Find My Network Exploit Turns Any Bluetooth Device Into a Tracker

Researchers at George Mason University discovered a vulnerability, dubbed "nRootTag," in Apple's Find My network. This exploit allows tracking of any Bluetooth device without the owner's knowledge by disguising them as AirTags. The attack manipulates cryptographic keys, achieving a 90% success rate in locating devices within minutes. It requires no physical access or administrator privileges, enabling remote tracking. Experiments showed accurate location tracking of stationary and mobile devices. While requiring significant computing power, this is achievable through readily available GPU rentals. Apple acknowledged the vulnerability but hasn't publicly disclosed its fix. The vulnerability's persistence is a concern due to delayed updates by many users. Researchers recommend caution with Bluetooth permissions, timely updates, and consideration of privacy-focused operating systems. The research will be presented at the USENIX Security Symposium.