Apple Where is itin English “Find My“, is a tracking feature that allows users to locate their lost or stolen devices: iPhone, iPad, Mac, Apple Watch, AirPod and Apple Tags. This tool is based on a network that combines the use of Bluetooth and geolocation services (including GPS) to locate devices reported as no longer under the direct control of the rightful owner, even when they are found offline.
When a device is listed as lost, it starts sending Bluetooth messages regularly. Communications are discoverable by others Apple devices nearby (even if belonging to other users): they act as nodes or relay which anonymously transmit the location of the lost object through the “Where is” network. Apple has created a distributed location network which takes advantage of the widespread presence of Apple devices around the world.
The Apple Find My network can be exploited by malicious users: here’s how
It was the month of May 2021 when the researchers of Positive Security described a mode of aggression that exploited the Where is network as a support for sending arbitrary information, not intended by Apple.
The researchers also published the source code of Send My, an application designed to exploit the Apple network to allow data to be uploaded even from devices that are not connected to the Internet. The presence of Apple devices nearby allowed for forward this data and abuse the mechanism behind Apple Find My. We had dedicated an entire article to the problem, explaining that devices other than AirTags and other Apple devices can still exchange data on the Dove’è network.
The Send My application consists of two parts: the firmware for ESP32 microcontroller and the data fetcher that is, the module used to retrieve, decode and display data uploaded to the network.
A keylogger can abuse the mechanism to send user passwords across the Find My network
Colleagues of Heise c’t have demonstrated that the mechanism still works perfectly today. To make the attack even more noticeable, the technicians used a standard USB keyboard modified with the addition of the keylogger EvilCrow. From a technical point of view, the keyboard – connected to the system from which you want steal passwords and other confidential data – is equipped with a trasmettitore Bluetooth ESP32.
By pivoting on the Apple Find My system, a remote attacker can receive all the information the user types on the modified USB keyboardincluding passwords and login credentials.
This approach, which involves the data transfer via Bluetooth, it is decidedly more stealthy than other attack methodologies. In fact, the activities carried out by devices connected to the company network (for example via WiFi or via Ethernet cable) are easily detectable within well-protected contexts. Conversely, an attack like the one described tends to go unnoticed because the data does not transit on the company network but is transferred to third parties relying on an external network, such as Apple Find.
The attack works because if the message is formatted appropriately, as required by Apple Find My, the receiving Apple device creates a location report of the client and shares it online, together with the additional information received as input. Furthermore, data transfer can potentially take place with any device that does not use chips supported by Apple: the use of a USB keyboard with Custom Bluetooth module.
The only disadvantages have to do with performance
The researchers explain that in their demonstration the attack worked with a transmission speed equal to 26 characters per second. In reception, the detected speed is 7 characters per second, with a latency between 1 and 60 minutes, depending on the presence or absence of Apple devices within the keylogger’s range of action.
The process is obviously poorly performing but if an attacker’s goal was to get hold of valuable information such as passwords, waiting several hours or even days would not be a problem.
The anti-tracking protections by Apple, which alert users to an unknown AirTag nearby, are not triggered by the keylogger inside the modified USB keyboard: the device remains hidden and is therefore highly unlikely to be discovered.
At the moment Apple has not yet released an official statement on the topic. One of the researchers who had shined a light on the problem for the first time, Fabian Bräunleininvites us to raise our guard by underlining that for attackers the attack is also very cheap: the USB keyboard equipped with the keylogger and the ESP32 Bluetooth module costs no more than 50 euros.
We recently featured the story of a well-known manager who urges users to use Apple’s Find My feature to stay in control of their macOS devices.