Apple's "Find My" location network can be abused by malicious actors to stealthily transmit sensitive information captured by keyloggers installed in keyboards. The Find My network and application is designed to help users locate lost or misplaced Apple devices, including iPhones, iPads, Macs, Apple Watches, AirPods, and Apple Tags. The service relies on GPS and Bluetooth data crowd-sourced from millions of Apple devices worldwide to find devices reported as lost or stolen, even if those are offline. Lost devices send Bluetooth signals in a constant loop detected by nearby Apple devices, which then anonymously relay their location to the owner through the Find My network. The potential to abuse Find My to transmit arbitrary data besides just device location was first discovered by Positive Security researchers Fabian Bräunlein and his team over two years ago, but apparently, Apple addressed this problem. The analysts have even published their implementation on GitHub, called 'Send My,' which others can leverage for uploading arbitrary data onto Apple's Find My network and retrieving it from any internet-enabled device anywhere in the world. As first reported on Heise, the researchers created a proof-of-concept hardware device to better highlight the risk to the public. They integrated a keylogger with an ESP32 Bluetooth transmitter into a USB keyboard to show that it's possible to relay passwords and other sensitive data typed on the keyboard through the Find My network via Bluetooth. Bluetooth transmission is far stealthier than WLAN keyloggers or Raspberry Pi devices that can be easily noticed in well-guarded environments, and the Find My platform can covertly leverage omnipresent Apple devices for the relay. The keylogger doesn't have to use an AirTag or an officially supported chip, as Apple devices are tuned to respond to any Bluetooth message. If that message is appropriately formatted, the receiving Apple device will create a location report and upload it to the Find My network. The sender needs to create many slightly different public encryption keys simulating multiple AirTags and encode arbitrary data into the keys by assigning specific bits at predetermined positions in the keys. The PoC attack achieved a transmission rate of 26 characters per second and a reception rate of 7 characters/sec, with a latency of between 1 and 60 minutes, depending on the presence of Apple devices at the keylogger's range. The best part is that Apple's anti-tracking protections that notify users Air Tags might be tracking them are not activated by the stationary keylogger inside the keyboard, so the device remains hidden and unlikely to be discovered. BleepingComputer has asked Apple for a statement on the abuse of Find My, but we have not received a response by publication time. Flipper Zero can be used to launch iOS Bluetooth spam attacks. Flipper Zero Bluetooth spam attacks ported to new Android app. Flipper Zero can now spam Android, Windows users with Bluetooth alerts. France says Russian state hackers breached numerous critical networks. New iLeakage attack steals emails, passwords from Apple Safari.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000