An interesting thing to note from the article is that this isn't just a garden variety jailbreak/adversarial interoperability with a BLE protocol. It lets you turn someone else's device into an airtag, then track its location.
> In addition, we appreciate the help from the Apple Security Team for their prompt responses and acknowledgement. Apple recently released patches in iOS 18.2, visionOS 2.2, iPadOS 17.7.3, 18.2, watchOS 11.2, tvOS 18.2, macOS Ventura 13.7.2, Sonoma 14.7.2, Sequoia 15.2 to fix the vulnerability. However, the attack remains effective as long as unpatched iPhones or Apple Watches are in the proximity of the computer running our trojan.
Seems like a pretty bad vulnerability to just hope 1.5B iPhones alone update soon enough. I know people still on iOS 17/16... All of them are now complicit.
But I'm happy to see my state represented in security research :)
Yeah - this is really really cool, but if you have code running on the target device, why relay its location via FindMy? If you are already talking to an external server to get pre-computed keys, there are easier ways to share location than FindMy… I guess if the target device doesn’t have GPS, FindMy does get you closer than other geolocation methods.
Yes, not having GPS is one reason. The other one (less good) is that you can continue to track the device even when it has no network connection (as long as it's turned on and near an iPhone).
But there probably aren't many situations where someone has a network-enabled device turned on, disconnected from the network, but in range of at least one iPhone that has a network connection. Perhaps on a plane?
The patch for iOS is not to stop the potential hijack via Trojan software but to stop the mesh of iOS devices from broadcasting the Find My messages around.
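To make the relay these comments are arguing about concrete, below is a simulation added by the editor; it is not code from the paper, the commenters, or Apple. It is modeled on the publicly reverse-engineered offline-finding scheme (P-224 ECDH against the advertised key, ANSI X9.63 KDF with SHA-256, AES-GCM, reports indexed by SHA-256 of the public key); the location payload layout and the sample coordinates are constructed for the example and are not Apple's byte format. It needs the `cryptography` package. The point it shows is the one made above: the advertising device needs neither GPS nor a network, the finder iPhone does the geolocation and the upload, and whoever holds the private key (the owner, or in the trojan scenario the attacker) is the only party that can read the reports.

```python
"""Simulation of the Find My offline-finding relay (added example).

Three parties: the 'lost' device (only a BLE advertiser: no network, no GPS),
a finder iPhone (has GPS and network, encrypts and uploads), and the key
holder who downloads reports. Modeled on the publicly reverse-engineered
scheme (P-224 ECDH, ANSI X9.63 KDF, AES-GCM); the location payload layout
here is a constructed simplification, not Apple's exact byte format.
"""
import hashlib
import struct

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.x963kdf import X963KDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

CURVE = ec.SECP224R1()


def lost_device_keypair():
    """Whoever generates this key pair can read every report for it.
    In the trojan scenario discussed above that is the attacker, not the
    device's owner. Only the 28-byte x-coordinate is ever broadcast."""
    priv = ec.generate_private_key(CURVE)
    pub_x = priv.public_key().public_numbers().x.to_bytes(28, "big")
    return priv, pub_x


def _session_key(shared_secret, eph_pub_bytes):
    # X9.63 KDF over the ECDH secret, bound to the finder's ephemeral key;
    # 32 bytes out: 16-byte AES key followed by 16-byte GCM nonce.
    kdf = X963KDF(algorithm=hashes.SHA256(), length=32, sharedinfo=eph_pub_bytes)
    material = kdf.derive(shared_secret)
    return material[:16], material[16:]


def finder_report(pub_x, lat, lon, accuracy_m):
    """Finder side: runs on a nearby iPhone that saw the advertisement.
    The finder needs connectivity and GPS; the advertising device needs neither."""
    # Decompress with the even-y prefix: ECDH uses only the shared x-coordinate,
    # so either sign of y yields the same secret, which is why only x is sent.
    lost_pub = ec.EllipticCurvePublicKey.from_encoded_point(CURVE, b"\x02" + pub_x)
    eph = ec.generate_private_key(CURVE)
    eph_pub = eph.public_key().public_bytes(Encoding.X962, PublicFormat.UncompressedPoint)
    key, nonce = _session_key(eph.exchange(ec.ECDH(), lost_pub), eph_pub)
    # Constructed payload: fixed-point lat/lon plus accuracy; not Apple's layout.
    payload = struct.pack(">iiB", round(lat * 1e7), round(lon * 1e7), accuracy_m)
    ciphertext = AESGCM(key).encrypt(nonce, payload, None)
    # The upload is indexed by the hash of the advertised key, so the server
    # stores ciphertext it cannot read and cannot tell owner from attacker.
    report_id = hashlib.sha256(pub_x).digest()
    return report_id, eph_pub, ciphertext


def decrypt_report(priv, report):
    """Key-holder side: recompute the ECDH secret with the private key."""
    _, eph_pub, ciphertext = report
    eph = ec.EllipticCurvePublicKey.from_encoded_point(CURVE, eph_pub)
    key, nonce = _session_key(priv.exchange(ec.ECDH(), eph), eph_pub)
    plaintext = AESGCM(key).decrypt(nonce, ciphertext, None)
    lat_fp, lon_fp, accuracy_m = struct.unpack(">iiB", plaintext)
    return lat_fp / 1e7, lon_fp / 1e7, accuracy_m


def decrypts_with(priv, report):
    """True only for the matching private key: the GCM tag check fails for
    any other key, even if the report-ID lookup is bypassed."""
    try:
        decrypt_report(priv, report)
        return True
    except InvalidTag:
        return False


def owner_fetch_and_decrypt(priv, server_reports):
    """Fetch by report ID (what the key holder asks the server for), then decrypt."""
    pub_x = priv.public_key().public_numbers().x.to_bytes(28, "big")
    wanted = hashlib.sha256(pub_x).digest()
    return [decrypt_report(priv, r) for r in server_reports if r[0] == wanted]


if __name__ == "__main__":
    tracker_priv, advertised = lost_device_keypair()  # attacker keeps tracker_priv
    server = [finder_report(advertised, 37.7749, -122.4194, 20),   # constructed
              finder_report(advertised, 37.7751, -122.4190, 35)]   # sample fixes
    for loc in owner_fetch_and_decrypt(tracker_priv, server):
        print("decrypted report:", loc)
    bystander_priv, _ = lost_device_keypair()
    print("bystander can decrypt:", decrypts_with(bystander_priv, server[0]))
```

Note that nothing in `lost_device_keypair` or the advertisement path touches a network: the only party that uploads is the finder, which is exactly why the attack keeps working while unpatched finders are nearby, and why a patch that makes finders stop relaying is the lever Apple has.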