117
make.co
such trackers, or for logistics companies to put
one such tracker in every shipment for live-
tracking of all their goods across various delivery
subcontractors.
When considering the possibility of arbitrary
data transmission, even more possibilities
emerge:
• Low-cost, low-power distributed sensors:
Using one of the approaches outlined above, it’s
possible to upload sensor readings or any data
from IoT devices without a broadband modem,
SIM card, data plan, or Wi-Fi connectivity.
Considering the fact that Amazon is running
a network called Sidewalk, connecting Echo
devices to achieve exactly this, there seems to be
some demand for it.
One such implementation is the previously
mentioned FakeTag mailbox sensor, which uses
a vibration sensor glued to the flap to detect new
mail and continuously transmits the current mail
count via the Find My network (Figure
K
).
I heard from one person who considered using
the technique for gathering sensor readings from
a boat out in a harbor (e.g., for its bilge pump)
and got contacted by a nonprofit organization that
sees a “use for it in environmental, air quality,
and microclimate modeling, collecting data from
remote sensors.”
Since the Finding devices cache received
broadcasts until they have an internet connection,
the sensors can even transmit data from areas
without mobile coverage as long as iPhone users,
even just briefly, pass through Bluetooth range —
about 50 meters depending on the environment,
hardware, and transmission power.
• Data exfiltration: In the world of high-security
networks, visitors’ Apple devices might become
feasible intermediaries to exfiltrate data from
certain air-gapped systems or Faraday-caged
rooms. Even where another connection to
the outside exists, Find My can act as a covert
channel that is less likely monitored than for
instance a normal IP connection. Also note that
newer iPhones at least remain findable — with
Bluetooth, NFC, and UWB radios still running —
even when the device is powered off.
Conclusion
We’ve shown how to create AirTag clones that
are compatible with Apple’s Find My network and
how those clones’ capabilities can even surpass
the original AirTag’s. In particular, it’s possible
to send arbitrary data over the network and to
bypass all of Apple’s “anti-stalking features,”
making the technology also appealing again in
anti-theft (or anti-kidnapping) scenarios.
Both the possibility to use the Find My
network with “unauthorized trackers” as well
as the described weaknesses are inherent to
the privacy-focused design of the system. One
interesting trade-off lies in Apple wanting AirTags
to be untrackable via Bluetooth (to prevent a
network of distributed Bluetooth receivers from
tracking devices over a longer period) while
relying exactly on this trackability for triggering
reliable stalking warnings.
As in the current Find My design, Apple can’t
limit its usage to only genuine AirTags (and official
partners’ devices), they need to take into account
threats of custom-made beacons (or AirTags with
modified firmware) that might implement the
Find My protocol in weird or malicious ways.
For hackers and makers, however, unless
there’s is a major redesign of the Find My offline
finding protocol, this ecosystem will likely stay
open to be explored and tinkered with.
FABIAN BRÄUNLEIN
is an IT
security researcher and co-founder
of Positive Security (positive.security).
He has a thing for explotng protocols
and has uncovered weaknesses in
systems from payment and booking
to IP cameras and smart speakers.
Fabian Bräunlein, Daniel Dakhno
Learn more about Find My and
AirTags: arxiv.org/pdf/2103.02282.pdf
and adamcatley.com/AirTag.html
K
M83_110-17_SB_AirTags_F1.indd 117M83_110-17_SB_AirTags_F1.indd 117 10/11/22 12:08 PM10/11/22 12:08 PM
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.