchers explain that, while the connection between an AirTag and an Apple device is secured using an elliptic curve key pair, the owner device doesn't know which specific key the AirTag is using. Instead, it generates a list of keys that the AirTag recently used, while also querying an Apple service to receive their SHA256 hashes.
The technique may be used to upload sensor readings or other data from IoT devices, to exfiltrate information from air-gapped systems, and even to deplete nearby iPhones' mobile data plans.