Security researchers investigating the Find My network used by Apple’s AirTags, have been able to piggyback on the system to send data that Apple can neither monitor nor, apparently, prevent.
It’s not something that can be easily replicated, nor is it something that could mean AirTags users face any issues of malware. However, it is reportedly possible for the Find My network to be subverted to send encoded messages between devices, albeit very short messages.
According to Berlin-based IT security consultancy Positive Security, “it’s possible to upload arbitrary data from non-internet-connected devices” by sending Find My-style broadcasts. These are then picked up by Apple devices, in just the way that a lost AirTag uses passing iPhones to report it location.
“While I was mostly just curious about whether it would be possible,” wrote consultant Fabian Braunlein in a blog post, “I would imagine the most common use case to be uploading sensor readings or any data from IoT devices without a broadband modem, SIM card, data plan or Wi-Fi connectivity.”
So in theory, a correctly configured device could broadcast a Bluetooth LE signal just as AirTags do. Then when an Apple device is nearby, that device will register the signal and relay it.
“With Amazon running a similar network called Sidewalk that uses Echo devices there might very well be demand for it,” continues Braunlein. “Since the Finding devices cache received broadcasts until they have an Internet connection, the sensors can even send out data from areas without mobile coverage as long as people pass the area.”
More sinisterly, Braunlein posits that this could be used to “exfiltrate data from certain airgapped systems or Faraday caged rooms.” Devices within such spaces might be insulated from the internet, but they could conceivably pass data to an iPhone belonging to a visitor walking by.
One more generally-useful finding is that, according to Positive Security, there doesn’t appear to be a technical reason why users can only have a limited number of AirTags.
“In this light, the stated restriction of 16 AirTags per Apple ID seems interesting, as to me it does not seem that Apple can currently enforce this,” says Braunlein.
Stay on top of all Apple news right from your HomePod. Say, “Hey, Siri, play AppleInsider,” and you’ll get latest AppleInsider Podcast. Or ask your HomePod mini for “AppleInsider Daily” instead and you’ll hear a fast update direct from our news team. And, if you’re interested in Apple-centric home automation, say “Hey, Siri, play HomeKit Insider,” and you’ll be listening to our newest specialized podcast in moments.