Apple's Find My Network Can be Abused to Exfiltrate Data From Nearby Devices
May 17, 2021
Latest research has demonstrated a new exploit that enables arbitrary data to be uploaded from devices that are not connected to the Internet by simply sending "Find My" Bluetooth broadcasts to nearby Apple devices. "It's possible to upload arbitrary data from non-internet-connected devices by sending Find My [Bluetooth Low Energy] broadcasts to nearby Apple devices that then upload the data for you," Positive Security researcher Fabian Bräunlein said in a technical write-up disclosed last week. The study builds on a previous analysis by TU Darmstadt published in March 2021, which disclosed two distinct design and implementation flaws in Apple's crowdsourced Bluetooth location tracking system that could lead to a location correlation attack and unauthorized access to a user's location history of the past seven days. The investigation was augmented by the release of a framework called OpenHaystack that's designed to let any user create an ...
