Researchers successfully use AirTag network to send messages

AppleInsider

Security researchers investigating the Find My network used by Apple's AirTags, have been able to piggyback on the system to send data that Apple can neither monitor nor, apparently, prevent.

Apple's Find My network could be used to relay short messages

It's not something that can be easily replicated, nor is it something that could mean AirTags users face any issues of malware. However, it is reportedly possible for the Find My network to be subverted to send encoded messages between devices, albeit very short messages.

According to Berlin-based IT security consultancy Positive Security, "it's possible to upload arbitrary data from non-internet-connected devices" by sending Find My-style broadcasts. These are then picked up by Apple devices, in just the way that a lost AirTag uses passing iPhones to report it location.

"While I was mostly just curious about whether it would be possible," wrote consultant Fabian Braunlein in a blog post, "I would imagine the most common use case to be uploading sensor readings or any data from IoT devices without a broadband modem, SIM card, data plan or Wi-Fi connectivity."

So in theory, a correctly configured device could broadcast a Bluetooth LE signal just as AirTags do. Then when an Apple device is nearby, that device will register the signal and relay it.

"With Amazon running a similar network called Sidewalk that uses Echo devices there might very well be demand for it," continues Braunlein. "Since the Finding devices cache received broadcasts until they have an Internet connection, the sensors can even send out data from areas without mobile coverage as long as people pass the area."

More sinisterly, Braunlein posits that this could be used to "exfiltrate data from certain airgapped systems or Faraday caged rooms." Devices within such spaces might be insulated from the internet, but they could conceivably pass data to an iPhone belonging to a visitor walking by.

One more generally-useful finding is that, according to Positive Security, there doesn't appear to be a technical reason why users can only have a limited number of AirTags.

"In this light, the stated restriction of 16 AirTags per Apple ID seems interesting, as to me it does not seem that Apple can currently enforce this," says Braunlein.

Stay on top of all Apple news right from your HomePod. Say, "Hey, Siri, play AppleInsider," and you'll get latest AppleInsider Podcast. Or ask your HomePod mini for "AppleInsider Daily" instead and you'll hear a fast update direct from our news team. And, if you're interested in Apple-centric home automation, say "Hey, Siri, play HomeKit Insider," and you'll be listening to our newest specialized podcast in moments.

rob53

I'm waiting for someone to rip me on my comment so here goes.

Isn't this something the researcher should have contacted Apple about first? This sounds like a bug or at least something that shouldn't be possible. Now that it's known, I can see all sorts of hackers using it as a means to hack all sorts of devices. Is this really research or is it reverse engineering and/or hacking? 

dysamoria

rob53 said:

I'm waiting for someone to rip me on my comment so here goes.

Isn't this something the researcher should have contacted Apple about first? This sounds like a bug or at least something that shouldn't be possible. Now that it's known, I can see all sorts of hackers using it as a means to hack all sorts of devices. Is this really research or is it reverse engineering and/or hacking? 

Not a lot of info on the actual issue in the article, but what they’re doing (if I understood correctly) is putting unexpected passengers into the pipeline, not hacking its security, and it requires a lot of tracking messages to go back and forth in order to send anything of interest. Short strings, after quite a lot of back & forth. The bandwidth for this tactic is pretty narrow.

But check my understanding with your own reading. Follow the link to the researcher entity: 

https://positive.security/blog/send-my

shamino

This has very little to do with Air Tags.  Apple already announced that they've opened the Find-My network to third party products.

As such, anyone implementing the protocol can drop a message on the network, which can be received by any device connected to the corresponding Apple ID.

I don't see this as a way to break into anything, but it could be an interesting kind of dead drop.

As for using it to exfiltrate data from an air-gapped system, that would be a very poorly implemented air-gap.  If you're shielding equipment in a Faraday cage, then you shouldn't be allowing people to bring personal electronic devices into the cage.

robin huber

Researchers? I think of them as professional spoil sports. 

22july2013

If the article is correct, and Apple doesn't find a way to fix it, this will be a great solution to a difficult problem. As the article states, "I would imagine the most common use case to be uploading sensor readings or any data from IoT devices without a broadband modem, SIM card, data plan or Wi-Fi connectivity."

Any device which needs a small amount of data send to your iPhone without building it with a SIM, WIFI or MODEM. So for example someone could build a garage door opener which tells me whether it's opened or closed using the FIND MY network by talking to anyone's nearby iOS device using Bluetooth. (My garage door is out of range of my home, several flights downwards, but it's in range of other people's homes, cars and garages.)

However as I've said before, once people realize that strangers are using their paid bandwidth to transmit data for free, using Apple's FIND MY network on their iOS device, there will be some pushback towards Apple from the public. Apple will be unlikely to want to make third party signalling a "supported feature" because it opens up this free piggybacking making people more likely to object to paying for someone else's data on their own data plan.

Spencer314

22july2013 said:

If the article is correct, and Apple doesn't find a way to fix it, this will be a great solution to a difficult problem. As the article states, "I would imagine the most common use case to be uploading sensor readings or any data from IoT devices without a broadband modem, SIM card, data plan or Wi-Fi connectivity."

Any device which needs a small amount of data send to your iPhone without building it with a SIM, WIFI or MODEM. So for example someone could build a garage door opener which tells me whether it's opened or closed using the FIND MY network by talking to anyone's nearby iOS device using Bluetooth. (My garage door is out of range of my home, several flights downwards, but it's in range of other people's homes, cars and garages.)

However as I've said before, once people realize that strangers are using their paid bandwidth to transmit data for free, using Apple's FIND MY network on their iOS device, there will be some pushback towards Apple from the public. Apple will be unlikely to want to make third party signalling a "supported feature" because it opens up this free piggybacking making people more likely to object to paying for someone else's data on their own data plan.

The supported bandwidth is so low that this seems a silly concern. 

This kind of thing is inevitable if the Find My network is opened up, it doesn't seem like either a security risk (outside of possible use for covert channels for obscurely placed sensors, which doesn't seem like a big deal), and it is highly unlikely to become anything remotely like a bandwidth hog. 

So this is interesting, but not surprising, and not scary. 

Centris660avUser

Spencer314 said:

22july2013 said:

If the article is correct, and Apple doesn't find a way to fix it, this will be a great solution to a difficult problem. As the article states, "I would imagine the most common use case to be uploading sensor readings or any data from IoT devices without a broadband modem, SIM card, data plan or Wi-Fi connectivity."

Any device which needs a small amount of data send to your iPhone without building it with a SIM, WIFI or MODEM. So for example someone could build a garage door opener which tells me whether it's opened or closed using the FIND MY network by talking to anyone's nearby iOS device using Bluetooth. (My garage door is out of range of my home, several flights downwards, but it's in range of other people's homes, cars and garages.)

However as I've said before, once people realize that strangers are using their paid bandwidth to transmit data for free, using Apple's FIND MY network on their iOS device, there will be some pushback towards Apple from the public. Apple will be unlikely to want to make third party signalling a "supported feature" because it opens up this free piggybacking making people more likely to object to paying for someone else's data on their own data plan.

The supported bandwidth is so low that this seems a silly concern. 

This kind of thing is inevitable if the Find My network is opened up, it doesn't seem like either a security risk (outside of possible use for covert channels for obscurely placed sensors, which doesn't seem like a big deal), and it is highly unlikely to become anything remotely like a bandwidth hog. 

So this is interesting, but not surprising, and not scary. 

"once people realize that strangers are using their paid bandwidth to transmit data for free"

I worked at a large telco when the iPhone was launched and when the iPad was launched. At that time, a condition of being a launch partner for each iPhone model was enabling an unrated APN which allowed data connectivity for the device even before/without a paid data allowance. This was required for the iPad use case of having an online sign up experience on the device for a data plan (it solved the chicken and egg problem). It may have changed since then but I can't imagine Apple have given up that amazing beachhead into telco land. I expect the telemetry data for the Find My network is routed over this APN so wouldn't be using a consumers paid bandwidth.