November 4, 2023 at 02:02PM
Apple’s “Find My” location network, intended for locating lost or stolen Apple devices, can be exploited to transmit sensitive information by malicious actors using keyloggers. Positive Security researchers have discovered a way to upload arbitrary data onto the Find My network, including passwords, via Bluetooth transmission. The attack is stealthy and utilizes omnipresent Apple devices for relaying data. Apple has yet to respond to the issue.
Based on the meeting notes, it appears that Apple’s “Find My” location network can potentially be abused by malicious actors to transmit sensitive information captured by keyloggers installed in keyboards. The researchers from Positive Security discovered this potential abuse and even published their implementation called “Send My” on GitHub. They demonstrated how they integrated a keylogger with a Bluetooth transmitter into a USB keyboard to relay passwords and other sensitive data through the Find My network via Bluetooth. The transmission rate achieved was 26 characters per second, and the reception rate was 7 characters per second, with a latency of 1 to 60 minutes. The keylogger remains hidden and unlikely to be discovered due to Apple’s anti-tracking protections not being activated by the stationary keylogger inside the keyboard. BleepingComputer has reached out to Apple for a statement but has not received a response yet.