
Apple’s “Find My” Network Leaks Passwords from Keylogger Keyboards

Apple’s “Find My” service, designed to help users track down forgotten or lost Apple gadgets including iPhones, iPads, Macs, Apple Watches, AirPods, and Apple Tags, has unfortunately turned out to be open to misuse by threat actors.

Threat actors can use the “Find My” network to exfiltrate data collected by keyloggers, which are often hidden inside keyboards.

The programme uses GPS and Bluetooth data collected from millions of Apple devices worldwide to locate gadgets reported as lost or stolen, even when they are offline. A lost gadget emits Bluetooth signals that are picked up by nearby Apple devices. Those devices then anonymously relay a location report to the owner through Apple’s “Find My” network.

This service is useful to users of Apple since it uses a global network of Apple devices for recovery objectives. However, its vast capability and reach have prompted serious concerns.

Research has revealed vulnerabilities in the system, raising concerns about exploitation by malicious actors. Extra precautions are needed to safeguard user information and privacy.

More than two years ago, researchers from Positive Security, notably Fabian Bräunlein and his colleagues, discovered that Find My could be used to share not just device position but arbitrary data. However, it appears that Apple has since addressed this issue.

The analysts have released their implementation, dubbed ‘Send My,’ on GitHub. With it, data can be uploaded to Apple’s Find My network and retrieved from any internet-connected device anywhere in the world.

Keylogger Exploits in Apple’s “Find My” Network

The researchers updated their proof-of-concept to emphasise the significance of the issue. They demonstrated the covert transfer of passwords and other data over Bluetooth signals via Apple’s “Find My” network.

They did this by integrating a keylogger and an ESP32 Bluetooth transmitter into a USB keyboard. Using Bluetooth offers an extra degree of stealth compared to standard WLAN keyloggers or Raspberry Pi devices, making the implant harder to detect in restricted settings.

Attack Diagram in a General Context (Positive Security)

The keylogger in the experiment connects to nearby Apple devices over Bluetooth without needing an AirTag or an officially approved chip. By carefully formatting its broadcasts, it gets the receiving Apple devices to generate location data, which they then upload to the Find My network on its behalf.

Unlike WLAN keyloggers or Raspberry Pi devices, which may draw attention, Bluetooth communication is more discreet. Because the Find My platform invisibly uses ubiquitous Apple devices as relays, the activity is effectively anonymous.

Keyloggers do not require an AirTag or an officially approved chip. Apple products are built to respond to any suitably formed Bluetooth transmission. If the transmission is set up correctly, the receiving Apple device produces a location report and uploads it to the Find My network.

The sender generates many slightly different public encryption keys, effectively cloning several AirTags. By carefully arranging bits within these keys, it encodes arbitrary data, such as keylogger captures. Recovering the transmitted data at the receiving end means fetching many reports from the cloud, decoding them and concatenating the results.

Effectively Encrypt Data and Message Bits for Find My Transmissions (Positive Security)

When retrieving data, the receiving app creates two otherwise identical 28-byte arrays for each bit, one for a 0 and one for a 1. In the request to Apple’s API, these arrays are SHA-256 hashed and function as the “public keys” being looked up. The trick is that only one of the two key IDs has location reports, and that one reveals the bit’s value.

At the receiving end, the bits decoded from many cloud-retrieved reports are concatenated to reconstruct the specific data, such as the keylogger’s captures.
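To make the bit-by-bit scheme concrete, here is an added Python simulation (not Positive Security’s Send My code): the Find My cloud is replaced by an in-memory set of key IDs that received a report, and the layout of the 28-byte key (bit index, bit value, message ID, modem ID, zero padding) is an assumption made for this example.

```python
"""Simulation of the per-bit key-ID encoding described above. Added example,
not Positive Security's code; the 28-byte key layout is assumed and the
'cloud' is a local set of key IDs that received a report."""
import hashlib

KEY_LEN = 28  # size of the per-bit 'public key' array the article describes

def candidate_key(msg_id: int, bit_index: int, bit: int, modem_id: int) -> bytes:
    """Build the 28-byte array for one bit. The two candidates for a given
    bit index differ only in the bit-value byte (assumed layout)."""
    raw = (bit_index.to_bytes(2, "big") + bytes([bit])
           + msg_id.to_bytes(4, "big") + modem_id.to_bytes(4, "big"))
    return raw.ljust(KEY_LEN, b"\x00")

def key_id(pubkey: bytes) -> bytes:
    """Key ID looked up in the cloud: SHA-256 of the 28-byte array."""
    return hashlib.sha256(pubkey).digest()

def encode_message(data: bytes, msg_id: int, modem_id: int) -> list[bytes]:
    """Sender side: one key ID per bit, built from the bit's actual value (MSB first)."""
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    return [key_id(candidate_key(msg_id, i, b, modem_id)) for i, b in enumerate(bits)]

def decode_message(reported: set, msg_id: int, modem_id: int, num_bytes: int) -> bytes:
    """Receiver side: for every bit index, derive both candidate key IDs and
    check which one has reports. A bit with reports for neither (not relayed
    yet) or for both (ambiguous) cannot be decided and raises an error."""
    out = bytearray()
    for byte_idx in range(num_bytes):
        value = 0
        for i in range(8):
            idx = byte_idx * 8 + i
            has0 = key_id(candidate_key(msg_id, idx, 0, modem_id)) in reported
            has1 = key_id(candidate_key(msg_id, idx, 1, modem_id)) in reported
            if has0 == has1:
                raise ValueError(f"bit {idx}: no report yet or ambiguous")
            value = (value << 1) | int(has1)
        out.append(value)
    return bytes(out)

def roundtrip(data: bytes, msg_id: int = 7, modem_id: int = 0x1234) -> bytes:
    """Constructed end-to-end run: the 'cloud' is simply the set of broadcast key IDs."""
    cloud = set(encode_message(data, msg_id, modem_id))
    return decode_message(cloud, msg_id, modem_id, len(data))
```

Note that the receiver must look up two key IDs per bit, which is why the per-Apple-ID lookup limit discussed later in the article matters for throughput.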

Efficient Data Retrieval and Decoding on macOS (Positive Security)

The researchers used a $50 USB keyboard and a Bluetooth-capable “EvilCrow” keylogger to build a data-siphoning gadget. In a proof-of-concept attack, data transfer speeds reached up to 26 characters per second when Apple devices were in range and 7 characters per second otherwise. The broadcast delay ranged from one to sixty minutes.

Although not lightning-fast, this speed is enough for attackers seeking short pieces of sensitive information, such as passwords. The waiting time therefore becomes an acceptable trade-off for malicious actors.

Keyloggers that stay stationary inside keyboards are not flagged by Apple’s anti-tracking protections. This hidden design makes them difficult to detect and mitigate.

The tracking network’s design makes such attacks hard to prevent. As a security measure, Apple could consider identifying and blocking unusual activity. In high-security environments, a strict policy can require staff members and guests to hand in their MacBooks, iPads, and iPhones or, at the very least, to turn off tracking features.

Apple may cache the requested key IDs even though it cannot verify whether they match the user’s AirTag. As a safeguard, only 16 new key IDs every 15 minutes per Apple ID are accepted. This simple rate limit is prone to circumvention by cycling through multiple free Apple IDs to retrieve the data.
