In the fast-paced world of technology, privacy has become one of the biggest challenges users face on a daily basis. Recently, researchers from George Mason University uncovered a critical vulnerability in the Find My network that allows hackers to turn any Bluetooth-enabled device into a tracking device without the owner’s knowledge. In this article, we’ll go over the details of this disturbing discovery, how it works, and what you can do to protect yourself from this threat.
When your devices become an eye watching you
Imagine your mobile device, gaming console, or even your Bluetooth-enabled car suddenly turned into a tracking device that can reveal your precise location without you even knowing. This isn’t a scenario from a science fiction movie; it’s a reality researchers discovered this month. The vulnerability, dubbed “nRootTag,” targets Apple’s Find My network, which was developed to help users locate their lost devices. But instead of protecting users, it can be easily exploited to track them down.
What is Find My Network and how does it work?
Find My is Apple’s innovative system that relies on Bluetooth technology to track lost devices like AirTags or other Apple devices. The idea is simple: When a device like an AirTag sends out a Bluetooth signal, nearby Apple devices like an iPhone or iPad pick it up, and those devices then send location data to Apple’s servers anonymously. The owner of the device can then find out where it is via the Find My app.
This system relies on millions of connected devices around the world, making it exceptionally efficient. But this heavy reliance on Bluetooth and encryption is also what exposes it to the kind of vulnerability the researchers discovered.
nRootTag Vulnerability: How Does It Turn Your Devices Into Spying Tools?
Researchers discovered that the encryption keys used by the Find My network could be manipulated to trick the system into thinking that a regular Bluetooth device like a laptop or game controller was a legitimate AirTag. In other words, attackers could turn any Bluetooth-enabled device into a tracking device without needing physical access or privileges. The precision of this process is frightening, and the results are astonishing.
Experiments showed that the exploit is 90% successful at locating devices, and that a device can be located in just a few minutes. The researchers were able to track a stationary computer to within 3 meters, and even reconstruct the path of a drone based on the location of a game console that was on board.
Why is this worrying?
It’s not just about hacking your device, it’s about knowing where you are. For example, if a smart lock in your home is hacked, that’s really concerning, but if the attacker knows the exact location of your home, it becomes even more dangerous.
How is the attack carried out?
Although the attack requires significant computing power, with the researchers using hundreds of GPUs, this is no longer a major obstacle. These resources can be easily and affordably rented through cloud computing services, a common practice in the cryptocurrency mining community.
The most worrying part is that the attack can be carried out remotely without having to touch the target device. This means that anyone with the knowledge and resources can target you from anywhere in the world.
Apple's response: Is the issue resolved?
Researchers reported the vulnerability to Apple in July 2024, and Apple announced that it had strengthened the Find My network in software updates released in December 2024 to protect users from this type of attack. But is that enough?
Even with these fixes, researchers warn that the vulnerability could persist for years, because many users don’t update their devices regularly. The vulnerability will remain in the Find My network as long as there are devices that haven’t been updated, until those devices gradually stop working, which could take years.
How do you protect yourself from this threat?
The good thing is, there are steps you can take to reduce the risk of this vulnerability:
◉ Update your devices regularly, and make sure you have the latest security updates installed on all your Bluetooth-enabled devices.
◉ Review app permissions, be careful with apps that request Bluetooth access, and only grant permission to trusted apps.
◉ Turn off Bluetooth when you are not using it, to reduce the risk of tracking.
While these steps won't eliminate the risk completely, they will make you much more difficult to target.
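A defender-side check for the behaviour described above, a non-Apple device advertising as if it were an AirTag. This is an added example, not code from the article or the researchers; the byte layout it looks for is assumed from public OpenHaystack research, and the device names and payloads are constructed samples.

```python
# Flag Find My-style "lost device" beacons in BLE advertising payloads
# captured from your own hardware.
# Assumed layout (public OpenHaystack research, not given in this article):
# AD type 0xFF, company ID 0x004C (Apple), then type 0x12 and length 0x19.
APPLE_COMPANY_ID = 0x004C
MANUFACTURER_DATA = 0xFF
OFFLINE_FINDING_TYPE = 0x12
OFFLINE_FINDING_LEN = 0x19

def ad_structures(payload: bytes):
    """Yield (ad_type, data) per length-type-value structure; stop on truncation."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            return  # padding or truncated structure
        yield payload[i + 1], payload[i + 2 : i + 1 + length]
        i += 1 + length

def is_find_my_advert(payload: bytes) -> bool:
    """True if the payload carries an Apple offline-finding beacon."""
    for ad_type, data in ad_structures(payload):
        if ad_type != MANUFACTURER_DATA or len(data) < 4:
            continue
        company = int.from_bytes(data[:2], "little")
        if (company == APPLE_COMPANY_ID
                and data[2] == OFFLINE_FINDING_TYPE
                and data[3] == OFFLINE_FINDING_LEN
                and len(data) == 4 + OFFLINE_FINDING_LEN):
            return True
    return False

def audit(captures: dict) -> list:
    """Names of non-Apple devices whose adverts look like Find My beacons."""
    return sorted(name for name, (is_apple, adverts) in captures.items()
                  if not is_apple and any(is_find_my_advert(a) for a in adverts))

# Constructed sample payloads (not real captures); key bytes zeroed.
FIND_MY_SAMPLE = bytes([0x1E, 0xFF, 0x4C, 0x00, 0x12, 0x19]) + bytes(25)
FLAGS_ONLY_SAMPLE = bytes([0x02, 0x01, 0x06])
OTHER_VENDOR_SAMPLE = bytes([0x05, 0xFF, 0x06, 0x00, 0x01, 0x02])
SAMPLE = {  # device name -> (is an Apple device?, advertisements seen)
    "linux-laptop": (False, [FLAGS_ONLY_SAMPLE, FIND_MY_SAMPLE]),
    "game-controller": (False, [FLAGS_ONLY_SAMPLE, OTHER_VENDOR_SAMPLE]),
    "iphone": (True, [FIND_MY_SAMPLE]),
}
```

Calling `audit(SAMPLE)` lists only the non-Apple laptop, since a genuine Apple device emitting such a beacon is expected behaviour.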
Conclusion
The nRootTag bug reminds us that the technology we rely on can be a double-edged sword. The Find My network, designed to make our lives easier, is now a concern because of its potential for exploitation. While Apple has worked to address the issue, your role as a user remains crucial in protecting your privacy.
Damn this technology, looks like I'll just have to go back to the landline!
Air tag. Every time I take it with the key, it makes a sound.
Hi Salman 🙋♂️, It seems to be normal because when the AirTag is near your device, it makes a sound to make it easier to find. Don't worry, there's no problem with that. Enjoy your smart device experience with Apple! 🍏👌