Turning a Bluetooth device into an Apple AirTag without root privileges
55 comments
·February 27, 2025hackernudes
Here is my quick summary:
Apple devices listen for BLE advertisements of a certain form to indicate a "Find My" network lost device.
The lost device advertisements mainly contain the public key part of a key pair.
The public key does not fit in the in payload of the advertisements, so it is stuffed into the address field. Edit: Only 46 bits of the full 224 bit public key is stored in the address field.
In general anyone can make a "lost device" advertisement as demonstrated by OpenHayStack[1]. The requirement is the address field needs to be fully controllable.
BLE advertisements have a header that indicates what kind of address is present (specified by 3 bits: Public, NRPA, RPA, Random Static). The lost device advertisements are supposed to be "Random Static", but the researchers found that Apple "Find My" listeners ("finders") will accept advertisements for any address type.
They use this fact to generate the private key part of a public key that matches an existing host adapter BLE address. The host adapter BLE address cannot generally be changed unless user has root/superuser privileges. This step is computationally expensive. However, private keys can be precomputed (rainbow tables) because a large chunk of the address is a manufacturer code (OUI).
fsckboy
could Android users in a place like NYC/LA/London create a mesh network of "virtual airtags" that virtually follow all the iPhones around the city advertising to each that it is mysteriously being followed endlessly? I would switch to Android to participate. (ok, that's my opsec, i'm already on Android. haha gotcha! that's my opsec, i actually have...)
swores
Even better opsec would be to avoid posting comments that reveal you to be someone who would take pleasure in tricking strangers into believing they're being stalked
bluGill
At this point the best thing is mave sure this is well known. If he has the idea you can bet evil [china, north korea, russia... should come to mind] will too. If I do it I'm harmless but it forces apple to react. If evil does that they will also hide their tracks and so we are less likely to find out while they do their harm.
neilv
It's not something I'd do, but there are a number of reasons people might do something like this, including:
1. To demonstrate technical flaws, on a purely technical basis.
2. As political action in opposition to surveillance or inadequate security measures.
3. Interest in loose-knit collaborative systems with emergent effects that people can assemble together.
4. As a fun prank, not thinking enough about how it would affect other people.
5. The point being to hurt other people, and/or to feel power over them. (This is a thing, including by organized groups/clubs on the Internet, but I think it's a small minority, and doesn't apply to the commenter.)
Incidentally, when I started skimming that comment, I thought it might be about organizing a non-proprietary, open network, for the same benefits as Apple users get, which could be great.
krupan
Hold up, how are they generating a private key from a public key? That's supposed to be very difficult.
Are you saying that a large chunk of the key (private key or public key?) is a manufacturer code? That's insane
avidiax
> Hold up, how are they generating a private key from a public key?
They are not. They are generating a private/public key pair where the first 46 bits of the public key happen to match the victim's BLE address.
The find-my network then accepts beacons (encrypted with the attacker's private key) from this address, and stores it in iCloud to be retrieved by the attacker via the 46-bit prefix.
rahimnathwani
They pregenerate the key pairs. The trojan sends the MAC to the server, and the server looks in its (precomputed) stash of key pairs, to find a public key that matches.
lelandbatey
They're brute-forcing the generation of a public key using random private keys. The exact private key doesn't matter. The full length of the generated public key doesn't even matter, only the first 46 bits. Since they only need to find a public key matching those 46 bits instead of the full 226 bits, that makes a brute force search possible.
helsinki
Hm, interesting. 2^46 is only 70 trillion, so yeah, totally computationally feasible. So, if i understand correctly, they only need a GPU to generate a database of 70 trillion private / public keys? Damn, not bad.
sodality2
An interesting thing to note from the article is that this isn't just a garden variety jailbreak/adversarial interoperability with a BLE protocol. It lets you turn someone else's device into an airtag, then track its location.
> In addition, we appreciate the help from the Apple Security Team for their prompt responses and acknowledgement. Apple recently released patches in iOS 18.2, visionOS 2.2, iPadOS 17.7.3, 18.2, watchOS 11.2, tvOS 18.2, macOS Ventura 13.7.2, Sonoma 14.7.2, Sequoia 15.2 to fix the vulnerability. However, the attack remains effective as long as unpatched iPhones or Apple Watches are in the proximity of the computer running our trojan.
Seems like a pretty bad vulnerability to just hope 1.5B iPhones alone update soon enough. I know people still on iOS 17/16... All of them are now complicit.
But I'm happy to see my state represented in security research :)
rahimnathwani
It lets you turn someone else's device into an airtag, then track its location.
Limeray
[dead]
jeroenhd
Seems like a good way to physically pin down where a hacked computer may be located. Could be useful for people like ransomware authors who infect devices all over the world.
Nothing new, really. Apple created a worldwide network of location scanning devices and this is just leveraging the power Apple already has. The genie is out of the bottle now, and live location tracking has become almost trivial.
So, seeing how this is able to allow a device to be tracked without an alternative bluetooth stack: could the Find My network be (ab)used to geolocate devices without a GPS receiver? If a device broadcasts BLE packets and then queries its own location, that should give a pretty accurate location, shouldn't it? Might save some power if the 5G antenna is active already anyway, assuming there's an Apple user nearby.
ctkhn
I get that this is an attack, but if I could get this on my own non-apple bluetooth devices that would be really convenient.
1024core
This was posted a month ago: https://news.ycombinator.com/item?id=42835772
mannyv
The problem with this exploit is it needs something on the device that sends out BLE packets.
This is hardly the problem that it's made out to be.
Excellent PR team - every other site reporting makes it sound like they broke FmF. but with a process on the device the device has already been pwnd.
jeroenhd
It's a matter of time before advertising SDKs within any ad-supported apps will start leveraging this to geolocate users without additional permissions. Especially for apps that already have location permissions (something as simple as a weather app) this will hardly be noticed.
gruez
>It's a matter of time before advertising SDKs within any ad-supported apps will start leveraging this to geolocate users without additional permissions.
They still need bluetooth permissions, which is going to be sus for your average flashlight/weather/game app.
>Especially for apps that already have location permissions (something as simple as a weather app) this will hardly be noticed.
If the app already has location permissions, why would they need to pull off this attack? They get the user's location directly.
dmitrygr
Won't work on iOS. An app cannot simply get the local MAC address on iOS. Privacy reasons. And trying all the (2^8)^3 options will also not work - for power reasons you'll be quickly throttled.
jimiasty
You don't need MAC address - you just need the iPhone to broadcast specific BLE advertising packet/payload.
Using Core Bluetooth API it is trivial, but you need to either: a) create an app that does it and user has to download it b) modify SDKs existing in apps (e.g. Ad SDKs)
Also turning app/phone into a "BLE beacon" is only possible when app running in the foreground (on iOS).
internetter
How does this differ from https://github.com/seemoo-lab/openhaystack
Edit: It works without root. Follow up question: Can these discoveries improve openhaystack?
layer8
It doesn’t require installing a custom Bluetooth firmware.
saagarjha
Well they copied the diagrams from there for one
Rebelgecko
Nice. I have some Chipolo trackers but the tracking is pretty bad compared to air tags. Would this approach let me make them trackable via Apple's network too?
prepend
I wonder if Apple will keep this open out of the kindness of their heart. Or all these unintended uses will result in them locking down their network.
I guess all my Apple devices are looking for this and sharing it to Apple and wonder how much that data adds up.
layer8
They already fixed it in recent updates, but many non-updated devices will remain around for quite a while. It’s not fixable server-side.
ww520
I never knew Apple let anyone access the lost announcement messages from the AirTags sent through iCloud.
layer8
You need the private key associated with the AirTag in order to decrypt the result.
octoberfranklin
... and an Apple Account with an SMS-verified telephone number.
And of course by requesting a result, you're letting Apple know that your Apple Account cares about a particular Airtag.
All the FindMy anonymity claims go out the window as soon as you actually lose something and want to find it. It's only anonymous if you don't query the network.
devmor
Does anyone know if the fix for this vulnerability removes the ability to use your own arbitrary BLE devices on the FindMy network? I haven't personally looked through the technical details of how that has been accomplished in the past, but it sounds up front like it might.
rahimnathwani
It does not remove that ability.
ck2
um, can't this be abused to flood the system like a ddos?
I wonder if it would make it easier to generate a non-true RSA key that had p or q not prime. There are some signs that this might work[1]. If constructing such key with a specific prefix could be done fast, then a server with precomputed keys wouldn't be needed. Of course, this would make the encryption insecure, but the attacker might not care about someone else potentially decrypting victim's location.
[1]: https://crypto.stackexchange.com/q/52240