Find My, the network of iOS and macOS devices that is used by AirTag and others for location tracking, can be used to send arbitrary text to other devices. That’s the discovery of one security researcher who published their findings in a new blog post.
Researcher Fabian Bräunlein essentially created a fake AirTag to send text across the Find My network, receiving it on a remote Mac. It’s notable that it isn’t thought that the process used by Bräunlein is something Apple can easily work to block.
With the recent release of Apple’s AirTags, I was curious whether Find My’s Offline Finding network could be (ab)used to upload arbitrary data to the Internet, from devices that are not connected to WiFi or mobile internet. The data would be broadcasted via Bluetooth Low Energy and picked up by nearby Apple devices, that, once they are connected to the Internet, forward the data to Apple servers where it could later be retrieved from. Such a technique could be employed by small sensors in uncontrolled environments to avoid the cost and power-consumption of mobile internet. It could also be interesting for exfiltrating data from Faraday-shielded sites that are occasionally visited by iPhone users.
The good news is that the text that can be sent is so small it’s unlikely anyone will be able to get up to no good. But the fact still remains – arbitrary text can be transmitted via the Find My network of millions of devices, all without their owners knowing.
There’s a ton of technical information about what exactly went down over in the blog post and it’s a fascinating read if you’re so inclined.
This is all caused by the Find My network so the best Bluetooth trackers out here won’t be susceptible. Something to keep in mind if you’re at all concerned.