Apple's "Find My" network vulnerabilities pose a keylogging threat

The “Find My” Network and its vulnerabilities

Researchers found a way to abuse the "Find My" network to steal keylogged passwords

Users trying to find lost or stolen Apple devices have had great success with Apple's "Find My" network and application. The network relies on Bluetooth beacons broadcast by a lost device and picked up by any of the millions of Apple products nearby, which then report their own GPS location on its behalf. That lets it locate a lost or stolen iPhone, iPad, Mac, Apple Watch, AirPods, or AirTag even when the lost item itself is offline.

This service is incredibly helpful to Apple users, since it turns a global fleet of Apple devices into a recovery network, but the same reach and capability have raised concerns. Recent research has shown that the design can be bent to purposes Apple never intended, which raises the question of how hostile actors might exploit it and why users and defenders need to be more careful about protecting sensitive data and privacy.

The unintended pitfalls of Apple's “Find My” Network

Two years ago,[1] researchers at Positive Security, under the direction of Fabian Bräunlein, discovered that Apple's Find My network could be used for more than tracking the whereabouts of devices. The team reported the issue to Apple, which purportedly fixed it. The researchers nonetheless went a step further and published an implementation called "Send My" on GitHub.[2] With this open-source utility, a sender that has nothing more than a Bluetooth transmitter can push arbitrary data onto Apple's Find My network, and an internet-connected device can retrieve that data from anywhere in the world.

To highlight the concerns, the researchers went beyond their original proof of concept.[3] By integrating a keylogger with an ESP32 Bluetooth transmitter into a USB keyboard, they showed how passwords and other private data can be covertly exfiltrated over the Find My network using nothing but Bluetooth signals. Because the implant never needs its own network uplink, it is far harder to spot than traditional WLAN keyloggers or Raspberry Pi implants, which have to join a network or phone home, and that makes it much more difficult to find in secured environments.

How the keylogger exploits the “Find My” Network

The keylogger used in this experiment does not need an AirTag or an Apple-certified chip: any Bluetooth Low Energy transmitter can send advertisements shaped like those of a lost Find My accessory. Nearby Apple devices treat the public key carried in such an advertisement as belonging to a lost accessory, encrypt their own location to it, and upload the resulting report to the Find My network. To imitate many AirTags, the sender generates a large number of slightly different public keys, reserving certain bits of each key for a message identifier, a bit index, and the bit value, so the keylogger's captures are transmitted one bit per key rather than inside the encrypted location data. On the receiving end, the attacker downloads the reports for the candidate keys from Apple's cloud and reconstructs the data by concatenating and decoding which keys received reports.
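The following is an added simulation of the encoding scheme just described; it is not Positive Security's Send My code and makes no network calls. The key field layout (modem ID, message ID, bit index, bit value), the `FakeFindMyNetwork` class standing in for nearby Apple devices and Apple's report store, and the constructed modem ID are all assumptions for illustration. What it shows is the core trick: the data lives in which public keys get reports, not in the reports themselves, and a bit whose advertisement no finder device heard simply has no report yet.

```python
"""
Simulated Send My-style bit encoding over a Find My-like report store.

Sender side: every data bit becomes its own 28-byte "public key" carrying a
modem ID, message ID, bit index and bit value (field layout assumed for
illustration). Finder side: any device seeing that key uploads a report under
SHA-256(key). Receiver side: for each bit index, ask which of the two candidate
keys has reports.
"""
import hashlib
from typing import Dict, List, Tuple

KEY_LEN = 28  # Find My advertisement keys are 28-byte P-224 public keys


def make_key(modem_id: bytes, message_id: int, bit_index: int, bit_value: int) -> bytes:
    """Build the advertisement key that represents one bit (assumed layout)."""
    if len(modem_id) != 4 or bit_value not in (0, 1):
        raise ValueError("modem_id must be 4 bytes and bit_value 0 or 1")
    body = (modem_id
            + message_id.to_bytes(4, "big")
            + bit_index.to_bytes(2, "big")
            + bytes([bit_value]))
    return body.ljust(KEY_LEN, b"\x00")  # pad to the size of a real key


def hashed_key(pub: bytes) -> bytes:
    """Reports are stored and queried by the SHA-256 of the advertised key."""
    return hashlib.sha256(pub).digest()


def encode_message(modem_id: bytes, message_id: int, data: bytes) -> List[bytes]:
    """Keys the sender broadcasts in turn: one per data bit, MSB of each byte first."""
    keys = []
    for byte_index, byte in enumerate(data):
        for bit in range(8):
            bit_index = byte_index * 8 + bit
            bit_value = (byte >> (7 - bit)) & 1
            keys.append(make_key(modem_id, message_id, bit_index, bit_value))
    return keys


class FakeFindMyNetwork:
    """Stand-in for nearby Apple devices plus Apple's report store (constructed for the demo)."""

    def __init__(self) -> None:
        self.reports: Dict[bytes, List[bytes]] = {}

    def observe_advertisement(self, pub: bytes) -> None:
        # A real finder encrypts its own location to `pub` and uploads the
        # ciphertext under SHA-256(pub); the report content is irrelevant here.
        self.reports.setdefault(hashed_key(pub), []).append(b"<encrypted location report>")

    def fetch_reports(self, hashed_keys: List[bytes]) -> Dict[bytes, List[bytes]]:
        return {h: self.reports.get(h, []) for h in hashed_keys}


def decode_message(network: FakeFindMyNetwork, modem_id: bytes, message_id: int,
                   num_bytes: int) -> Tuple[bytes, List[int]]:
    """Recover the message; returns (data, bit indices that could not be resolved)."""
    recovered = bytearray()
    unresolved: List[int] = []
    for byte_index in range(num_bytes):
        value = 0
        for bit in range(8):
            bit_index = byte_index * 8 + bit
            candidates = {v: hashed_key(make_key(modem_id, message_id, bit_index, v))
                          for v in (0, 1)}
            found = network.fetch_reports(list(candidates.values()))
            hits = [v for v, h in candidates.items() if found[h]]
            if len(hits) != 1:
                # No finder was in range when this bit was advertised (or both
                # keys have reports); the receiver must wait and poll again.
                unresolved.append(bit_index)
                hits = [0]
            value = (value << 1) | hits[0]
        recovered.append(value)
    return bytes(recovered), unresolved


def simulate(data: bytes, dropped_bits: Tuple[int, ...] = ()) -> Tuple[bytes, List[int]]:
    """End-to-end run; `dropped_bits` are advertisements no finder device heard."""
    modem_id = b"\xde\xad\xbe\xef"  # constructed device ID for the demo
    message_id = 1
    net = FakeFindMyNetwork()
    for i, key in enumerate(encode_message(modem_id, message_id, data)):
        if i in dropped_bits:
            continue
        net.observe_advertisement(key)
    return decode_message(net, modem_id, message_id, len(data))


if __name__ == "__main__":
    print(simulate(b"hunter2"))        # (b'hunter2', [])
    print(simulate(b"hunter2", (1,)))  # (b'(unter2', [1])
```

Eight advertised keys per captured character, each needing at least one Apple device in range to hear it and upload a report before the receiver's next poll, is why the channel is slow and why the researchers' figures are measured in characters per second with a delay of minutes rather than milliseconds.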

To build this data-siphoning device, the researchers used an ordinary USB keyboard and a Bluetooth-enabled "EvilCrow" keylogger, putting the total cost at around $50. Depending on how many Apple devices are in range, the proof-of-concept attack can transmit at up to 26 characters per second, and the receiver recovers data at about 7 characters per second, with an end-to-end delay of anywhere from 1 to 60 minutes. That is not fast, but it is more than adequate for an attacker after short, high-value secrets such as passwords, so the waiting period is a reasonable trade-off for a bad actor.

Moreover, Apple's anti-tracking safeguards are built to warn a user when an unknown tracker moves around with them; a keylogger that sits inside a stationary keyboard never travels with anyone, so those safeguards never fire and the implant stays undetected. Its covert nature makes identification and mitigation extremely difficult. Apple has not yet released a statement regarding this misuse of the "Find My" network, and how it will address the problem, and the risks it poses to user security, remains to be seen.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst and the founder and owner of 2-Spyware. He currently serves as Editor-in-chief.
