Welcome back to our ongoing journey into the fascinating realm of Apple’s BLE-powered services! In our previous posts, we’ve explored the foundational concepts of Bluetooth Low Energy (BLE) and delved into the intricacies of Apple’s innovative FindMy service. Today, we’re going to take a closer look at the darker side of FindMy: the potential for abuse by malicious actors. There are three distinct categories of abuse we’ll look at today.

Direct Tracking

Imagine a scenario where a small tracker discreetly attaches to a person or object - think someone placing an AirTag in your backpack. With Apple devices nearby creating location reports, an attacker could easily track the movement of the individual or item with the high precision FindMy is known for. This abuse-case poses a significant privacy risk, which is not adequately addressed by Apple’s Unwanted Tracking Detection feature.

Direct tracking using FindMy

Researchers and tinkerers quickly found ways to circumvent this feature using unofficial trackers built from commodity BLE hardware and open-source software (see here for details on how to build them and here for the software). Those trackers use the same BLE advertising format as official trackers but don’t have to follow the same rules for key rotation, which makes them basically impossible to detect reliably.

Indirect Tracking / Crowd Monitoring

The next category of abuse is indirect tracking. While the technique described below can be used for privacy-friendly crowd monitoring, it also opens the door for nefarious tracking of individuals.

Trackers strategically placed in various locations trigger nearby Apple devices to create and upload a location report that an attacker can retrieve from Apple’s servers. As those reports are uploaded in bundles and contain upload timestamps, reports from the same device can easily be identified with high confidence. This makes it possible to reconstruct the path of individuals (shown below), potentially leading to invasive surveillance. When this data is combined with external knowledge, like the location of an individual at a given time (e.g. at work), precise and undetectable tracking of individuals is possible.

Indirect tracking of individuals

The more positive use-case of crowd monitoring without infringing the privacy of individuals doesn’t rely on identifying reports created by the same device. Instead the number of reports for a specific tracker and its change over time can be used to estimate crowd density and crowd flow, as researchers detailed in a paper called “Where Is My Tag? Unveiling Alternative Uses of the Apple Find My Service”.

FindMy used for crowd-monitoring

While users currently have limited options to prevent this, Apple could implement measures such as randomizing upload times to make at least the tracking of individuals harder. For users the only effective countermeasure is to disable Bluetooth in the system settings or to use an Android phone.
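To make the two sides of this section concrete, here is a small simulation added for this post (not code from Apple, the paper, or any of the tracker projects mentioned). It models location reports as simple records with a tracker identifier and an upload timestamp; the field names, the constructed report list, and the per-report random upload delay are all assumptions for illustration and do not reflect Apple’s actual report format or upload logic. `linkability` measures how many reports share an identical upload timestamp (the property the text says makes reports from one device easy to tie together), `jitter_uploads` shows why randomized upload times would reduce that, and `crowd_density` shows the benign report-count-per-window estimate that does not depend on linking reports at all.

```python
import random
from collections import Counter, defaultdict

# Constructed sample data: three finder devices each upload one bundle of
# reports at a single timestamp. Real reports carry more fields (encrypted
# location, key material); only what this example needs is modelled here.
REPORTS = [
    # finder A: one bundle at 1_700_000_000 (saw tracker T1)
    {"tracker": "T1", "upload_ts": 1_700_000_000},
    # finder B: one bundle at 1_700_000_600 (saw T1, T2 and T3)
    {"tracker": "T1", "upload_ts": 1_700_000_600},
    {"tracker": "T2", "upload_ts": 1_700_000_600},
    {"tracker": "T3", "upload_ts": 1_700_000_600},
    # finder C: one bundle at 1_700_001_200 (saw T1 and T3)
    {"tracker": "T1", "upload_ts": 1_700_001_200},
    {"tracker": "T3", "upload_ts": 1_700_001_200},
]


def linkability(reports):
    """Size of the largest group of reports sharing an identical upload
    timestamp. Anything above 1 means reports for *different* trackers can be
    attributed to the same anonymous finder device from the timestamp alone,
    which is the correlation the text describes."""
    groups = Counter(r["upload_ts"] for r in reports)
    return max(groups.values()) if groups else 0


def jitter_uploads(reports, max_delay=3600, seed=2):
    """Mitigation sketch (assumption, not Apple's behaviour): delay each
    report by an independent random amount before upload, so reports from
    one bundle no longer carry a shared timestamp. The original records are
    left untouched."""
    rng = random.Random(seed)
    return [dict(r, upload_ts=r["upload_ts"] + rng.randint(0, max_delay))
            for r in reports]


def crowd_density(reports, window=600):
    """Benign use: number of reports per tracker per time window, a proxy
    for how many finder devices passed near each tracker. This needs no
    linking of reports to finders, so it works equally well on jittered
    data."""
    counts = defaultdict(Counter)
    for r in reports:
        bucket = r["upload_ts"] // window * window
        counts[r["tracker"]][bucket] += 1
    return counts


if __name__ == "__main__":
    print("linkability, raw bundles:     ", linkability(REPORTS))
    print("linkability, jittered uploads:", linkability(jitter_uploads(REPORTS)))
    for tracker, buckets in crowd_density(REPORTS).items():
        print(tracker, "reports per window:", dict(buckets))
```

With the constructed data, the raw bundles let three reports be tied to finder B purely by timestamp, while the jittered version of the same reports no longer shares timestamps; the per-tracker totals used for density estimation are unchanged by the jitter, which is why randomizing upload times would hurt individual tracking without breaking the privacy-friendly crowd-monitoring use.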

Covert Data Transfer

Lastly, we’ll look at a mostly theoretical abuse-case: arbitrary data transfer using unofficial trackers. This was also demonstrated in the paper linked above and separately in a blog post by Fabian Bräunlein.

By manipulating Advertising Keys, attackers could encode and transmit messages using nearby Apple devices as unwitting couriers. However, the practicality of such attacks remains questionable due to the very low data rate and the potential for high error rates, since this attack will only work if at least one Apple device with BLE and FindMy enabled is nearby for the whole transfer. Nonetheless, Apple could take preemptive steps to prevent unofficial trackers altogether, which would also help mitigate circumvention of the tracking detection feature. Researchers expect this to be a non-trivial task that would require a major redesign of the FindMy service, so don’t count on Apple to close down the loophole for unofficial trackers anytime soon.

Using FindMy for covert data transfer

Wrapping up

As you can see, even with a huge focus on security and encryption, Apple still wasn’t able to properly protect the FindMy service against every abuse. Covert data transfer is no threat to users’ privacy, and the negative form of indirect tracking requires a ton of trackers spread around, especially to cover larger areas, making both more theoretical in nature. Direct tracking using Apple’s FindMy, however, still poses a significant risk.

Additionally, there are no countermeasures you can implement to reliably protect yourself from this potential surveillance. Until Apple changes the design of the service to prevent unofficial trackers altogether, every other countermeasure can be circumvented by adjusting the software of those trackers. Still, with all the security measures implemented by Apple, the FindMy service is quite good at protecting users’ privacy.