Users hack AirTag to use free internet without mobile data plan

Tram Ho

Instead, it uses the AirTag protocol on a Bluetooth device with no internet connection to “trick” nearby Apple devices into sending data to the internet on its behalf.

Simply put: you are accessing the internet for free, but in return will be a little limited in terms of bandwidth and latency.

Specifically, in the test, researcher Fabian Braunlein used a cheap and easy-to-program Bluetooth/Wi-Fi ESP32 chip, which is widely used in IoT devices and sold extensively on components websites. electronic. He named this hacking concept “Send My”, a parody of Apple’s “Find My” service, in which AirTags will use a network of iPhones to report their location even when they have no internet connection. .

Since AirTag can report location to Apple even without an internet connection, Braunlein wondered if the process could be tweaked a bit with a non-Apple Bluetooth chip, using reporting data from Find My to determine the location of Apple. Send My data transmission or not?

The process for sending location data from AirTag goes like this:

– When you pair an AirTag with an Apple ID, your computer and AirTag agree to activate an encrypted “seed”. This seed is used to generate a random data sequence every 15 minutes. It is like the seed used in a 2FA authentication application that computes a random 6-digit code every 30 seconds (AirTag seed is not shared with Apple).

– Every 2 seconds, AirTag sends out a Bluetooth Low Energy broadcast containing the public key. This is part of an Elliptic Curve key pair generated using a random data sequence from the original seed and corresponds to the current 15 minute timeframe.

As such, all AirTag does is simply broadcast and wait for someone to take over.

If any internet-connected Apple devices such as iPhones or MacBooks are within range of the AirTag and receive the AirTag’s “I’m here” signal, it will act as a repeater and complete The transmission process follows these steps:

– Calculate its location using GPS, Bluetooth, Wi-Fi, or other available sources

– Encrypt location data with Elliptic Curve public key in AirTag . messages

– Upload encrypted data to Apple’s Find My service.

Braunlein discovered a few things: first, AirTags don’t need a unique identifier to transmit, because the ID they use is simply half of an encrypted and ever-changing public-private key pair; second, neither the Apple device that does the free forwarding on behalf of the AirTag nor the Apple itself knows any private keys have been used.

In other words:

– AirTag doesn’t know which Apple device is receiving and relaying its signal, thus ensuring the privacy of the device owner helping it by providing an internet connection to transmit reports to Find My.

– Apple knows which device sent the signal to Find My but can’t decrypt it, so the location of the relay is kept private.

– AirTag owners who want a location report can decode the location in the Find My report, but don’t know which relay brought up the report.

Người dùng hack AirTag để dùng internet miễn phí mà không cần gói dữ liệu di động - Ảnh 1.

And that’s when the question arises: can you use those public keys not to shuffle the data you want to send, but to encrypt the data you want to send?

Braunlein offers an effective solution to do just that. He programmed a Bluetooth device to transmit AirTag’s public keys, but not the keys: his public keys were in fact a sequence of encrypted packets containing hidden data.

Much of that data can be lost in transit over Bluetooth, and Bluetooth signals emitted and received by nearby Apple devices may never be returned to Apple, or take a long time to recover. move away. But by limiting the length of the hidden data and repeating those Bluetooth public keys over and over again, Braunlein hopes to be able to send all packets containing the hidden data to Apple.

At this point, the recipient, who already knows there will be a hidden packet, can query Apple’s Find My servers to see which message has arrived and decrypt the message. The public keys sent to the Apple server tell the recipient what hidden data was sent. Braunlein’s system even ensures that the contents of outgoing messages will be completely put together in the correct order regardless of when they arrive at Apple’s servers, and that the data can be reconstructed as long as possible. even if some pieces of information don’t get there.

Isn’t that a form of free (and secret) internet access?

However, as mentioned above, this system, although free, is neither fast nor convenient.

Braunlein says he can send data out at 20 bits per second and receive at about 25 bits per second, but those hidden messages take anywhere from a minute to… an hour to arrive.


Is Braunlein’s Hacking a Potential Risk?

Probably not.

According to Braunlein, Apple may not be able to prevent misuse of its Find My system, and probably won’t, considering it designed the system with anonymity and privacy in mind. It’s possible that Apple will put some restrictions on the already meager send and receive bandwidth that Send My takes advantage of, but that doesn’t mean the technique will be useless.

Braunlein says his Send My technique can be used to retrieve data from secure environments where mobile phones are only allowed to install approved apps, and all internet-connected devices are monitored and controlled.

That’s because the technique opens up a way for anonymous Bluetooth devices to transmit data over the internet through nearby approved phones, without having to authenticate with those phones or any other apps. any other of them.

If you’re concerned about this risk, you probably shouldn’t allow other people to bring their cell phones into secure areas, or you need to remind people to switch to airplane mode before entering.

Reference: Sophos

Share the news now

Source : Genk