New Apple Wi-Fi Vulnerability Exposes Real-Time Location Data

Apple Wi-Fi vulnerability risks real-time location leaks; researchers demonstrate potential covert tracking with AirTags.


Aside from Find My, maps, routes, and emergency SOS, Apple's location services are quite handy, and they have many useful features. A research team at the University of Maryland has uncovered a critical vulnerability in Apple's location services, which might allow an unauthorized person to access the location information of millions of routers and potentially even information about a person's movements in a matter of seconds. 

According to Krebs on Security, Erik Rye and Dave Levin from the University of Maryland have found that Apple's location services behave strangely. Information can be smuggled from one place to another over the air by way of a passing Apple device, ending up on a computer on the other side of the world, without any other connection to the internet at all.

Using Bluetooth Low Energy (BLE) broadcasts and microcontrollers programmed to function as modems, Fabian Bräunlein, co-founder of Positive Security, devised a way of transmitting a limited amount of arbitrary data from devices without an internet connection to Apple's iCloud servers, from which he can subsequently retrieve it with a Mac application. He dubbed his proof-of-concept service Send My in a blog post published on Wednesday.

When enabled, the Find My network on Apple devices functions as a crowdsourced location-tracking system. Participating devices broadcast via BLE to nearby listening Apple devices, which relay the data back to Cupertino's servers through their own network connection. Through Find My iPhone, the iOS/macOS version of the company's Find My app, authorized device owners can then receive location reports about enrolled hardware from iCloud.

To reduce energy consumption, smartphone manufacturers are turning to alternatives to GPS and its constant queries. To determine a device's precise location, the data from surrounding Wi-Fi networks is analyzed, and the position is calculated from the number of networks detected and how strong each signal is at the moment. For this purpose, Apple and Google each maintain a database of active Wi-Fi networks (a Wi-Fi-based Positioning System, or WPS), which saves a great deal of calculation time.

The researchers discovered an oddity in Apple's WPS: it sends the necessary data to the user's device so that the device can make these calculations locally, rather than performing the calculation on the server. Apple's WPS server also appears to return up to 400 other known Wi-Fi networks in the approximate vicinity of the device, drawn from its location database crowdsourced from users.

From this list, the requesting device looks for eight possible matches and then calculates its location from that data. In WPS, each network is identified by its so-called BSSID (Basic Service Set Identifier), which corresponds to the MAC address of the router hosting the network and is usually static. For his data exfiltration scheme, Bräunlein used ESP32 microcontrollers running OpenHaystack-based firmware, because the firmware can broadcast a hardcoded default message and listen for new data over the serial port.
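To make the WPS mechanism in the last three paragraphs concrete, here is an added toy model (not Apple's code or API) of a Wi-Fi positioning service: a client reports the BSSIDs it hears with their signal strengths, the server answers from a crowdsourced database, and the client computes an RSSI-weighted centroid locally. The `max_neighbors` parameter contrasts a minimal response with one that also volunteers nearby, unrequested routers, which is the over-sharing the researchers found; the database entries, scan data and weighting scheme are all constructed.

```python
"""Toy Wi-Fi positioning service (WPS) modelled on the description above.
Added example: the database, API shape and weighting are constructed and
simplified, not Apple's or Google's actual service."""
import math

# Constructed crowdsourced database: BSSID (router MAC) -> (lat, lon).
# Locally administered 02:.. addresses are used so none is a real router.
WPS_DB = {
    "02:00:00:00:00:0a": (38.9860, -76.9400),
    "02:00:00:00:00:0b": (38.9870, -76.9420),
    "02:00:00:00:00:0c": (38.9850, -76.9410),
    "02:00:00:00:00:0d": (38.9900, -76.9500),  # nearby, never requested
    "02:00:00:00:00:0e": (40.7128, -74.0060),  # far away
}

def normalize_bssid(bssid):
    """Canonical lowercase colon form; '-' separators are accepted too."""
    return bssid.strip().lower().replace("-", ":")

def lookup(requested, max_neighbors=0, radius_deg=0.05):
    """Server side. Returns positions of the known requested BSSIDs. With
    max_neighbors > 0 it also volunteers other APs near them (the
    over-sharing the researchers observed); 0 is the minimal response."""
    known = {b: WPS_DB[b] for b in map(normalize_bssid, requested) if b in WPS_DB}
    if not known or max_neighbors <= 0:
        return known
    clat = sum(p[0] for p in known.values()) / len(known)
    clon = sum(p[1] for p in known.values()) / len(known)
    extra = sorted((math.hypot(lat - clat, lon - clon), b)
                   for b, (lat, lon) in WPS_DB.items() if b not in known)
    for dist, b in extra[:max_neighbors]:
        if dist <= radius_deg:
            known[b] = WPS_DB[b]
    return known

def locate(observed_rssi, response):
    """Client side: RSSI-weighted centroid of the APs the device can hear.
    dBm -> linear amplitude weight 10**(rssi/20), so a strong nearby router
    dominates; BSSIDs missing from the response are ignored."""
    total = lat_acc = lon_acc = 0.0
    for bssid, rssi in observed_rssi.items():
        pos = response.get(normalize_bssid(bssid))
        if pos is None:
            continue
        w = 10 ** (rssi / 20)
        total, lat_acc, lon_acc = total + w, lat_acc + w * pos[0], lon_acc + w * pos[1]
    return None if total == 0 else (lat_acc / total, lon_acc / total)

# Constructed scan: three routers heard by the device, signal strength in dBm.
SCAN = {"02:00:00:00:00:0A": -45, "02-00-00-00-00-0B": -60, "02:00:00:00:00:0c": -75}
```

The client's fix is identical whether or not the server volunteers neighbours, which is the point: the extra entries add nothing to positioning and only leak the locations of routers nobody asked about.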

Nearby Apple devices with Find My broadcasting enabled pick up the signals and forward them to Apple's servers. Because Apple requires authentication to access location data stored on Macs, an Apple Mail plugin running with elevated privileges is needed to obtain the location data from a macOS device. To view the unsanctioned transmissions, the user must also install OpenHaystack along with DataFetcher, a macOS application developed by Bräunlein.

This is not a high-speed attack; Send My is slow. The microcontroller can send three bytes per second and retrieve sixteen bytes in five seconds, with latency ranging from one to sixty minutes depending on the number of devices in the vicinity, so there are certainly faster channels of data transmission. That does not mean, however, that a sophisticated adversary could not find a way to exploit it.

Bräunlein added that Send My uses Apple's network infrastructure to create something akin to Amazon Sidewalk, Amazon's network for IoT devices. He pointed out that satellite networks and the global mobile network can already carry data around the world, so the threat is not a new one. Send My may nevertheless prove useful in situations where those networks are intentionally blocked or otherwise inaccessible.

Apple's design of the Find My network emphasizes privacy, aiming to maintain the anonymity of finders, prevent the tracking of owner devices, and ensure the confidentiality of location reports. However, security researcher Fabian Bräunlein asserts that this design approach complicates Apple's ability to safeguard against certain abuses. This vulnerability has sparked interest among other security researchers, who are now probing the robustness of Apple's privacy measures in various contexts. On Tuesday, security firm Intego revealed that AirTags, despite Apple's preventative measures, can potentially be used as covert tracking devices. 

Furthermore, a German security researcher known as stack smashing has successfully hacked and reflashed AirTags, showcasing another dimension of potential security risks. Upon discovering this vulnerability, the researchers reached out to Apple, Google, Starlink, and several other manufacturers. Although Apple has yet to announce any significant changes to its handling of Wi-Fi networks, it has updated a support document to provide users with an opt-out option for this data collection. 

To opt out, users need to append the character string "_nomap" to the end of their network's name (SSID). This method is also applicable to Google and its Wireless Positioning System (WPS). For Microsoft networks, users must enter their MAC address into a form so the manufacturer can add it to a block list within their database, a process that may take up to five days. The increasing scrutiny of Apple's privacy measures highlights the broader implications of interconnected device security and the ongoing challenges in balancing user privacy with functionality. This situation underscores the necessity for continuous vigilance and adaptability in addressing emerging security threats in the digital age. As the landscape of technology evolves, so too must the strategies employed to protect user data and privacy.