- Aug 17, 2014
Apple’s “Find My device” function for helping people track their iOS and macOS devices can be exploited to transfer data to and from random passing devices without using the internet, a security researcher has demonstrated.
Security researcher Fabian Bräunlein with Positive Security developed a proof of concept, using a microcontroller and a custom MacOS app, that can broadcast data from one device to another via Bluetooth Low Energy (BLE). Once connected to the internet, the receiving device can then forward the data to an attacker-controlled Apple iCloud server.
Bräunlein called the method “Send My,” and posited several use cases for the method — including the benign building of a network for internet-of-things (IoT) sensors, or as way to deplete people’s mobile-data plans over time.
The misuse of Find My in this way seems nearly impossible for Apple to prevent, he said, given that the capability is “inherent to the privacy and security-focused design of the Find My offline finding system,” Bräunlein observed.
The ‘Send My’ exploit can use Apple's locator service to collect and send information from nearby devices for later upload to iCloud servers.