nRootTag

Nathan Kahl (post, Hacker News, MacRumors):

George Mason University researchers recently uncovered a way for hackers to track the location of nearly any computer or mobile device. Named “nRootTag” by the team, the attack uses a device’s Bluetooth address combined with Apple’s Find My network to essentially turn target devices into unwitting homing beacons.

“It’s like transforming any laptop, phone, or even gaming console into an Apple AirTag - without the owner ever realizing it,” said Junming Chen, lead author of the study. “And the hacker can do it all remotely, from thousands of miles away, with just a few dollars.”

The team of Qiang Zeng and Lannan Luo—both associate professors in the Department of Computer Science—and PhD students Chen and Xiaoyue Ma found the attack works by tricking Apple’s Find My network into thinking the target device is a lost AirTag. AirTag sends Bluetooth messages to nearby Apple devices, which then anonymously relay its location via Apple Cloud to the owner for tracking. Their attack method can turn a device—whether it’s a desktop, smartphone, or IoT device—into an “AirTag” without Apple’s permission, at which point the network begins tracking.

Via Filipe Espósito:

The researchers informed Apple about the exploit in July 2024 and recommended that the company update its Find My network to better verify Bluetooth devices. Although the company has publicly acknowledged the support of the George Mason team in discovering the exploit, Apple is yet to fix it (and hasn’t provided details of how it will do so).

The researchers warn that a true fix “may take years to roll out,” since even after Apple releases a new software update that fixes the exploit, not everyone will update their devices immediately. For now, they advise users to never allow unnecessary access to the device’s Bluetooth when requested by apps, and of course, always keep their device’s software updated.

Previously:

• iOS 18.2 and iPadOS 18.2
• “Find My” Privacy
• Unwanted Tracking Alerts in iOS and Android
• How “Find My” Works

AirTag Bluetooth Exploit Find My iOS iOS 18 Privacy

Comments RSS · Twitter · Mastodon

Leave a Comment

Name

E-mail (will not be published)

Web site

Δ