Apple Lets Stalkers Find YOU — ‘nRootTag’ Team Breaks AirTag Crypto
It’s been seven months, but Tim’s crew is yet to fix the bugs.
Academic researchers discovered a vuln chain in Apple’s ‘Find My’ network. Dubbed nRootTag, it allows hackers to track any Bluetooth device without the owner’s knowledge.
Breaking news: Apple has finally begun to partially patch the flaws, but only in some OS versions. Researchers warn a full fix “will take years,” in part because you can’t update the AirTags themselves. In today’s SB Blogwatch, we disable dental protocols.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Sweet but Sucker.
Dumb Design + Crud Code = Privacy Panic
What’s the craic? Vlad Cherevko broke the story: Vulnerability in Apple’s Find My network allows hackers to track your Bluetooth devices
“Has yet to fix it”
The Find My network, designed to track devices and accessories such as AirTag, can now be used to track people. Hackers can turn any device, such as a phone or laptop, into an AirTag without the owner’s knowledge. This allows the device’s location to be tracked remotely.
…
Nearby Apple devices … anonymously transmit location information to the owner via Apple’s servers. The researchers found a way to make the Find My network track any Bluetooth device [using an] exploit called nRootTag. [They] reported the vulnerability to Apple in July 2024. … Apple has acknowledged the problem, but has yet to fix it.
How bad is it? Nick Farrell chooses the F word: Apple’s Find My fiasco
“Has done nothing to fix”
Unsuspecting users are unwittingly broadcasting their every move to potential stalkers and cybercriminals. … Despite Jobs’ Mob’s claims of superior security, [the] boffins at George Mason University … cracked the system using “hundreds” of GPUs to swiftly unearth the cryptographic keys
…
This vulnerability allows hackers to transform any Bluetooth-enabled device into a covert tracking tool, all without the owner’s slightest inkling. [The] exploit hoodwinks the Find My network into recognising ordinary gadgets—be it your laptop, smartphone, or even your child’s gaming console—as if they were Apple’s own AirTags. [But] the Fruity Cargo Cult has done nothing to fix … this invasive threat.
Horse’s mouth? Nathan Kahl blogs one for the team: Find my hacker
“Stalking, harassment, corporate espionage”
nRootTag … cleverly manipulates the Find My network’s trust in device signals, essentially turning Apple’s helpful lost-device feature into an unwitting accomplice. The researchers demonstrated that the attack works broadly on computers and mobile devices running Linux, Android, and Windows, as well as several Smart TVs and VR Headsets.
…
Most concerning are the privacy implications, as bad actors could easily abuse this technique for stalking, harassment, corporate espionage, or threats to national security. [And it] could be attractive to advertising companies looking to profile users.
…
“It’s like transforming any laptop, phone, or even gaming console into an Apple AirTag – without the owner ever realizing it,” said Junming Chen, lead author of the study. “And the hacker can do it all remotely, from thousands of miles away, with just a few dollars.” … The team will present these findings this August in Seattle at the USENIX Security Symposium.
ELI5? hackernudes explains like we’re five:
Here is my quick summary:
— Apple devices listen for BLE advertisements of a certain form to indicate a “Find My” network lost device.
— The lost device advertisements mainly contain the public key part of a key pair.
— The public key does not fit in the payload of the advertisements, so … 46 bits of the full 224 bit public key are stored in the address field.
— In general anyone can make a “lost device” advertisement as demonstrated by OpenHayStack. The requirement is the address field needs to be fully controllable.
— BLE advertisements have a header that indicates what kind of address is present. … The lost device advertisements are supposed to be “Random Static,” but the researchers found that Apple “Find My” listeners (“finders”) will accept advertisements for any address type.
— They use this fact to generate the private key part of a public key that matches an existing host adapter BLE address. … Private keys can be precomputed (rainbow tables) because a large chunk of the address is a manufacturer code.
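The address-type check that the summary above says finders skip, as an added example (not code from the post, from Apple, or from the nRootTag team): it decodes the BLE advertising PDU header and AdvA field, classifies the address, and contrasts a permissive finder with one that only relays advertisements carrying a Random Static address. The PDU layout follows the Bluetooth link-layer spec; the sample PDUs and finder functions are constructed for illustration, and the Find My payload itself is not decoded.

```python
from dataclasses import dataclass

PUBLIC, RANDOM_STATIC = "public", "random_static"
RANDOM_RESOLVABLE, RANDOM_NONRESOLVABLE = "random_resolvable", "random_nonresolvable"


@dataclass
class AdvPdu:
    pdu_type: int   # 4-bit advertising PDU type (0 = ADV_IND)
    tx_add: bool    # link-layer TxAdd bit: 0 = public AdvA, 1 = random AdvA
    adv_a: bytes    # 6-byte advertiser address, little-endian as sent on air
    adv_data: bytes # remaining AdvData octets (Find My payload not decoded here)


def parse_adv_pdu(raw: bytes) -> AdvPdu:
    """Decode the 16-bit link-layer header and AdvA of an advertising PDU."""
    if len(raw) < 8:
        raise ValueError("advertising PDU too short for header + AdvA")
    hdr0, length = raw[0], raw[1]
    if length != len(raw) - 2:
        raise ValueError("Length field does not match PDU payload")
    # Header byte 0: bits 0-3 PDU type, bit 5 ChSel, bit 6 TxAdd, bit 7 RxAdd.
    return AdvPdu(pdu_type=hdr0 & 0x0F, tx_add=bool(hdr0 & 0x40),
                  adv_a=raw[2:8], adv_data=raw[8:])


def address_type(pdu: AdvPdu) -> str:
    """TxAdd selects public/random; for random addresses the two most
    significant bits of the address (last byte on air) give the sub-type."""
    if not pdu.tx_add:
        return PUBLIC                      # hardware address with a vendor OUI
    sub = pdu.adv_a[5] >> 6
    return {0b11: RANDOM_STATIC, 0b01: RANDOM_RESOLVABLE,
            0b00: RANDOM_NONRESOLVABLE}.get(sub, "random_reserved")


def permissive_finder_accepts(pdu: AdvPdu) -> bool:
    """Behaviour the summary describes: any address type is relayed."""
    return True


def strict_finder_accepts(pdu: AdvPdu) -> bool:
    """Hardened check: only a Random Static AdvA may carry public-key bits."""
    return address_type(pdu) == RANDOM_STATIC


# Constructed sample PDUs: ADV_IND (type 0), 6-byte AdvA, 3 bytes of Flags AD.
# Public address, TxAdd clear: the kind an ordinary adapter advertises with.
PUBLIC_PDU = bytes([0x00, 9]) + bytes.fromhex("665544332211") + b"\x02\x01\x06"
# Random Static address: TxAdd set (0x40), top two bits of the MSB set (0xC3).
STATIC_PDU = bytes([0x40, 9]) + bytes.fromhex("6655443322c3") + b"\x02\x01\x06"
```

Run on a sniffer capture, the strict check also doubles as a detection rule: a lost-device advertisement whose AdvA is a public (OUI-bearing) address is exactly the anomaly the summary describes.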
Clear as mud? alexkli cuts to the chase:
It requires a malicious app to be installed on the victim device first. Combined with the compute power required for the cryptography bypass, this limits the exploitation a bit and is maybe why Apple has not provided a solution for it yet.
Those Devilish details, eh? Here’s the money shot, from CoolCash:
Exactly. … The device that needs to be tracked has to be compromised.
…
The “lost” device then hashes their Bluetooth ID, sends it to the malware server and then broadcasts it out to the Find My network as a lost device. Using the server or another device that has decoded the hash with a GPU, you can then get that information from the network and track that device.
But still, it’s yet another thing to worry about. Carol Danvers is tired of all this:
Yawnnn. Privacy and security are already a pipe dream. … All something like this does is instill more paranoia into individuals who are already on the edge of mental instability. … Researchers are constantly warning us about something that rarely, if ever, happens in the real world.
…
I refuse to live in fear of a hacker hiding behind every shrub.
Wait, so we shouldn’t fear being tracked? shamino sounds exasperated:
The headlines are pure clickbait. … You’d think that someone could remotely turn any of your Bluetooth devices into a tracker without you knowing. OMG, my smart toothbrush is now a tracker.
…
So what? The “Find My” protocol is open and anybody can make a device advertise itself to the network. So why should it be surprising that some malware could start advertising a device without the owner’s knowledge? Bluetooth advertisements aren’t exactly secret technology.
Meanwhile, mjwx drives the point home, Captain Renault style: [You’re fired—Ed.]
I’m shocked—shocked—that something that seems so easily exploitable is being so easily exploited.
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Jonas Elia (via Unsplash; leveled and cropped)