According to a study, two flaws in a crowd-sourced location-tracking system that lets users locate Apple devices even when they are offline could reveal users’ identities.
Apple’s Offline Finding (OF) feature, released in 2019 for iOS, macOS, and watchOS, lets users locate their Apple devices even when those devices are not connected to the internet. The capability itself is not unique to Apple, but the company promised that its system would do the job while respecting user privacy.
Although the system largely achieves its privacy goals, it has weaknesses that “can contribute to a position correlation assault and illegal users to the location background over the past seven days, which may de-anonymize users,” according to a research team from Germany’s Technical University of Darmstadt.
Researchers Alexander Heinrich, Milan Stute, Tim Kornhuber, and Matthias Hollick set out to test whether Apple’s assertions hold: that OF protects finder privacy, does not track owner devices, and keeps location reports confidential. They reported their results to Apple, which responded by issuing a patch for the more severe of the two bugs.
OF is the world’s largest crowd-sourced location-tracking system, built on a base of hundreds of millions of smartphones. It is expected to grow considerably as OF adds support for non-Apple devices in the future, according to analysts.
The system works by using a network of “finder” devices to detect “lost” or unassociated devices over Bluetooth Low Energy (BLE). The owner of the lost device then receives location information relayed by finder devices that are connected to the internet.
Getting a Glimpse of What’s Under the Hood
The Darmstadt team reverse-engineered the closed-source OF protocol to recover the details of how device loss, search, and retrieval work, exposing the encryption and decryption scheme on which the system is built, the researchers said.
They said: “In short, computers belonging to the same user agree on a series of so-called rolling public–private keypairs. Devices that may not have access to the Internet, such as those lacking cellular or WiFi, emit BLE advertisements that encrypt one of the rotating public keys. Finder devices that hear these advertisements encrypt their present position using the rolling public key and send the position report to a central Apple-run server.”
When searching for a lost device, the researchers explained, another device belonging to the owner queries the central server for location reports using the lost device’s known rolling public keys. With the corresponding private keys, the owner can decrypt the reports and recover the location.
Although the overall design meets Apple’s stated privacy goals, the researchers found two flaws that, as they put it, “appear to be outside of Apple’s vulnerability model but may have serious implications for consumers.”
Anonymity Is Being Lost
According to the researchers, one weakness in the design of OF allows Apple to correlate the locations of different owners whose devices are reported by the same finder, “adequately enabling Apple to create a social graph,” which could compromise user privacy.
When uploading and retrieving location reports, finder and owner devices reveal their identities to Apple, which lets the company see who has been in close proximity to whom; Apple could also retain that information for later use. The researchers noted that this weakness comes into play when a device owner requests the location of their device through the Find My application.
The second flaw the researchers found poses a more serious threat. It could be exploited by “malicious macOS applications that retrieve and decode the OF position reports for all of its users and for all of their smartphones over the last seven days,” the researchers said.
The problem is that the location privacy of lost devices rests on the assumption that the private part of the advertising keys, which rotate every 15 minutes, is known only to the owner’s devices. Because the system retrieves location reports from the previous seven days, the researchers noted, there are 672 advertising keys per device for which location reports may exist on Apple’s servers.
All of these keys could in principle be regenerated from the master beacon key whenever needed. Apple, however, chose to cache the advertisement keys, presumably for performance reasons. The cached keys are stored in a directory on disk that is readable by the device’s user and therefore by any app running with user privileges, the researchers said.
The flaw can also be used to bypass Apple’s restricted location API and obtain the geolocation of all of a user’s devices without permission, the researchers said, and historical location reports could be used to build a mobility profile that identifies the user “with great precision.”
After the team reported its findings, Apple issued a fix in September 2020, tracked as CVE-2020-9986 and described as a “file access problem… with some home folder data.” The flaw could allow a “malicious program… to interpret confidential location details,” according to the researchers. Apple addressed the issue in macOS Catalina 10.15.7 with “improved connectivity restrictions.”