Latest research has demonstrated a new exploit that enables arbitrary data to be uploaded from devices that are not connected to the Internet by simply sending “Find My Bluetooth” broadcasts to nearby Apple devices.
“It’s possible to upload arbitrary data from non-internet-connected devices by sending Find My [Bluetooth Low Energy] broadcasts to nearby Apple devices that then upload the data for you,” Positive Security researcher Fabian Bräunlein said in a technical write-up disclosed last week.
“Being inherent to the privacy and security-focused design of the Find My Offline Finding system, it seems unlikely that this misuse can be prevented completely.”
The study builds on a previous study by TU Darmstadt published in March 2021, which disclosed two distinct design and implementation flaws in Apple’s crowdsourced Bluetooth location tracking system that could lead to a location correlation attack and unauthorized access to a user’s location history of the past seven days.
The investigation was augmented by the release of a framework called OpenHaystack that’s designed to let any user create an “AirTag,” enabling individuals to track personal Bluetooth devices via Apple’s…