The functionality of Apple’s “Find My” location network, designed to aid users in locating lost Apple devices, has been found to be susceptible to abuse. Malicious actors can covertly transmit sensitive information captured by keyloggers installed in keyboards through this network.
The “Find My” service utilizes GPS and Bluetooth data from millions of Apple devices worldwide to locate lost or stolen devices, even if they are offline. Lost devices emit Bluetooth signals, detected by nearby Apple devices that anonymously relay the location through the Find My network to the owner.
Researchers discovered the potential for abuse over two years ago. Although Apple has reportedly addressed the issue, the researchers released a proof-of-concept implementation called ‘Send My’ on GitHub, demonstrating the upload and retrieval of arbitrary data over Apple’s Find My network from any internet-enabled device.
The researchers created a hardware device, integrating a keylogger with an ESP32 Bluetooth transmitter into a USB keyboard. This showcased the possibility of relaying passwords and sensitive data typed on the keyboard through the Find My network via Bluetooth.
Compared with WLAN-based keyloggers or Raspberry Pi devices, Bluetooth transmission is stealthier, and the Find My platform leverages ubiquitous Apple devices for covert relay. The keylogger doesn’t require an AirTag or an officially supported chip; Apple devices respond to any Bluetooth message. If the message is appropriately formatted, the receiving Apple device creates a location report and uploads it to the Find My network.
To simulate multiple AirTags, the sender generates numerous slightly different public encryption keys, encoding arbitrary data into those keys. The reports retrieved from the cloud can then be concatenated and decoded at the receiving end, revealing the keylogger’s captures.
The cost of this data-siphoning contraption was approximately $50, utilizing a Bluetooth-enabled ‘EvilCrow’ keylogger and a standard USB keyboard. The proof-of-concept achieved a transmission rate of 26 characters per second and a reception rate of 7 characters per second, with latency ranging from 1 to 60 minutes, depending on Apple devices in proximity.
While not exceptionally fast, the method poses a threat because it allows malicious actors to recover valuable information such as passwords over several hours or days without activating Apple’s anti-tracking protections. The stationary keylogger inside the keyboard remains hidden and is less likely to be discovered, as Apple’s anti-tracking notifications for AirTags are not triggered by it.
To mitigate this security risk, Apple users are advised to stay vigilant and employ additional measures, such as regularly reviewing connected devices and ensuring the security of their physical surroundings to prevent unauthorized access to keyboards.