It is supposed to make it easier to find Apple devices - but normally not for everyone. Find My, the offline finding system from tech giant Apple, is a tracking app that can locate all of a user's Apple devices, from MacBook to AirPods. Since the tracking relies on Bluetooth signals picked up by other Apple devices nearby, it also works when the lost device is offline or switched to flight mode. This is a practical function for Apple users who want to know, for example, whether they merely forgot their iPhone in the office or whether it actually fell out of their pocket in the subway on the way home.
Find My is also supposed to be secure: the app uses end-to-end encryption so that no one - not even Apple itself - should be able to read the location of the participating devices or track their identity. With regard to the security of this data, however, the research team of the Secure Mobile Networking Lab at TU Darmstadt, consisting of Alexander Heinrich, Milan Stute, Tim Kornhuber and Matthias Hollick, has now found multiple issues in Apple's offline finding. In their joint paper "Who Can Find My Devices?", which will be presented at the Privacy Enhancing Technologies Symposium (PETS), they describe two major security vulnerabilities.
A malicious application running on macOS could secretly access the past and current location data of all of the user's Apple devices. With this data it was then easy to identify, for example, the victim's home or workplace as frequently visited places - with a location accuracy of up to ten metres. The team reported this vulnerability to Apple along with proposed solutions; it was fixed with a software update for macOS 10.15.7 in September 2020.
But even without unauthorised access to the computer, conclusions could possibly be drawn about device owners: if two or more Apple users are in proximity and subsequently retrieve the data of their Find My app, Apple could afterwards infer this contact. Heinrich, Stute, Kornhuber and Hollick give the example of a protest where participants switch their iPhones to flight mode so that they cannot be tracked by police via the mobile phone network. In this case, the phones would still report each other via Find My. Apple claims that this data is not logged; according to the research team, however, it would be technically possible to log such encounters centrally at Apple.
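How such a contact could be inferred from server-side metadata alone, as an added illustration that is not part of the original article and is neither Apple's code nor OpenHaystack's. It models the protocol minimally and on stated assumptions: a lost device broadcasts a rotating public key over Bluetooth, a nearby finder uploads an encrypted location report filed under a hash of that key, the owner later downloads whatever is filed under the same hash, and both the upload and the download are tied to an identifiable account. The account names, keys, timestamps and ciphertext placeholders are constructed.

```python
"""Model of the contact-inference issue in an offline-finding service.

Constructed example: this is not Apple's server code and not OpenHaystack.
It assumes a minimal version of the protocol: a lost device broadcasts a
rotating public key over BLE; a nearby finder encrypts its own location to
that key and uploads the ciphertext under an identifier derived from the
key; the owner later downloads everything filed under the same identifier.
The server never decrypts anything, yet the shared identifier links the
finder's upload to the owner's download.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


def key_id(advertised_key: bytes) -> str:
    """Index under which reports for one advertised key are stored.

    Assumption: a hash of the broadcast public key. Because the key rotates
    periodically, one identifier also implies a rough time window.
    """
    return hashlib.sha256(advertised_key).hexdigest()


@dataclass(frozen=True)
class Upload:
    finder: str  # account of the device that relayed the report (assumed identifiable)
    key: str     # key_id of the advertisement it received
    t: int       # upload time as seen by the server (constructed, in minutes)
    blob: bytes  # ciphertext: opaque to the server, never decrypted here


@dataclass(frozen=True)
class Download:
    owner: str   # account asking for reports about its own device
    key: str     # key_id of the key that account's device was broadcasting
    t: int       # download time as seen by the server


def infer_contacts(uploads, downloads):
    """Map (finder, owner) -> upload times, using only server-visible metadata."""
    owners_of_key = defaultdict(set)
    for d in downloads:
        owners_of_key[d.key].add(d.owner)
    contacts = defaultdict(list)
    for u in uploads:
        for owner in owners_of_key.get(u.key, ()):
            if owner != u.finder:  # a device seeing its own beacon carries no information
                contacts[(u.finder, owner)].append(u.t)
    return {pair: sorted(ts) for pair, ts in contacts.items()}


def mutual_contacts(contacts):
    """Pairs that reported each other: both phones saw the other's beacon."""
    return {frozenset(pair) for pair in contacts if (pair[1], pair[0]) in contacts}


# Constructed scenario. Alice and Bob are at the same protest with phones in
# flight mode (still advertising over BLE); Carol is across town, seen by Dave.
# Advertised keys are placeholder byte strings, not real elliptic-curve points.
KEY_ALICE, KEY_BOB, KEY_CAROL = b"alice-key-slot-17", b"bob-key-slot-17", b"carol-key-slot-17"

UPLOADS = [
    # Reports are cached while offline and uploaded once the phone is back online.
    Upload("bob", key_id(KEY_ALICE), t=95, blob=b"<ciphertext of bob's location>"),
    Upload("alice", key_id(KEY_BOB), t=102, blob=b"<ciphertext of alice's location>"),
    Upload("dave", key_id(KEY_CAROL), t=40, blob=b"<ciphertext of dave's location>"),
    Upload("bob", key_id(KEY_BOB), t=96, blob=b"<self-report>"),  # filtered out below
]
DOWNLOADS = [
    Download("alice", key_id(KEY_ALICE), t=130),
    Download("bob", key_id(KEY_BOB), t=131),
    Download("carol", key_id(KEY_CAROL), t=60),
]

CONTACTS = infer_contacts(UPLOADS, DOWNLOADS)
MUTUAL = mutual_contacts(CONTACTS)

if __name__ == "__main__":
    for (finder, owner), times in sorted(CONTACTS.items()):
        print(f"{finder} relayed a report for {owner}'s device, uploaded at t={times}")
    print("mutual sightings:", [sorted(p) for p in MUTUAL])
```

Running it lists who relayed a report for whose device, and that Alice and Bob saw each other. Nothing is decrypted: the join is on the key identifier alone, which is why end-to-end encryption of the reports does not by itself prevent this inference, and why the question of whether such metadata is retained is the one the researchers raise.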
Finding these weaknesses in the offline finding system in the first place required a lot of time and effort from the researchers. "It took us more than a year to get a sufficiently clear picture of all the components involved in offline finding to start looking for vulnerabilities. Even now, we don't understand everything in detail," explains Stute. The research team had to painstakingly reconstruct how the app works before being able to obtain experimental proof of the security vulnerabilities. To document their work, enable further security research and thus increase the security of the closed system in the long term, the team has published an open-source framework of the offline finding system called OpenHaystack.
The work took place at the intersection of the research centres LOEWE emergenCITY and ATHENE. emergenCITY investigates how to increase the resilience of digital cities, where such location-based information plays an increasingly important role. ATHENE focuses on the security aspects of our digital society.
Hollick criticises that the time-consuming reverse-engineering process left Apple users and their data potentially vulnerable for more than a year. He calls for more transparent, open-source solutions in this area of sensitive data: "We understand that companies need to protect their intellectual property. However, we believe that systems dealing with highly personal data such as Apple's offline finding need to be openly and fully specified to facilitate timely independent analyses."
This text was first published at emergenCITY.de.