
You hear AirTag, ghidraninja hears free Wi-Fi

Prodigy_Smit

Summary

Russian hacker @ghidraninja has managed to get Apple's AirTags to send a Wi-Fi signal, "borrowing" other users' data and allowing access to the internet by piggybacking on the Find My network that allows AirTags to update their location despite not being connected to the network. This is the second major exploit that ghidraninja has managed to uncover on the AirTags after effectively jailbreaking them last week.

The main saving grace is that there are hardware limitations to how much bandwidth is available since this capability of AirTags is meant for very low data consumption use i.e. transferring location data. So this is merely a proof of concept and not a way for getting free internet.

 


Quotes

Quote

In that story, the researcher @ghidraninja was able to modify the firmware on the AirTag itself, despite the anti-tampering protection implemented by Apple’s own AirTag firmware programming.

But this “attack” (if that is the right word) is different, because it doesn’t involve modifying or cracking the AirTag itself.

Instead, it involves using the AirTag protocol on a Bluetooth device that doesn’t have internet connectivity in order to “trick” (if that is the right word) nearby Apple devices into sending data over the internet on its behalf.

 

My thoughts

It's concerning to the security of AirTag users, but as far as I can tell the exploit can only send an internet signal and does not allow access to the local information on the device being transferred, such as banking information if a transaction is made simultaneously.

 

Sources

https://nakedsecurity.sophos.com/2021/05/14/apple-airtags-hacked-again-free-internet-with-no-mobile-data-plan/

https://twitter.com/ghidraninja

 

I will recommend an NHu12s (or an NHd15 (maybe)) for your PC build. Quote or @ me @Prodigy_Smit for me to see your replies.

PSU Tier List | Howdy! A Windows Hello Alternative

 

 

Desktop :

i7 8700 | Quadro P4000 8GB |  64gb 2933Mhz cl18 | 500 GB Samsung 960 Pro | 1tb SSD Samsung 850 evo

Laptop :

ASUS G14 | R9 5900hs | RTX 3060 | 16GB 3200Mhz | 1 TB SSD


Based on the Sophos source from the post, there isn't actually a payload in the messages sent by the AirTags, the tags just broadcast their IDs and it's up to the receiving phone to add in the location data. The exploit here is that you can use the ID as a way to convey data - I can define ID 10000001 to mean one thing, and 10000002 to mean something else, then see which one was broadcast. The effective bandwidth, according to the article, is only about 20B/s at best, which is pretty useless for most applications.

 

This shouldn't be a concern for anyone here, although it does raise the possibility of some interesting ways to exfiltrate information from secure areas where devices with internet connectivity are heavily restricted.

HTTP/2 203


5 minutes ago, colonel_mortis said:

Based on the Sophos source from the post, there isn't actually a payload in the messages sent by the AirTags, the tags just broadcast their IDs and it's up to the receiving phone to add in the location data. The exploit here is that you can use the ID as a way to convey data - I can define ID 10000001 to mean one thing, and 10000002 to mean something else, then see which one was broadcast. The effective bandwidth, according to the article, is only about 20B/s at best, which is pretty useless for most applications.

I was about to ask what airtags need unrestricted internet access for, I guess the answer is they don't 😛

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


Somehow not surprised. These kinds of devices are typically the things that provide a backdoor to a network or device that they are connected to.

That said... if someone has access to an airtag, they likely have access to your other stuff that was being "tracked" by it, and network access would be the last of my worries.

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


3 hours ago, Caroline said:

This is supposed to go into your backpack, bag, purse or whatever in case it gets stolen, but let's be real, if a thief takes your backpack he's just gonna look for cash or something valuable inside and just toss it away in a dumpster, or if he finds this "air tag" inside he'll smash it or stick it on a car, I mean there are so many ways to get around this thing that's kinda useless.

Air tags were great in concept. Execution deserves execution IMO, way too many ways to get around it.

Main PC: the literature club machine

Intel I5 9600k @ 4.2 Ghz | MSI z390-a pro | G.Skill Trident Z RGB 32 GB 3000Mhz | Samsung 970 Evo 500 GB | Seagate barracuda 3.5" 2.5tb  | Thermaltake Floe Riing RGB 240 | Asus GeForce GTX 1660 Ti 6 GB DUAL OC | Thermaltake Core P3 TG Snow Edition

 

Daily drivers

OPPO A52 | Razer Blackwidow Chroma | Razer Deathadder V2 Pro | Beyerdynamic DT 990 PRO | Focusrite Scarlett solo gen 2


3 hours ago, Caroline said:

This is supposed to go into your backpack, bag, purse or whatever in case it gets stolen, but let's be real, if a thief takes your backpack he's just gonna look for cash or something valuable inside and just toss it away in a dumpster, or if he finds this "air tag" inside he'll smash it or stick it on a car, I mean there are so many ways to get around this thing that's kinda useless.

yeah, i think the idea is that you can track things if you lose them, not if they're stolen

CPU: Core i9 12900K || CPU COOLER : Corsair H100i Pro XT || MOBO : ASUS Prime Z690 PLUS D4 || GPU: PowerColor RX 6800XT Red Dragon || RAM: 4x8GB Corsair Vengeance (3200) || SSDs: Samsung 970 Evo 250GB (Boot), Crucial P2 1TB, Crucial MX500 1TB (x2), Samsung 850 EVO 1TB || PSU: Corsair RM850 || CASE: Fractal Design Meshify C Mini || MONITOR: Acer Predator X34A (1440p 100hz), HP 27yh (1080p 60hz) || KEYBOARD: GameSir GK300 || MOUSE: Logitech G502 Hero || AUDIO: Bose QC35 II || CASE FANS : 2x Corsair ML140, 1x BeQuiet SilentWings 3 120 ||

 

LAPTOP: Dell XPS 15 7590

TABLET: iPad Pro

PHONE: Galaxy S9

She/they 


8 minutes ago, orbitalbuzzsaw said:

yeah, i think the idea is that you can track things if you lose them, not if they're stolen

the only way i could logically see them being helpful in a robbery is if they're really well hidden.

Main PC: the literature club machine

Intel I5 9600k @ 4.2 Ghz | MSI z390-a pro | G.Skill Trident Z RGB 32 GB 3000Mhz | Samsung 970 Evo 500 GB | Seagate barracuda 3.5" 2.5tb  | Thermaltake Floe Riing RGB 240 | Asus GeForce GTX 1660 Ti 6 GB DUAL OC | Thermaltake Core P3 TG Snow Edition

 

Daily drivers

OPPO A52 | Razer Blackwidow Chroma | Razer Deathadder V2 Pro | Beyerdynamic DT 990 PRO | Focusrite Scarlett solo gen 2


6 hours ago, Caroline said:

This is supposed to go into your backpack, bag, purse or whatever in case it gets stolen, but let's be real, if a thief takes your backpack he's just gonna look for cash or something valuable inside and just toss it away in a dumpster, or if he finds this "air tag" inside he'll smash it or stick it on a car, I mean there are so many ways to get around this thing that's kinda useless.

That's why it is not marketed as an anti-theft device.


6 hours ago, Caroline said:

This is supposed to go into your backpack, bag, purse or whatever in case it gets stolen, but let's be real, if a thief takes your backpack he's just gonna look for cash or something valuable inside and just toss it away in a dumpster, or if he finds this "air tag" inside he'll smash it or stick it on a car, I mean there are so many ways to get around this thing that's kinda useless.

No, it's not supposed to go in your backpack, bag or purse to prevent theft. It's supposed to go on the keys you always misplace, so that when they go missing you find them. This isn't a device designed to prevent theft; it's a device designed for people who often misplace things.


2 minutes ago, Brooksie359 said:

No, it's not supposed to go in your backpack, bag or purse to prevent theft. It's supposed to go on the keys you always misplace, so that when they go missing you find them. This isn't a device designed to prevent theft; it's a device designed for people who often misplace things.

My Dad misplaces his keys and wallet all the bloody time. 
 

As far as a robbery goes however, Airtags could be rather dangerous. They could potentially be a tool to bait a victim. 

My eyes see the past…

My camera lens sees the present…


1 hour ago, Caroline said:

Do you guys not have a place for your keys?

Yeah we do. Where it resides is never known though

✨FNIGE✨


11 hours ago, Caroline said:

This is supposed to go into your backpack, bag, purse or whatever in case it gets stolen,

No it's not.

 

It's to help you find things you have misplaced, or help someone who finds something return it to its owner.

Saying that Airtags are useless because someone can just remove it is like saying dog collars are useless because someone can just remove them. It's like saying tags on luggage are useless because someone can just remove them.

It's like saying having your contact info on your lock screen is useless because someone can just turn the screen off.

Not sure if other countries have this, but in Sweden we have tags you put on your keys that basically say "please put me in a mailbox". If someone finds a pair of dropped keys and puts them in a mailbox, they get sent to the owner. Those tags are not useless either, despite someone "might just remove it and use the keys anyway".

 

It's not an anti-theft device and it's not marketed as such either. It's a tracking and identification device.

The idea is that if someone finds an airtagged bag or whatever, they can scan it and return it. Or if someone doesn't find it, the owner can track it down.

 

Your comment only makes sense if you:

1) Never lose anything yourself.

2) Assume that everyone in the world is a thief and nobody would ever return something they had found.


6 hours ago, Caroline said:

Do you guys not have a place for your keys?


I do. I'm not the person this is marketed for. My brother is a prime example of someone who this would be marketed for. Loses his keys all the damn time and honestly he is exceptionally good at it. It sometimes baffles me how he loses them and they would end up in the most random places. Him trying to find his keys in the morning was a daily occurrence when I was growing up.


Friend is the same. Keys, wallet, phone... he's had Tile trackers for years and I've seen him use them in all combinations multiple times within a single hour, and sometimes spend 15 minutes looking for his stuff several times a day even with that when the lost thing is in the car/upstairs/other building.

 

BTW one thing the AirTags don't do and he definitely needs and can do with the Tile is press a button on the keys' tag to make the phone ring. 

 

Maybe need both, AirTags for the UWB locating AND the Tile to make the phone ring...

F@H
Desktop: i9-13900K, ASUS Z790-E, 64GB DDR5-6000 CL36, RTX3080, 2TB MP600 Pro XT, 2TB SX8200Pro, 2x16TB Ironwolf RAID0, Corsair HX1200, Antec Vortex 360 AIO, Thermaltake Versa H25 TG, Samsung 4K curved 49" TV, 23" secondary, Mountain Everest Max

Mobile SFF rig: i9-9900K, Noctua NH-L9i, Asrock Z390 Phantom ITX-AC, 32GB, GTX1070, 2x1TB SX8200Pro RAID0, 2x5TB 2.5" HDD RAID0, Athena 500W Flex (Noctua fan), Custom 4.7l 3D printed case

 

Asus Zenbook UM325UA, Ryzen 7 5700u, 16GB, 1TB, OLED

 

GPD Win 2


Interesting exploit, but ultimately not going to be useful or impactful except in the most extreme cases. I guess really specific cases of espionage could make use of this if even that?


On 5/17/2021 at 8:04 AM, LAwLz said:

It's like saying tags on luggage are useless because someone can just remove them.

Luggage tags are for when the airline's tag gets ripped off during processing, so that the luggage handlers can get it where it's meant to go - this is generally a listed requirement in the ts&cs when flying. Those handlers aren't going to remove your tag and pillage your stuff, because it's their job to deal with it and doing so would get them fired. Outside of the airport, yes luggage tags are generally considered completely useless.

 

On 5/17/2021 at 8:04 AM, LAwLz said:

2) Assume that everyone in the world is a thief and nobody would ever return something they had found.

That is generally my experience with losing things, yes. If I lose it, it's gone. And the statistics back this up - only ~10-20% of lost items are ever recovered, with this number dropping drastically for high-value items like laptops (which is likely the reason you want your bag back in the first place).

 

Maybe on a set of keys I could see it working, as they have practically no value to anyone else, but that doesn't stop anyone these days. The one time my dad got his keys back after having lost them, someone had stolen the keyring... (We don't have the posting keys thing in the UK btw - though that would be really useful!)

 

But anything else? It's a lost cause. It will either be taken by someone opportunistic if it has any resemblance of resale value, or disposed of. Especially things like bags - the biggest supposed use case for AirTags - it's highly likely these days that, if left somewhere in public (on a train perhaps?), they will be disposed of as a terrorist hazard as opposed to being put into a lost property box. Police in many countries (such as the UK) won't even accept lost property that doesn't have a name or serial number on it. So your phone would be fine, but your bag or set of keys - even with an AirTag - would be rejected or immediately destroyed.

 

As much as I want to believe in the whole community "lets get this item back to them" idea that AirTags are relying on, I have very little faith in it actually working in today's world.

CPU: i7 4790k, RAM: 16GB DDR3, GPU: GTX 1060 6GB


  • 1 month later...
On 5/16/2021 at 8:00 PM, Prodigy_Smit said:

Wi-Fi signal, "borrowing" other users' data and allowing access to the internet by piggybacking on the Find My network that allows AirTags to update their location despite not being connected to the network. This is the second major exploit that ghidraninja has managed to uncover on the AirTags after effectively jailbreaking them last week.

Also, don't AirTags communicate with devices via Bluetooth? There are no WiFi signals.

Isn't the borrowing of other users' data the whole point of the Find My Network?

 

Does "the network" mean Find My Network?

 

Also, the Sophos article details "Send My" by a researcher called Fabian Bräunlein. I don't think that's the same person either.

It also says that "Free internet access" is "Very loosely put", "with some spectacular limitations on bandwidth and latency"

 


I don't disagree that the Find My network, however, could be used by an attacker or researcher to communicate via packets, but as I understand, only to Apple's Find My servers and with an ESP32 - not an AirTag. 

Quote

Bräunlein speculates, however, that his Send My technique could be used for exfiltrating data from semi-secure environments in which trusted mobile phones containing only trusted apps are allowed, and all internet-connected devices are monitored and controlled.

That’s because this trick (we’ve decided that, yes, that is the right word!) gives untrusted, anonymous Bluetooth devices a way to transmit data over the internet via nearby trusted phones without ever authenticating to those phones or any of their apps.

 

I invite anyone who thinks I am wrong to correct me, please! 

 

Everything underlined is from the Sophos article.

UTC/GMT (Except during BST)
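colonel_mortis's post above describes the channel as "use the ID as a way to convey data", and the quoted Sophos passage frames the risk as exfiltration from a monitored environment via trusted phones. The following is an added example from the defender's side, not code from the thread, the Sophos article or Bräunlein's research: a small detection heuristic that reads a constructed log of Bluetooth LE advertisements (one `<unix_ts>,<advertised_id_hex>` line per broadcast, a format assumed for this example) and flags time windows in which the number of distinct advertised identifiers is far higher than a benign tag would produce. The benign rotation interval, the window size and the alert threshold are all hypothetical values chosen for the sample; the 20 B/s figure in the capacity helper is the one quoted in the thread.

```python
"""Identifier-churn heuristic for Find My-style covert channels.

Added example (defender's stance); not from the forum thread or the Sophos
article.  Log format '<unix_ts>,<advertised_id_hex>' is constructed for the
example, as are the rotation interval and alert threshold below.
"""
from collections import defaultdict

ROTATION_S = 60              # assumption: benign tag changes its id every 60 s
                             # in the sample (real tags rotate far less often)
WINDOW_S = 60                # analysis window size in seconds
MAX_DISTINCT_PER_WINDOW = 3  # hypothetical alert threshold; tune per environment


def build_sample_log() -> str:
    """Return constructed advertisement log lines (not real captures).

    A benign tag broadcasts once per second and keeps the same id for
    ROTATION_S seconds.  From t=60 a covert sender is also active: it uses a
    different id on every broadcast because each id stands for a different
    payload value, which is the behaviour the heuristic keys on.
    """
    lines = []
    for ts in range(120):
        lines.append(f"{ts},aa{ts // ROTATION_S:02x}")
    for ts in range(60, 120):
        lines.append(f"{ts},cc{ts:04x}")
    return "\n".join(lines)


def parse_log(text: str) -> list[tuple[int, str]]:
    """Parse '<ts>,<id>' lines into (timestamp, id) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, adv_id = line.split(",", 1)
        events.append((int(ts), adv_id))
    return events


def distinct_ids_per_window(events, window_s: int = WINDOW_S) -> dict[int, int]:
    """Map window index -> number of distinct advertised ids seen in it."""
    seen = defaultdict(set)
    for ts, adv_id in events:
        seen[ts // window_s].add(adv_id)
    return {w: len(ids) for w, ids in seen.items()}


def flag_windows(events, window_s: int = WINDOW_S,
                 max_distinct: int = MAX_DISTINCT_PER_WINDOW) -> list[int]:
    """Return window indices whose id churn exceeds the threshold."""
    counts = distinct_ids_per_window(events, window_s)
    return sorted(w for w, n in counts.items() if n > max_distinct)


def seconds_to_exfiltrate(n_bytes: int, rate_bytes_per_s: float = 20.0) -> float:
    """Time needed at the ~20 B/s ceiling quoted in the thread."""
    return n_bytes / rate_bytes_per_s


if __name__ == "__main__":
    ev = parse_log(build_sample_log())
    print("distinct ids per window:", distinct_ids_per_window(ev))
    print("flagged windows:", flag_windows(ev))
    hours = seconds_to_exfiltrate(1 << 20) / 3600
    print(f"1 MiB at 20 B/s would take about {hours:.1f} h")
```

In the sample the first window holds one identifier and passes, while the second holds sixty-one and is flagged; the capacity helper makes the thread's point about bandwidth concrete, since moving a single mebibyte at the quoted rate takes well over half a day of continuous broadcasting near trusted phones. A real deployment would key the count on a per-sniffer or per-area basis and calibrate the threshold against the legitimate tag population rather than the constants used here.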

