You can use Apple's Find My network to steal data from devices that aren't connected to the internet, a German researcher says.
Positive Security's Fabian Bräunlein found he could take data out of a device that had only a Bluetooth connection — essentially a homemade AirTag — and use iPhones and Macs to get the data all the way up into Apple's iCloud servers. From there, Braunlein could access the data from his own Mac.
- The best keyfinders right now
- Apple AirTag's anti-stalking features have a serious loophole
- Plus: Android 12 leak just revealed a complete makeover for Google’s OS
The whole process works very slowly. Bräunlein was getting a transmission rate of about 3 bytes per second, and each chunk of data is a maximum of 16 bytes. But over time, you could get a respectable amount of text transmitted. He's calling his system "Send My."
The data theft works because each Bluetooth device on the Find My network sends out a public encryption key to all nearby receiving Apple devices. Those devices mark their own locations, bundle it with the Bluetooth device's public encryption key, and send the resulting "location report" up to Apple's cloud.
Bräunlein found a way to embed messages in the encryption keys in the location reports and hence communicate very short secret messages from his homemade AirTag through Apple's Find My network to his Mac.
Spying, tracking and messaging
The implications of Bräunlein's research aren't purely theoretical. Millions of computers worldwide are disconnected from the internet for safety reasons because the computers hold highly sensitive data or run critically important processes, such as coordinating the movements of trains or running power plants.
"Such a technique could be employed by small sensors in uncontrolled environments to avoid the cost and power-consumption of mobile internet," Bräunlein wrote in a blog post, echoing what Amazon is already doing with its Sidewalk low-energy mesh network. "It could also be interesting for exfiltrating data from Faraday-shielded sites that are occasionally visited by iPhone users."
If some of those computers could be made to communicate via Bluetooth with iPhones that come near, then data might be snuck out of — or snuck into — those machines.
Bräunlein didn't mention it, but it's already clear that AirTags can be used to secretly track people for up to three days before the AirTags will emit a chirp to reveal themselves. A homemade AirTag might be able to track someone indefinitely without revealing its existence.
How a homemade AirTag got onto Find My network
Apple's Find My network is a giant mesh network made up of hundreds of millions of iPhones worldwide. Each iPhone listens for Bluetooth connections from other devices on the network, and if a Bluetooth-only device is sending out a broadcast message, nearby iPhones will pick up the message and use their cellular or Wi-Fi connections to relay the message to Apple's cloud servers.
This system was originally meant to locate lost iPhones, iPads and MacBooks, but it's since been expanded to include other devices such as Belkin earbuds and VanMoof electric bikes.
Earlier this year, a bunch of German researchers (not including Bräunlein) figured out how to get other Bluetooth devices — ones not approved by Apple — onto the Find My network.
Basically, they created their own AirTags before AirTags were announced. (The same researchers also demonstrated privacy flaws in AirDrop, which uses many of the same network protocols as Find My, and have created an Android app called AirGuard, which has been recommended by women concerned about AirTag-based stalking.)
They created a tool called OpenHaystack that piggybacks on the Find My network. One part is firmware that is loaded onto a tiny single-board computer such as a Raspberry Pi or something similar, which becomes the homemade AirTag. The other part is a Mac desktop application and a Mail plugin that's necessary for the whole thing to work.
Bräunlein modified the OpenHaystack board firmware onto an ESP2 tiny single-board computer — his homemade AirTag — and the corresponding software onto his Mac. Using those tools, Bräunlein was able to not only track the ESP2 using the Find My network, but also use the Find My encryption protocol and location reports to transmit messages.
Can Apple stop this?
Oddly enough, Apple may not be able to stop this kind of use, or abuse, of its Find My network. That's because Find My messages are encrypted end-to-end, and Apple can neither see what's in those messages or what kind of devices are sending them.
"Apple does not know which public keys belong to your AirTag, and therefore which location reports were intended for you," Bräunlein wrote in his blog post. "It would be hard for Apple to defend against this kind of misuse in case they wanted to."
Tom's Guide has reached out to Apple for comment, and we will update this story when we get a response.
- More: iPhone 13 release date, specs, price and leaks