The Find My network from Apple is a potent resource for tracking the whereabouts of your devices. However, it currently has a significant security flaw that remains unaddressed. Researchers from George Mason University found that this network can be manipulated to trace nearly any Bluetooth device—not just AirTags or iPhones—by leveraging both Apple’s system and a device’s Bluetooth address.
“It’s akin to turning any laptop, smartphone, or even gaming console into an Apple AirTag without the owner’s knowledge,” explained lead researcher Junming Chen. “And the hacker can execute this from thousands of miles away with a modest investment.”
To grasp the nature of the exploit, one must understand the inner workings of the Find My network. For instance, an AirTag emits a Bluetooth signal to nearby Apple devices, which then sends that information anonymously to the Apple Cloud. The crux of the exploit is rooted in this anonymity.
The researchers, capitalizing on the cryptographic nature of the data, managed to create a key that adapts dynamically, which they termed “nRootTag.” Alarmingly, this key boasts a 90% success rate.
The team conducted tests on a diverse array of devices, achieving disconcerting results. They managed to locate a computer within a 10-foot radius and even traced an airplane’s flight path and number by monitoring a gaming console that a passenger brought aboard.
This experiment underscores the capabilities of Apple’s Find My network but also raises concerns about how easily malicious individuals could access private data. There have been instances where AirTags were used for unauthorized tracking, prompting Apple to enhance security measures in upcoming AirTag iterations. However, nRootTag extends beyond just AirTags, enabling the tracking of VR headsets, smart TVs, and various other devices with alarming ease.
Qiang Zeng, another researcher involved in the study, pointed out a particularly troubling aspect of the exploit: “While it’s concerning if someone hacks into your smart lock, it becomes even more alarming if they can simultaneously pinpoint its location. The method we’ve developed enables this.”
In July 2024, the research team notified Apple about the vulnerability, which the company has acknowledged in its update notes. However, a fix has yet to be released. Addressing this flaw, which is integral to the Find My network’s fundamental operation, may require time—potentially years, according to the researchers.
In the meantime, Chen suggests ensuring all devices and software are updated regularly and being vigilant about any applications requesting Bluetooth access, particularly those that don’t necessitate it.
