Bluetooth tracking system earns plaudits from independent security analysis despite recently resolved flaw

Researchers uncover hidden flaws in Bluetooth-based location tracking tech from Apple

The security and privacy of Apple’s Bluetooth location-tracking system has earned praise from researchers who uncovered two implementation flaws in the technology.

Apple’s OF (Offline Finding) technology uses online ‘finder’ devices running the ‘Find My’ app to detect, over Bluetooth, missing devices that are themselves offline, such as iPads and AirTags.

The ‘crowdsourced’ system reports an approximate location for a device back to the owner via the internet.

Computer scientists from Technische Universität Darmstadt in Germany uncovered a brace of issues after carrying out a detailed analysis of the privacy-focused system.

Reverse engineering

During what’s reckoned to be the first comprehensive security and privacy analysis of Apple’s OF technology, the team of four computer scientists first mapped out the design of the closed-source protocols using reverse engineering techniques.

The team went on to show that an attacker could gain unauthorized access to the location reports, allowing for accurate device tracking and the ability to retrieve a user’s frequently visited locations to within a distance of 10 metres, at least in urban areas.

More specifically the researchers went on to uncover two distinct design and implementation flaws which they said could lead to a ‘location correlation attack’ and unauthorized access to recent location history.


The researchers disclosed their findings to Apple last year. In response, the technology giant addressed their main concern, the implementation flaw, through an update. The other, less serious, design issue remains unaddressed.

The location-history vulnerability allowed any “third-party app on the Mac to decrypt the location reports created by any of your devices whenever they were offline”, Alexander Heinrich, one of the researchers, told The Daily Swig.

What’s your location?

Apple’s OF technology means that a MacBook sitting in your bag, and normally offline, would be detected over Bluetooth by other devices around you (such as your own iPhone), which would report its encrypted location to Apple in the event that it was lost or stolen.

Apple's technology aims to ensure finder anonymity, that owner devices are not trackable, and the confidentiality of location reports. Locations are encrypted before upload, but a flaw in the implementation meant that all of the private keys needed to decrypt them were stored in a directory on macOS that any local app or user could read.

“Just by reading this directory it was possible to download and decrypt the location reports for all devices that were connected to the same iCloud account,” Heinrich explained.

The implementation issue – tracked as CVE-2020-9986 – was resolved by Apple last year.
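As an added illustration (not Apple's code, protocol or wire format, and not taken from the paper), the following Python sketch models the design the researchers describe: the owner device holds a private key and advertises the matching public key, a finder encrypts its own position under that key, and only the private-key holder can decrypt the uploaded report. It then shows why the key directory's permissions are the whole story: a world-readable key file lets any local app recover the plaintext, and a permission audit is the check that would have caught it. The curve arithmetic follows RFC 7748 but is not constant-time; the file names, directory layout and the coordinate pair are assumptions constructed for the example.

```python
# Added example, not Apple's implementation: a minimal offline-finding exchange
# (ephemeral X25519 + HKDF-SHA256 + encrypt-then-MAC) and a key-directory audit.
# File names, layout and coordinates below are constructed for illustration.
import hashlib
import hmac
import os
import secrets
import struct
import tempfile

P = 2**255 - 19                          # Curve25519 field prime
A24 = 121665                             # (486662 - 2) / 4, per RFC 7748
BASEPOINT = (9).to_bytes(32, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication on Curve25519 (RFC 7748 Montgomery ladder).
    The conditional swap is a plain branch: fine for illustration, not
    for production, where it must be constant-time."""
    k = (int.from_bytes(k, "little") & ~7 & ((1 << 254) - 1)) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair():
    """Owner device: private scalar plus the public key it advertises."""
    sk = secrets.token_bytes(32)
    return sk, x25519(sk, BASEPOINT)


def _kdf(shared: bytes, salt: bytes, length: int) -> bytes:
    """HKDF-SHA256 (extract then expand) yielding MAC key || keystream."""
    prk = hmac.new(salt, shared, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def encrypt_report(owner_pk: bytes, lat: float, lon: float) -> bytes:
    """Finder side: ephemeral ECDH against the advertised key, then
    encrypt-then-MAC the coordinates. The finder never learns who owns the key."""
    eph_sk, eph_pk = keypair()
    shared = x25519(eph_sk, owner_pk)
    plaintext = struct.pack(">dd", lat, lon)
    keys = _kdf(shared, eph_pk, 32 + len(plaintext))
    mac_key, stream = keys[:32], keys[32:]
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, eph_pk + ciphertext, hashlib.sha256).digest()[:16]
    return eph_pk + ciphertext + tag      # the blob that gets uploaded


def decrypt_report(owner_sk: bytes, report: bytes):
    """Owner side: only the private key reproduces the shared secret."""
    eph_pk, ciphertext, tag = report[:32], report[32:-16], report[-16:]
    shared = x25519(owner_sk, eph_pk)
    keys = _kdf(shared, eph_pk, 32 + len(ciphertext))
    mac_key, stream = keys[:32], keys[32:]
    expected = hmac.new(mac_key, eph_pk + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("report rejected: wrong key or tampered data")
    return struct.unpack(">dd", bytes(c ^ s for c, s in zip(ciphertext, stream)))


def exposed_key_files(key_dir: str) -> list:
    """The audit check: private-key files with group/other read bits set are
    readable by any local app, whichever app wrote them."""
    return sorted(n for n in os.listdir(key_dir)
                  if os.stat(os.path.join(key_dir, n)).st_mode & 0o044)


def demo() -> dict:
    """Round trip, then the exposure scenario: one key stored world-readable
    (the flawed layout) next to one stored owner-only (what a fix looks like)."""
    owner_sk, owner_pk = keypair()
    report = encrypt_report(owner_pk, 49.8728, 8.6512)   # constructed sample fix
    with tempfile.TemporaryDirectory() as key_dir:
        exposed = os.path.join(key_dir, "owner.key")     # hypothetical name
        with open(exposed, "wb") as f:
            f.write(owner_sk)
        os.chmod(exposed, 0o644)
        safe = os.path.join(key_dir, "other.key")        # hypothetical name
        with open(safe, "wb") as f:
            f.write(keypair()[0])
        os.chmod(safe, 0o600)
        flagged = exposed_key_files(key_dir)
        with open(exposed, "rb") as f:                   # any local reader can do this
            stolen = decrypt_report(f.read(), report)
    return {"flagged": flagged, "decrypted_by_local_reader": stolen}
```

Running `demo()` flags only `owner.key` and returns the constructed coordinates recovered from the world-readable key, which is the whole point: the cryptography holds up, and the report format leaks nothing to the server or the finder, but a key file that any process can read makes every report decryptable locally. A real deployment would also reject an all-zero shared secret (low-order points) and use a constant-time ladder.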


Milan Stute, another member of the research team, explained that a second, more esoteric issue meant that Apple might be able to correlate user locations.

This potential design issue “would require Apple to store certain meta data about the report uploads/downloads (which we don’t know if they do – but it's technically possible)”, according to Stute.

Apple has not indicated to the researchers that it plans to address this issue. The technology giant didn’t respond to a request for comment on the research as a whole from The Daily Swig.

The researchers detailed their findings in full in a paper (PDF) entitled, ‘Who Can Find My Devices? Security and Privacy of Apple’s Crowd-Sourced Bluetooth Location Tracking System’.

Best in show

Despite finding potential shortcomings with Apple’s location-tracking system both Stute and Heinrich were complimentary about the technology.

“Apple’s design is actually very clever and sophisticated,” according to Stute. “So far, it’s the best that we have seen out there (e.g., compared to Tile).”

Heinrich added: “All the similar systems that we know of at the moment do not use any encryption. Even worse, many of them had issues with the access control to their servers, so others could track such devices very easily.

“So, the first thing those developers need to change is to use similar methods as Apple to encrypt the location data,” he concluded.
