The exploitation of the vulnerabilities allowed unauthorized access to the location history of Apple device users over the past seven days.
Cybersecurity researchers at the Secure Mobile Networking Lab at the Technical University of Darmstadt, Germany, have identified two design and implementation issues with Apple's Bluetooth crowdsourced location tracking system that have allowed unauthorized access to users' location history for the previous seven days.
Apple devices come with Find My, which makes it easy for users to find other Apple products, including iPhone, iPad, iPod touch, Apple Watch, Mac, or AirPods. The location tracking feature, dubbed "offline search" and introduced in 2019, transmits Bluetooth Low Energy (BLE) signals from Apple devices, allowing other devices in close proximity to transmit their location to the tech giant's servers.
Offline search turns every mobile device into a broadcast beacon for tracking movements, using a crowdsourced mechanism that is anonymous and protected with end-to-end encryption. Each device emitting Bluetooth signals generates rotating key pairs (public and private) and broadcasts the public key; nearby devices encrypt the location with that public key. The key material is subsequently synced via iCloud with all other Apple devices associated with the same user.
Since this approach relies on public key encryption (PKE), even Apple cannot decrypt the user's location data. According to the researchers, however, the design still allows Apple to correlate the locations of different owners if their locations are reported by the same finder devices.
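The key rotation and finder-side encryption described above, together with the correlation gap the researchers point out, as an added Python sketch that is neither Apple's code nor the researchers' tooling; it substitutes a toy Diffie-Hellman group for Find My's P-224 ECDH and uses constructed sample values.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group standing in for Find My's P-224 ECDH (constructed, not strong).
P = (1 << 127) - 1
G = 3

def kdf(shared: int) -> tuple:
    """Derive separate encryption and MAC keys from the shared secret."""
    s = shared.to_bytes(16, "big")
    return hashlib.sha256(b"enc" + s).digest(), hashlib.sha256(b"mac" + s).digest()

def rolling_keypair(master: bytes, period: int) -> tuple:
    """Key pair for one rotation period, derived from the owner's master beacon
    secret so the owner (and devices synced via iCloud) can recompute it later."""
    x = hmac.new(master, period.to_bytes(4, "big"), "sha256").digest()
    d = 2 + int.from_bytes(x, "big") % (P - 3)
    return d, pow(G, d, P)

def key_id(pub: int) -> str:
    """Reports are stored under a hash of the advertised public key, not an identity."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()

def finder_report(finder: str, pub: int, location: bytes) -> dict:
    """A nearby finder encrypts ITS OWN location to the advertised public key
    (ephemeral DH + KDF + XOR + HMAC, a toy ECIES); the server sees only ciphertext."""
    e = 2 + secrets.randbelow(P - 3)
    enc, mac = kdf(pow(pub, e, P))
    ct = bytes(a ^ b for a, b in zip(location, enc))  # location must be <= 32 bytes
    tag = hmac.new(mac, ct, "sha256").digest()
    return {"finder": finder, "id": key_id(pub), "eph": pow(G, e, P), "ct": ct, "tag": tag}

def owner_decrypt(master: bytes, period: int, report: dict):
    """Only a holder of the master secret can rebuild d_i and open the report (else None)."""
    d, pub = rolling_keypair(master, period)
    if report["id"] != key_id(pub):
        return None
    enc, mac = kdf(pow(report["eph"], d, P))
    if not hmac.compare_digest(hmac.new(mac, report["ct"], "sha256").digest(), report["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(report["ct"], enc))

def correlate(reports: list) -> set:
    """The design issue: without decrypting anything, the server can group the
    key IDs that one finder uploaded, linking owners who were in the same place."""
    seen = {}
    for r in reports:
        seen.setdefault(r["finder"], set()).add(r["id"])
    return {frozenset(ids) for ids in seen.values() if len(ids) > 1}
```

Note that `correlate` never touches the ciphertext: the linkage comes purely from which key identifiers a single finder submitted together.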
“Law enforcement agencies can use this problem to de-anonymize participants in (political) demonstrations, even when participants put their phones in airplane mode. Malicious applications for macOS can extract and decrypt the last seven days' location reports for all users and for all their devices, since the cached rolling advertisement keys are stored in the file system in clear text”, the experts explained.
In other words, a vulnerability in macOS Catalina (CVE-2020-9986) could allow an attacker to gain access to decryption keys, using them to download and decrypt location reports sent by the Find My network, and ultimately to locate and identify victims with high precision. The vulnerability was patched by Apple in November 2020 in macOS 10.15.7 using "improved access restrictions."
The second finding is an application that allows any user to build their own AirTag-style tracker. A framework called OpenHaystack lets users track personal Bluetooth devices across Apple's huge Find My network and create custom tracking tags that can be attached to physical objects or integrated into other Bluetooth-enabled devices.
The researchers reported their findings to Apple last year, and the company has since fixed the problems.