Apple's Find My network, used to locate iOS and macOS devices – and more recently AirTags and other kit – also turns out to be a potential espionage tool.
In short, it's possible to use passing Apple devices to relay small amounts of data from one place to another – say, to a computer on the other side of the world – over the air, without the sending device having any other network connectivity.
Fabian Bräunlein, co-founder of Positive Security, devised a way to send a limited amount of arbitrary data to Apple's iCloud servers from devices without an internet connection using Bluetooth Low Energy (BLE) broadcasts and a microcontroller programmed to function as a modem. That data can then be retrieved from the cloud by a Mac application. In a blog post on Wednesday, he dubbed his proof-of-concept service Send My.
Apple's Find My network, when enabled in Apple devices, functions as a crowdsourced location-tracking system. Participating devices broadcast over BLE to other nearby attentive Apple devices, which in turn relay data back over their network connection to Cupertino's servers. Authorized device owners can then get location reports on enrolled hardware through the company's iCloud-based Find My iPhone or iOS/macOS Find My app.
Back in March, researchers with Technical University of Darmstadt in Germany – Alexander Heinrich, Milan Stute, Tim Kornhuber, and Matthias Hollick – published an analysis of the security and privacy of Apple's Find My network [PDF], uncovering a few issues along the way. Bräunlein said their work developing a tool called OpenHaystack, for creating one's own Find My trackable items, made his Send My research possible.
Bräunlein said his goal was to see whether the Find My network could be abused to carry arbitrary data from devices without an internet connection.
"Such a technique could be employed by small sensors in uncontrolled environments to avoid the cost and power-consumption of mobile internet," he explains. "It could also be interesting for exfiltrating data from Faraday-shielded sites that are occasionally visited by iPhone users."
He also theorizes that his technique could be used to deplete mobile users' data plans because he didn't encounter any rate limiting mechanism for the number of location reports devices can send over the Find My network. Broadcasting a large number of unique public encryption keys as part of the Find My protocol would increase the amount of mobile traffic sent, with each report being more than 100 bytes.
However, ads on websites and streaming data seem like far greater data consumers and battery life killers if that's the goal.
Software in a haystack
For his data exfiltration scheme, Bräunlein employed an ESP32 microcontroller running OpenHaystack-based firmware to broadcast a hardcoded default message and to listen on its serial interface for new data. Nearby Apple devices with Find My broadcasting enabled will pick up these signals and relay them to Apple's servers.
Fetching the data from a macOS device requires using an Apple Mail plugin that runs with elevated privileges, in order to satisfy Apple's authentication requirements for accessing location data. The user must also install OpenHaystack and run DataFetcher, a macOS app created by Bräunlein to view the unsanctioned transmission.
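To make the mechanism above concrete, here is an added, self-contained Python model of the channel; it is not Send My or OpenHaystack code. The sender turns each bit of a message into its own advertisement key, a passing finder uploads a report indexed by the SHA-256 of whatever key it heard, and the receiver asks the report store for both candidate keys of every bit and reads the bit from which one has reports. The key layout (modem ID, message ID, bit index, bit value, zero padding), the in-memory "cloud", the finder model and the sample payload are all constructed for the illustration.

```python
"""Toy model of the Send My channel: one bit of data per Find My advertisement key.

Constructed illustration, not code from Bräunlein's Send My or from OpenHaystack.
The key layout, the cloud store and the finder are simplified stand-ins.
"""
import hashlib
import random
from typing import Dict, List, Tuple

KEY_LEN = 28  # Find My advertises a 28-byte public key (P-224 x coordinate)


def bit_key(modem_id: bytes, msg_id: int, bit_index: int, bit_value: int) -> bytes:
    """Derive the advertisement key that stands for one bit of one message.

    Assumed layout (the real Send My layout differs): modem_id(4) | msg_id(4) |
    bit_index(2) | bit_value(1) | zero padding to 28 bytes. Both ends can
    recompute it, so the receiver needs no side channel to know what to ask for.
    """
    assert len(modem_id) == 4 and bit_value in (0, 1)
    payload = (modem_id + msg_id.to_bytes(4, "big")
               + bit_index.to_bytes(2, "big") + bytes([bit_value]))
    return payload.ljust(KEY_LEN, b"\x00")


def hashed_key(pubkey: bytes) -> bytes:
    """Reports are looked up by SHA-256 of the advertised key, not the key itself."""
    return hashlib.sha256(pubkey).digest()


def encode_message(modem_id: bytes, msg_id: int, data: bytes) -> List[bytes]:
    """Sender (the microcontroller): one key per bit, MSB first within each byte."""
    keys = []
    for i in range(len(data) * 8):
        bit = (data[i // 8] >> (7 - i % 8)) & 1
        keys.append(bit_key(modem_id, msg_id, i, bit))
    return keys


class FindMyCloud:
    """Stand-in for Apple's report store: hashed key -> list of opaque reports."""

    def __init__(self) -> None:
        self.reports: Dict[bytes, List[bytes]] = {}

    def upload(self, hashed: bytes, report: bytes) -> None:
        self.reports.setdefault(hashed, []).append(report)

    def fetch(self, hashed_keys: List[bytes]) -> Dict[bytes, List[bytes]]:
        return {h: self.reports.get(h, []) for h in hashed_keys}


def finder_relay(cloud: FindMyCloud, advertised: List[bytes],
                 hear_prob: float = 1.0, seed: int = 1) -> int:
    """A passing iPhone: uploads one report for every advertisement it hears.

    The report body is opaque here (in reality an encrypted location); only its
    existence carries information. hear_prob models BLE packets the phone misses.
    """
    rng = random.Random(seed)
    heard = 0
    for key in advertised:
        if rng.random() <= hear_prob:
            cloud.upload(hashed_key(key), b"<encrypted location report>")
            heard += 1
    return heard


def decode_message(cloud: FindMyCloud, modem_id: bytes, msg_id: int,
                   nbytes: int) -> Tuple[bytes, List[int]]:
    """Receiver (the Mac): query both candidate keys per bit; the one with reports
    gives the bit. Returns the bytes plus the indices of undecidable bits (neither
    or both candidates had reports), which are left as 0 rather than guessed."""
    candidates = [(bit_key(modem_id, msg_id, i, 0), bit_key(modem_id, msg_id, i, 1))
                  for i in range(nbytes * 8)]
    found = cloud.fetch([hashed_key(k) for pair in candidates for k in pair])
    out = bytearray(nbytes)
    undecided = []
    for i, (k0, k1) in enumerate(candidates):
        has0 = bool(found[hashed_key(k0)])
        has1 = bool(found[hashed_key(k1)])
        if has0 == has1:
            undecided.append(i)
        elif has1:
            out[i // 8] |= 1 << (7 - i % 8)
    return bytes(out), undecided


def demo(hear_prob: float = 1.0) -> Tuple[bytes, List[int]]:
    """End to end: sensor encodes, one finder relays, the Mac decodes."""
    modem_id, msg_id = b"\xde\xad\xbe\xef", 7   # constructed identifiers
    secret = b"temp=21C"                        # constructed 8-byte payload
    cloud = FindMyCloud()
    finder_relay(cloud, encode_message(modem_id, msg_id, secret), hear_prob)
    return decode_message(cloud, modem_id, msg_id, len(secret))


if __name__ == "__main__":
    print(demo())     # every bit relayed: payload recovered, no undecided bits
    print(demo(0.5))  # half the advertisements missed: those bits are flagged
```

Two things the model makes visible. First, the cost asymmetry: the sender needs one key per bit, but the receiver must ask for two keys per bit, so a 16-byte message is 256 lookups against the report store, which is why fetching is the slow end of the channel. Second, the receiver never has to decrypt a report; whether a hashed key has any report at all is the whole signal, which is also why the network's own privacy design gives Apple so little to filter on.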
Send My is not exactly a high-speed attack. With the microcontroller sending at roughly 3 bytes per second, retrieving 16 bytes taking around 5 seconds, and latency ranging from 1 to 60 minutes depending on the number of nearby devices, there are certainly faster data transmission side channels.
Nonetheless, it's not inconceivable that a sophisticated adversary could find a use for Send My.
Asked about the plausibility of conducting a real attack that involves reprogramming an existing microcontroller to transmit BLE beacons, Bräunlein in an email to The Register said, "This is quite a long attack chain, but the same [as] Stuxnet. I think the biggest hurdle would be finding a device with a Bluetooth modem in such a network."
"If there were any consumer-grade IoT devices, their compromise would probably be the lowest hurdle," he said. "However when malware is installed e.g. via dropped USB sticks, the USB sticks could already include the Bluetooth microcontroller."
Bräunlein said Send My essentially creates Amazon Sidewalk – Amazon's network for IoT devices – out of Apple's network infrastructure. It's not a new threat, he said, pointing to existing global mobile and satellite networks that can be used to carry data. But in scenarios like intentionally shielded sites where those networks aren't accessible, Send My might prove useful.
Because Apple designed Find My with privacy in mind – the network aspires to keep finders anonymous, to prevent the tracking of owner devices, and to maintain the confidentiality of location reports – Bräunlein believes it will be difficult for Apple to protect against this sort of abuse.
Meanwhile, other security researchers are testing the limits of Apple's privacy protections in other ways. Security firm Intego on Tuesday demonstrated that AirTags have some potential as covert tracking devices, despite Apple's efforts to preclude this possibility. And German security researcher stacksmashing has managed to hack and reflash AirTags.
Apple, seldom chatty about anything and particularly tight-lipped on matters of security, did not respond to a request for comment. ®