
Apple's Find My Network Can be Abused to Exfiltrate Data From Nearby Devices
2021-05-18 06:52

Latest research has demonstrated a new exploit that enables arbitrary data to be uploaded from devices that are not connected to the Internet by simply sending "Find My" Bluetooth broadcasts to nearby Apple devices.

"It's possible to upload arbitrary data from non-internet-connected devices by sending Find My broadcasts to nearby Apple devices that then upload the data for you," Positive Security researcher Fabian Bräunlein said in a technical write-up disclosed last week.

Reverse engineering of Apple's Find My offline finding system also opened up the possibility of emulating the protocol to upload arbitrary data to the Internet. The information is broadcast via Bluetooth beacons that get picked up by Apple devices in close physical proximity, which then relay the encrypted data to Apple's servers, from where a macOS application can retrieve, decode, and display the uploaded data.

"When sending, the data is encoded in the public keys that are broadcasted by the microcontroller. Nearby Apple devices will pick up those broadcasts and forward the data to an Apple backend as part of their location reporting. Those reports can later be retrieved by any Mac device to decode the sent data," Bräunlein explained.

While malicious real-world implications of such an exploit may seem moot, it's also difficult for Apple to defend against an attack of this kind due to the inherent end-to-end encrypted nature of the Find My network.

To counter any potential misuse, the researcher suggests hardening the system in two possible ways: authenticating the BLE advertisement, and applying rate limits on location report retrievals by caching the hashes and ensuring that only "16 new key ids are queried per 15 minutes and Apple ID." It's worth noting that there is a limit of 16 AirTags per Apple ID.

"In the world of high-security networks, where combining lasers and scanners seems to be a noteworthy technique to bridge the air gap, the visitor's Apple devices might also become feasible intermediaries to exfiltrate data from certain air gapped systems or Faraday caged rooms," Bräunlein said.
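The retrieval rate limit suggested above can be sketched as server-side logic. This is an added example, not code from the researcher or from Apple; the class name, the SHA-256 hashing, the sliding window and the choice to keep cached hashes indefinitely are all assumptions.

```python
import hashlib
from collections import defaultdict, deque


class ReportRetrievalLimiter:
    """Hypothetical limiter: 16 new key ids per 15 minutes per account."""

    def __init__(self, window=15 * 60, max_new=16):
        self.window = window
        self.max_new = max_new
        self.known = defaultdict(set)      # account -> hashes already queried
        self.recent = defaultdict(deque)   # account -> admission times of new ids

    def filter_request(self, account, key_ids, now):
        """Return (allowed, rejected) key ids for one retrieval request."""
        recent = self.recent[account]
        while recent and now - recent[0] >= self.window:
            recent.popleft()               # budget frees up as the window slides

        allowed, rejected, seen = [], [], set()
        for key_id in key_ids:
            digest = hashlib.sha256(key_id).hexdigest()
            if digest in seen:             # duplicate inside one request
                continue
            seen.add(digest)
            if digest in self.known[account]:
                allowed.append(key_id)     # cached id: costs no budget
            elif len(recent) < self.max_new:
                self.known[account].add(digest)
                recent.append(now)
                allowed.append(key_id)     # new id admitted within budget
            else:
                rejected.append(key_id)    # over budget for this window
        return allowed, rejected


def demo():
    limiter = ReportRetrievalLimiter()
    account = "owner@example.com"                  # constructed account
    tags = [b"tag-%d" % i for i in range(16)]      # constructed key ids
    bulk = [b"bulk-%d" % i for i in range(40)]     # constructed bulk lookup
    first = limiter.filter_request(account, tags, now=0)
    repeat = limiter.filter_request(account, tags, now=60)
    burst = limiter.filter_request(account, bulk, now=120)
    later = limiter.filter_request(account, bulk, now=900)
    return first, repeat, burst, later
```

Repeat lookups of an owner's 16 tags stay free, while a bulk lookup of many unseen key ids is throttled to 16 per window.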


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/G979KS-rgTg/apples-find-my-network-can-be-abused-to.html