Researchers discover 'nRootTag' attack that can track any Bluetooth-enabled device through Apple's 'Find My' network, turning any smartphone or PC into an unwitting AirTag



Associate Professor Qiang Zeng of George Mason University in Virginia, USA, and his colleagues have discovered an attack that exploits a vulnerability in the network behind Apple's 'Find My Device' feature, causing it to mistake a target smartphone or PC for a 'lost AirTag' so that the device can be tracked.

Tracking You from a Thousand Miles Away!
https://nroottag.github.io/



Find my hacker: How Apple's network can be a potential tracking tool | College of Engineering and Computing
https://cec.gmu.edu/news/2025-02/find-my-hacker-how-apples-network-can-be-potential-tracking-tool

Find My Network Exploit Turns Any Bluetooth Device Into a Tracker - MacRumors
https://www.macrumors.com/2025/02/27/security-flaw-apple-find-my-track-any-device/

Apple offers a 'Find My Device' feature in case you lose your iPhone, iPad, AirPods, or other devices, which allows you to find them even if they are turned off.

AirTag, a lost-item tracker, works as follows. (1) Public and private key information is shared between the owner's device and the AirTag. (2) When the AirTag is separated from its paired device, it broadcasts a 'lost message' containing the public key information in a BLE advertisement packet. (3) When an Apple device passing near the AirTag receives the 'lost message,' it creates an encrypted 'location report' and sends it to Apple's server along with the hashed public key information. (4) The user can then look up the related 'location report' on Apple's server based on the public key information. The location report can only be decrypted with the correct private key, and to preserve anonymity, no check is made of whether the 'lost message' was sent from an Apple device.
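The four steps above can be modelled in a few lines. This is an added illustration, not code from the researchers or from Apple: it uses stand-in primitives (toy finite-field Diffie-Hellman, a SHA-256 keystream and HMAC) rather than Apple's actual cryptography, and every name in it is an assumption.

```python
# Added illustration: simplified model of the four steps. Stand-in crypto only
# (toy finite-field DH, SHA-256 keystream, HMAC); not Apple's actual scheme.
import hashlib, hmac, secrets

P, G = 2**255 - 19, 2          # toy group parameters (assumption)

def _b(n):
    return n.to_bytes(32, "big")

def keypair():
    """Step 1: key pair shared between the owner's device and the tag."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def key_id(pub):
    """Hashed public key: the only index the server stores."""
    return hashlib.sha256(_b(pub)).hexdigest()

def _derive(shared):
    return (hashlib.sha256(b"enc" + _b(shared)).digest(),
            hashlib.sha256(b"mac" + _b(shared)).digest())

def finder_report(advertised_pub, location):
    """Steps 2-3: a finder hears a public key in a BLE advertisement and
    encrypts its own location (at most 32 bytes here) to that key."""
    if len(location) > 32:
        raise ValueError("toy cipher handles at most 32 bytes")
    eph_priv, eph_pub = keypair()
    enc, mac = _derive(pow(advertised_pub, eph_priv, P))
    ct = bytes(a ^ b for a, b in zip(location, enc))
    tag = hmac.new(mac, ct, hashlib.sha256).digest()
    return key_id(advertised_pub), (eph_pub, ct, tag)

class Server:
    """Stores opaque reports under the hashed key. Nothing in this flow
    checks what kind of device broadcast the advertisement."""
    def __init__(self):
        self.reports = {}
    def upload(self, kid, report):
        self.reports.setdefault(kid, []).append(report)
    def fetch(self, kid):
        return self.reports.get(kid, [])

def owner_decrypt(priv, report):
    """Step 4: only the matching private key opens a report."""
    eph_pub, ct, tag = report
    enc, mac = _derive(pow(eph_pub, priv, P))
    if not hmac.compare_digest(tag, hmac.new(mac, ct, hashlib.sha256).digest()):
        return None            # wrong key or tampered report
    return bytes(a ^ b for a, b in zip(ct, enc))
```

The server only ever sees a hash and ciphertext, which is why the location stays private to the key holder and also why the reporting path has no way to tell a real AirTag from any other device broadcasting a public key.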



Associate Professor Zeng and his colleagues discovered that they could manipulate the encryption keys in the Find My network to trick it into treating ordinary Bluetooth devices as genuine AirTags.

The attack, which the research team calls 'nRootTag,' has a 90% success rate and can pinpoint the device's location within minutes.

Researcher Junming Chen describes the attack as 'like turning a laptop, phone, or game console into an AirTag without the owner even realizing it.' It has already been proven to work on multiple operating systems, including Windows, Linux, and Android, as well as on mobile devices, smart TVs, and VR headsets.

Details of the research results will be presented at the USENIX Security Symposium to be held in Seattle in August 2025.

in Security, Posted by logc_nt