Security researchers studying the "Find My" network used by Apple's AirTags, among others, have been able to trick the system into sending data that Apple can neither monitor nor, apparently, prevent.
It's not something that's easy to reproduce, nor is it something that could mean AirTags users are having problems with malware. However, it is reportedly possible to infiltrate the Find My network to send encrypted messages between devices, albeit very short ones. According to Berlin-based IT security firm Positive Security, it's possible to upload arbitrary data from non-internet-connected devices by sending Find My-like broadcasts. These are then picked up by Apple devices, just as a lost AirTag uses passing iPhones to report its location. Fabian Braunlein writes in a blog post:
While I was mostly just curious if it would be possible, I could imagine the most common use case being uploading sensor readings or other data from IoT devices without a broadband modem, SIM card, data plan, or Wi-Fi connection.
Apple: Users can register a maximum of 16 AirTags per Apple ID
So, in theory, a correctly configured device could send out a Bluetooth LE signal, like AirTags do. Then, when an Apple device is nearby, that device would register the signal and forward it.
Since Amazon operates a similar network called Sidewalk that uses Echo devices, there could very well be demand for it. Since the Finding devices cache received transmissions until they have an internet connection, the sensors can even broadcast data from areas without cell coverage as long as people are passing through the area.
Even more sinister, Braunlein posits that this could be used to "exfiltrate data from certain air-enclosed systems or rooms with Faraday cages." Devices in such rooms may be sealed off from the internet, but could certainly pass data to a passing visitor's iPhone. A more general takeaway is that, according to Positive Security, there doesn't seem to be any technical reason why users can only have a limited number of AirTags. According to Apple, a maximum of 16 AirTags can be registered per Apple ID. But Braunlein says the restriction doesn't seem to be enforceable. (Photo by hadrian / Bigstockphoto)
