This Find My exploit lets hackers track any Bluetooth device – here’s how you can stay safe

News Room


  • A new exploit can track any Bluetooth device using Apple’s Find My network
  • The attack can be done remotely in just a few minutes
  • Apple has been notified, but it’s unknown when a fix will come

Apple’s Find My app is a handy way to keep track of your important items, whether that’s one of the best iPhones or an AirTag attached to a set of keys. While there have been concerns surrounding the privacy implications of devices like Apple’s AirTag, the Find My concept itself has remained relatively impervious to attack – until now.

That’s because researchers from George Mason University in Virginia say they’ve discovered a serious flaw in the Find My network that could allow hackers to track almost any Bluetooth-enabled device’s location without its owner knowing.

On the face of it, it’s a deviously clever exploit. Dubbed “nRootTag,” it manipulates Find My’s cryptographic keys to trick the network into believing that a regular Bluetooth device is actually a trackable AirTag. That means that any Bluetooth device could feasibly be located by a person with access to the exploit.

The researchers found that their method had a 90% success rate. What’s more, it only took them a few minutes to locate a targeted device. It’s a scary combination when those kinds of capabilities are in the wrong hands.

Remote access

People have worried about the nefarious tracking potential of AirTags and the Find My network before, but in past cases, a stalker has had to physically place an AirTag close to their victim. In the case of the George Mason University exploit, that’s not necessary because it can be triggered remotely. For instance, the university team was able to track a games console that had been placed on an airplane throughout its entire journey, all from many miles away.

The only small comfort is that this method requires a lot of computing power, as the researchers had to deploy hundreds of powerful GPUs in order to swiftly find cryptographic keys to exploit. Still, they noted that it would be possible to do so using rented GPU banks, which do not necessarily require significant funds.

The researchers say they notified Apple about the vulnerability in July 2024. While Apple has acknowledged the issue, we don’t yet know if or how it will be fixed – and it could take years to end the threat if people don’t update their devices right away.

If you want to stay safe, the best advice for now is to regularly update your devices and be cautious about granting apps access to Bluetooth. If you don’t know why an app needs Bluetooth, do further research before simply opening the door.
