Apple Find My network could be abused to siphon data from nearby devices


Apple’s device location tracking service, Find My, can be abused to siphon data from nearby devices and deliver it across the globe, a new report claims.

In a blog post, cybersecurity company Positive Security sets out a proof-of-concept exploit, called Send My. The exploit demonstrates that the Bluetooth Low Energy (BLE) broadcasts on which the Find My network is built can be manipulated to lift small quantities of arbitrary data, without even the need for an internet connection.

The exploit relies on special ESP32 firmware that turns a microcontroller into a modem that taps into the network of devices. In theory, it could also be used to drain mobile data plans, the post suggests.

Apple Find My network

The Apple Find My network relies on crowdsourced information, rather than GPS, to locate iOS, macOS and watchOS devices - and now, AirTags too.

If someone opts into the program, their devices will begin to communicate over BLE with other Apple technology in the area. And the volume of Apple products in circulation means these device pings can be used to build an accurate map of the location of each piece of kit.

As part of this process, however, the communications between devices are also relayed to Apple’s servers, from where the information could be later retrieved. In this case, Positive Security developed a macOS app capable of retrieving, decoding and displaying this data.

“Such a technique could be employed by small sensors in uncontrolled environments to avoid the cost and power consumption of mobile internet,” explained Fabian Bräunlein, co-founder of Positive Security. “It could also be interesting for exfiltrating data from Faraday-shielded sites that are occasionally visited by iPhone users.”

While the quantity of data that could be lifted via this method is limited and the latency is poor (up to 60 minutes), it’s thought that advanced threat actors may be able to leverage the exploit to good effect.

According to Positive Security, the privacy-centric way in which the Find My network has been architected means it may be impossible for Apple to block off the attack vector.

Apple did not respond to a request for comment.


Via The Register

Joel Khalili
News and Features Editor
