Hackers Exploit Apple’s Find My Network to Track Any Bluetooth Device

Find My App on iPhone Credit: Tada Images / Shutterstock

Hackers have developed a way to exploit Apple’s Find My network and track any Bluetooth-enabled device in the same manner as AirTags.

Apple’s Find My network allows users to track their Apple device (using the device’s built-in “Find My” capability) or items using an attached AirTag. The item tracker has helped find lost and stolen baggage, and even stolen cars in the past.

While Apple’s Find My network is considered by most to be secure and trustworthy, researchers have still figured out a way to evade the system’s safeguards. In 2021, security researchers figured out how to send secret messages via the Find My network, and now a new team of experts has figured out how to take this to an entirely new level.


Associate professors Qiang Zeng and Lannan Luo and PhD students Chen and Xiaoyue Ma — all George Mason University researchers — created what they call “nRootTag” as an attack that takes advantage of Bluetooth addresses by tricking the Find My network into believing the Bluetooth device is a missing AirTag.

An AirTag is designed to send out Bluetooth messages, or “pings,” that can be detected by iPhones and other Apple devices that happen to pass by. Those devices relay the location anonymously and securely to Apple’s servers, where it can be viewed only by the AirTag’s owner and anyone the owner has shared its location with.

However, the researchers conducted experiments in which they were able to make non-AirTag Bluetooth devices — desktop and laptop PCs, smartphones, IoT devices, and more — identify themselves as if they were genuine AirTags, allowing them to be tracked on the network.

An AirTag changes its Bluetooth address based on a cryptographic key, but an attacker cannot change the address of other hardware without administrator privileges. So the team did not attempt to modify the Bluetooth address at all. Instead, they developed key search techniques to find a key compatible with the device’s existing Bluetooth address, making the key adapt to the address rather than the other way around.

In testing, the nRootTag technique proved surprisingly reliable with a 90% success rate, working within minutes.

The hack isn’t limited to smartphones and computers. It works on nearly any Bluetooth device, including VR headsets and smart TVs. Researchers were able to track an e-bike across an entire city.

“While it is scary if your smart lock is hacked, it becomes far more horrifying if the attacker also knows its location,” explains Zeng. “With the attack method we introduced, the attacker can achieve this.”

“Time is essential in an actual attack, and we don’t have a year to do the cracking,” said Chen. Researchers rented hundreds of graphics processing units (GPUs) owned by others to help find a match quickly. Chen explained that mismatches can be saved to a database for future use, making it a handy tool for targeting thousands of devices simultaneously. 

The technique could be used for several purposes, such as advertisers building user profiles without traditional GPS tracking. Unfortunately, it could also be used to track individuals of interest, lending itself to espionage and surveillance.

Apple is aware of the issue; the researchers contacted the Cupertino firm in July 2024. In recent security update notes, Apple acknowledged Prof. Qiang Zeng of George Mason University for assisting with issues related to proximity, although this could be for an unrelated security fix. Apple has not yet disclosed how it will fix the problem.

The team is expected to present its findings at the USENIX Security Symposium in August.
