New Hack Turns Any Device into a Secret Tracker via Apple's Find My Network
Researchers at George Mason University have uncovered a devastating security vulnerability known as "nRootTag" that allows hackers to track the location of nearly any computer or mobile device with unprecedented ease. This attack exploits Apple's Find My network by tricking it into treating target devices as lost AirTags, effectively turning them into unwitting homing beacons.
The attack method uses a device's Bluetooth address combined with Apple's Find My network to track locations. It works on an astonishing range of devices, including Linux, Android, Windows, some Smart TVs, and even VR Headsets. But what's even more alarming is the accuracy and speed of the tracking process.
Researchers have pinpointed a stationary computer's location within 10 feet and accurately tracked moving devices with remarkable precision. The technique boasts an impressive 90% success rate and can track devices within minutes, making it a potentially game-changing tool for malicious actors.
What sets this attack apart is its ability to bypass the need for administrator privileges by adapting the key to the Bluetooth address rather than modifying the address itself. Researchers used hundreds of GPUs to quickly find matching keys, taking advantage of affordable GPU rentals. This clever tactic allows them to save mismatches in a database (rainbow table) for future use, making it an effective tool for targeting multiple devices simultaneously.
This vulnerability raises serious concerns about privacy risks, as it could be misused for stalking, harassment, corporate espionage, or national security threats. It's also a tantalizing prospect for advertising companies looking to user-profile devices without relying on device GPS.
Given its widespread impact and the fact that vulnerable devices may persist until they "die out," users are advised to take immediate action to protect themselves. This includes being cautious of apps requesting unnecessary Bluetooth permissions, keeping devices updated, and considering privacy-focused operating systems.
Apple was informed of this issue in July 2024, and while they acknowledged the problem in subsequent security updates, a complete fix may take years to roll out. In the meantime, users must remain vigilant and take steps to safeguard their personal data.