Apple Vulnerability Turns Bluetooth Devices into AirTag-Like Trackers

Researchers from George Mason University have uncovered a serious security flaw in Apple’s Find My network, potentially allowing attackers to turn any Bluetooth-enabled device into a location tracker. This vulnerability takes advantage of the network’s ability to track devices based on encrypted location data, creating significant privacy and safety concerns for users.

Apple’s Find My network, a massive system designed to locate lost devices and AirTags, relies on Apple devices to anonymously report the location of nearby devices. However, the researchers have found a way to hijack this system and use non-Apple devices—such as desktops, smartphones, and even IoT devices—to send location reports to Apple’s servers. The attack, named nRootTag, allows an attacker to track a device without needing root access or advanced hacking skills, making it accessible to a wide range of attackers.

The process begins when an attacker convinces a user to install malicious software or an app that requests Bluetooth permissions—permissions that many legitimate apps commonly ask for. Once granted, the attacker can exploit the vulnerability in Apple’s Find My network, which allows any Bluetooth device to send “lost message” advertisements, just like an AirTag would.

The researchers discovered that attackers could generate public/private key pairs matching a Bluetooth address, effectively creating a system where the attacker could decrypt location data sent through the network. This could be achieved using modern GPUs and a precomputed “rainbow table” of keys, which can be built for as little as a few dollars in cloud computing costs.

Once an infected device sends its “lost message,” any nearby Apple device that picks it up will send its location data to Apple’s servers. This location can then be accessed and decrypted by the attacker. In tests, the researchers found that the attack was successful within 5-10 minutes, working on various operating systems, including Linux, Windows, and Android.

Although Apple has released patches for several of its platforms, the vulnerability remains a concern for users with unpatched devices, according to the researchers. If these devices are within proximity of a compromised system, the attack can still succeed. Users are urged to update their devices to ensure their privacy and security.
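
A defensive check for the behaviour described above, as an added example that is not from the article or the researchers: it scans captured BLE advertisements for Find My lost-message frames sent from the adapter address of a managed host, which an ordinary desktop or laptop has no reason to emit. The frame constants come from public research on the protocol, and the host names, addresses and payloads are constructed sample data.

```python
# Added example: flag Find My "lost message" adverts sent from managed hosts.
# Frame constants come from public research on the protocol, not the article.
APPLE_COMPANY_ID = 0x004C    # Bluetooth SIG company identifier for Apple
LOST_MSG_TYPE = 0x12         # Apple payload type for offline-finding adverts
LOST_MSG_LEN = 0x19          # 25 payload bytes follow the type/length pair
MANUFACTURER_DATA = 0xFF     # AD type: manufacturer-specific data

def iter_ad_structures(payload: bytes):
    """Yield (ad_type, data) for each length-prefixed AD structure."""
    i = 0
    while i < len(payload):
        length = payload[i]
        end = i + 1 + length
        if length == 0 or end > len(payload):
            return  # padding or truncated capture: stop parsing
        yield payload[i + 1], payload[i + 2:end]
        i = end

def is_lost_message(payload: bytes) -> bool:
    """True if the advertisement carries a Find My offline-finding frame."""
    for ad_type, data in iter_ad_structures(payload):
        if ad_type != MANUFACTURER_DATA or len(data) != 4 + LOST_MSG_LEN:
            continue
        if (int.from_bytes(data[:2], "little") == APPLE_COMPANY_ID
                and data[2] == LOST_MSG_TYPE and data[3] == LOST_MSG_LEN):
            return True
    return False

def hosts_sending_lost_messages(captures, managed_hosts):
    """Return managed host names whose adapter address emitted a lost message."""
    by_addr = {addr.upper(): name for name, addr in managed_hosts.items()}
    hits = {by_addr[addr.upper()] for addr, payload in captures
            if addr.upper() in by_addr and is_lost_message(payload)}
    return sorted(hits)

# Constructed sample data (addresses and payloads are made up for illustration).
LOST = bytes([0x1E, 0xFF, 0x4C, 0x00, 0x12, 0x19]) + bytes(25)
NEARBY = bytes([0x02, 0x01, 0x06, 0x0A, 0xFF, 0x4C, 0x00, 0x10, 0x05,
                0x01, 0x18, 0xAA, 0xBB, 0xCC])
CAPTURES = [
    ("d4:3b:04:11:22:33", LOST),      # managed Linux desktop: suspicious
    ("D4:3B:04:44:55:66", NEARBY),    # managed laptop, ordinary Apple advert
    ("F1:02:03:04:05:06", LOST),      # unknown device, e.g. a real AirTag
    ("D4:3B:04:44:55:66", LOST[:7]),  # truncated capture: ignored
]
MANAGED = {"build-01": "D4:3B:04:11:22:33", "laptop-07": "D4:3B:04:44:55:66"}
```

The check assumes the sniffer records the sender's fixed adapter address and that the inventory of managed adapter addresses is accurate; a hit on a managed host is a reason to inspect its installed software and Bluetooth permissions.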