How Apple’s Find My Can Be Exploited: Inside the Bluetooth Location Vulnerabilities

Researchers from Germany’s Darmstadt University uncovered two design flaws in Apple’s Find My Bluetooth location system that enable unauthorized access to a user’s recent location history. This article explains the offline‑finding mechanism and details how macOS vulnerabilities can be exploited to de‑anonymize devices.

21CTO

Find My Overview

Apple devices include the “Find My” feature to locate other Apple devices such as iPhone, iPad, Mac, and AirPods. Since iOS 14.5, it also supports AirTags, Bluetooth trackers that work with the Find My app.

The underlying technology, introduced in 2019 as “offline finding”, lets devices broadcast BLE signals that nearby Apple devices can relay to Apple’s servers.

Unlike traditional offline finding, the location‑tracking mechanism uses end‑to‑end encryption and anonymity. Each device generates a rotating public‑private key pair; the public key is encoded in the BLE advertisement. The encrypted location data is synced via iCloud to other devices logged into the same Apple ID. Nearby iPhones/iPads decrypt the message with the public key, re‑encrypt it with their own key, and forward it to the cloud.

When a device is marked lost, Apple sends the encrypted location report to other devices of the same Apple ID. The owner can decrypt it with the corresponding private key in the Find My app.
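To make "the public key is encoded in the BLE advertisement" concrete, the following added example (not code from the article or from Apple) recognises an offline‑finding frame and rebuilds the advertised key, which is what a scanner that flags nearby trackers has to do. The byte layout (Apple company ID 0x004C, frame type 0x12, 22 key bytes in the payload and the other 6 in the BLE address) is an assumption taken from public research on the format, and all sample bytes are constructed.

```python
from typing import Optional

# Layout assumptions (from public research, not from this article):
APPLE_COMPANY_ID = b"\x4c\x00"  # 0x004C, little-endian
OF_TYPE, OF_LEN = 0x12, 0x19    # offline-finding type, payload length (25)


def parse_offline_finding(addr: bytes, mfg: bytes) -> Optional[dict]:
    """Rebuild the advertised public key from one BLE advertisement.

    addr: 6-byte advertiser address, most significant byte first.
    mfg:  manufacturer-specific data, starting at the company ID.
    Returns None for anything that is not an offline-finding frame.
    """
    if len(addr) != 6 or len(mfg) != 4 + OF_LEN:
        return None
    if mfg[:2] != APPLE_COMPANY_ID or mfg[2] != OF_TYPE or mfg[3] != OF_LEN:
        return None
    if addr[0] >> 6 != 0b11:  # random static addresses have both top bits set
        return None
    status, key_tail, top_bits, hint = mfg[4], mfg[5:27], mfg[27] & 0x03, mfg[28]
    # The address overwrote the key's two top bits; the payload carries them.
    first = (top_bits << 6) | (addr[0] & 0x3F)
    return {"status": status, "hint": hint,
            "public_key": bytes([first]) + addr[1:] + key_tail}


def distinct_keys(frames) -> set:
    """Keys seen across (addr, mfg) observations; a rotation shows up as a new key."""
    parsed = (parse_offline_finding(a, m) for a, m in frames)
    return {p["public_key"] for p in parsed if p}


# Constructed sample data (not captured from a real device).
SAMPLE_KEY = bytes([0x9A]) + bytes(range(2, 29))          # 28-byte key
SAMPLE_ADDR = bytes([0x9A | 0xC0]) + SAMPLE_KEY[1:6]
SAMPLE_MFG = (APPLE_COMPANY_ID + bytes([OF_TYPE, OF_LEN, 0x00])
              + SAMPLE_KEY[6:] + bytes([0x9A >> 6, 0x00]))
OTHER_MFG = APPLE_COMPANY_ID + bytes([0x10, 0x05]) + bytes(5)  # different Apple frame type

if __name__ == "__main__":
    result = parse_offline_finding(SAMPLE_ADDR, SAMPLE_MFG)
    print(result["public_key"].hex(), result["public_key"] == SAMPLE_KEY)
    print(parse_offline_finding(SAMPLE_ADDR, OTHER_MFG))
```

Because the key is the only identifier in the frame, two sightings can be linked only while the same key is being advertised; after a rotation `distinct_keys` reports a new, unrelated value.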

Vulnerabilities and Issues

The design relies on public‑key encryption, but Apple does not disclose the key‑rotation frequency. This opaque rotation makes it hard for attackers to track users, yet researchers discovered two distinct design and implementation flaws that allow unauthorized access to location history for the past seven days.

Because multiple devices may report through the same “finder” device, Apple could theoretically construct a large user network graph. Law‑enforcement agencies could de‑anonymize users even if phones are in airplane mode.

Researchers also showed that the macOS Catalina vulnerability CVE‑2020‑9986 can be used to extract decryption keys, enabling an attacker to download and decrypt Find My location reports with high accuracy.

Apple responded by partially fixing the issue in macOS 10.15.7 (released November 2020), tightening access restrictions.

Full research report: https://arxiv.org/pdf/2103.02282.pdf
