Apple’s huge “Where is?” Network can apparently be used to transmit character strings – piggybacking over the data connection of its own and third-party Apple devices in the vicinity. A security researcher has published tools to enable offline devices to upload short messages: In this way, a suitably prepared microcontroller can use any iPhones, iPads or Macs within Bluetooth range for data transmission and send out bits that communicate with a Query the associated Mac app and have it decoded again.
Character strings via bluetooth broadcast
AirTags and others with “Where is?” (“Find my”) compatible hardware sends a frequently changing public key via Bluetooth, which Apple devices in the vicinity perceive – and then, linked to their own location, forward it to Apple servers in end-to-end encrypted form, so that the owner of the AirTag can query this.
The “Send My” tool from security researcher Fabian Bräunlein Imitates the communication path in order to also transmit the coded character strings. The microcontroller can currently send out around 3 bytes per second, the latency ranges from 1 to around 60 minutes, depending on how many Apple devices pass by in the area.
The method makes it possible, for example, to transmit data from sensors that do not have their own internet connection. Theoretically, data could even be transmitted from particularly isolated areas that actually prevent radio communication to the outside, writes Bräunlein: iPhones transmit the recorded data later to Apple’s “Where is?” server as soon as a data connection is established again. You can also try to use cellular data volume from iPhones in the vicinity – but this would require a large number of different public keys to be sent and even then the additional consumption should still be relatively low.
The security researcher believes that Apple has relatively few options to completely stop this misappropriation. Currently, for example, Bluetooth transmissions are not authenticated due to space restrictions, i.e. an iPhone cannot distinguish between a real AirTag and a microcontroller that uses the protocol reverse-engineered by other security researchers on which the Send-my tool is based.