
Architecture of nRootTag | Source: George Mason University
Apple’s Find My network leverages a crowdsourced Bluetooth system to enable remote tracking of compatible devices. For instance, an AirTag transmits encrypted location beacons via Bluetooth to nearby iPhones, which then relay these signals to Apple’s network, allowing the AirTag’s owner to track its location.
In theory, if an attacker could exploit a vulnerability to impersonate an AirTag, they could achieve remote tracking of other devices. Researchers at George Mason University have uncovered such a flaw, which they have named nRootTag.
“A remote attacker can exploit this vulnerability to turn your device—whether it’s a desktop, smartphone, or smartwatch—into an AirTag-like tracker, enabling the attacker to track your location. […] Over 1.5 billion iPhones could act as free tracking agents for the attacker worldwide,” the researchers warn.
By exploiting this vulnerability, the researchers were able to make any Bluetooth-enabled device—such as a smartphone or laptop—appear to the Find My network as an AirTag, enabling precise tracking through that network. Under optimal conditions, this method can achieve location accuracy within approximately three meters.
Although Apple has implemented encryption-based Bluetooth address randomization to mitigate such threats, the researchers developed a system capable of rapidly identifying Bluetooth address keys. This system utilizes hundreds of GPUs to crack the encryption and retrieve the necessary keys.
Crucially, these GPUs do not need to be purchased outright; attackers could simply rent them from various cloud computing platforms, allowing them to derive the necessary keys in a short period before terminating the rented resources—making the attack both efficient and cost-effective.
To execute this attack, a hacker must first infect the target smartphone or PC with malware. While mere infection alone does not reveal precise location data, combining it with the Find My network vulnerability enables real-time, pinpoint tracking of the user.
The researchers reported the nRootTag vulnerability to Apple in July 2024, recommending an urgent update to strengthen Bluetooth device authentication within the network. While Apple has acknowledged the issue, the vulnerability remains unpatched as of now.
According to the researchers, a complete fix could take several years, as Apple would need to update all Find My-compatible devices, including iPhones and other connected hardware. However, even after the necessary firmware updates are released, adoption may be slow, as not all users immediately upgrade their devices.