Openhaystack
5/16/2023

The entire security is based on encryption, and the encrypted location can only be decrypted with the corresponding private key, which is stored only on the paired device and cannot be broken via brute force, Bräunlein explains. Because the location is encrypted, Apple doesn’t know which key belongs to which lost device or which report is intended for a certain user.

Finally, the user whose device got lost can use another Apple device they own to access the approximate location of their lost device. The public key is delivered via the Bluetooth Low Energy advertisement packet.

Due to this, when an Apple device within Bluetooth range picks up the broadcast, its location is fetched and encrypted using the public key, and the encrypted location is then sent to iCloud. The broadcast would get picked up by any nearby Apple devices and automatically transmitted to Apple’s servers.

A core element of Find My is the use of a public-private key pair that gets changed once every 15 minutes. The recent release of the OpenHaystack framework, which allows users to use AirTags to track their personal belongings via the Find My network, further elevated the importance of the investigation into the potential flaws of the network.

Another thing to be noted here is that, through reverse engineering, it may also be possible to upload arbitrary data to Apple’s servers through broadcasting it to nearby Apple devices using the Find My app. According to that analysis, the reported flaws could be used to gain unauthorized access to the location history of the user for the last seven days. The research is a continuation of an earlier security analysis that was published in March this year, where two flaws were reported in Apple’s crowdsourced Bluetooth location tracking system.
A recent research report reveals a newly found exploitable flaw in the Find My network that could allow attackers to upload arbitrary data to targeted user devices.

According to Fabian Bräunlein, a researcher at Positive Security, a hacker could even use a device that’s not connected to the Internet to upload arbitrary data to nearby Apple devices by broadcasting through the Find My network.

Bräunlein explains that it may not be possible to completely prevent such a misuse due to how integral the Find My Offline Finding System is to Apple devices.
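
The report flow this article describes (a rotating key pair, the public key in the Bluetooth advertisement, a finder encrypting its location to that key, the owner decrypting) is sketched below as an added example; it is not code from the article, Apple or OpenHaystack. The toy Diffie-Hellman group, the XOR keystream and the hashed-public-key index are assumptions standing in for details this page does not give.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group, an assumed stand-in for the real public-key scheme.
# Illustration only: far too weak for production use.
P = 2**255 - 19
G = 2

def new_keypair():
    """Accessory side: one key pair per 15-minute window."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def _derive(shared, label):
    return hashlib.sha256(label + shared.to_bytes(32, "big")).digest()

def key_id(pub):
    """Assumed server-side index: a hash of the advertised public key."""
    return hashlib.sha256(pub.to_bytes(32, "big")).hexdigest()

def finder_report(advertised_pub, location):
    """Finder side: encrypt its own location to the key heard over BLE."""
    if len(location) > 32: raise ValueError("location longer than keystream")
    eph_priv, eph_pub = new_keypair()
    shared = pow(advertised_pub, eph_priv, P)
    ct = bytes(a ^ b for a, b in zip(location, _derive(shared, b"enc")))
    tag = hmac.new(_derive(shared, b"mac"), ct, hashlib.sha256).digest()
    return key_id(advertised_pub), (eph_pub, ct, tag)

def owner_decrypt(priv, report):
    """Owner side: only the matching private key recovers the location."""
    eph_pub, ct, tag = report
    shared = pow(eph_pub, priv, P)
    expected = hmac.new(_derive(shared, b"mac"), ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong private key or tampered report
    return bytes(a ^ b for a, b in zip(ct, _derive(shared, b"enc")))

def demo():
    server = {}  # all the server holds: key id -> opaque report
    windows = [new_keypair() for _ in range(3)]  # three 15-minute windows
    _, pub = windows[1]  # the accessory is currently advertising window 1
    kid, report = finder_report(pub, b"52.5200,13.4050")  # constructed sample
    server[kid] = report
    # The owner asks for every key id it could have advertised, decrypts hits.
    found = [owner_decrypt(p, server[key_id(q)]) for p, q in windows if key_id(q) in server]
    stranger_priv, _ = new_keypair()
    return found, owner_decrypt(stranger_priv, report)

if __name__ == "__main__":
    print(demo())
```

The `server` dictionary holds only a hash and ciphertext, which is why the operator cannot tell which device a report belongs to or read the location in it.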