Apple’s Find My network is a powerful tool for tracking the location of your devices, but it has a major security vulnerability that hasn’t been patched. Researchers at George Mason University discovered the network can be exploited to track almost any Bluetooth device — not just an AirTag or iPhone — through a combination of Apple’s network and a device’s Bluetooth address.
“It’s like transforming any laptop, phone, or even gaming console into an Apple AirTag – without the owner ever realizing it,” said lead author Junming Chen. “And the hacker can do it all remotely, from thousands of miles away, with just a few dollars.”
To understand the exploit, you need to understand how the Find My network operates. Take an AirTag as an example; it pings nearby Apple devices with a Bluetooth signal, and that signal is anonymously sent to the Apple Cloud. The key to the exploit lies in this anonymity.
Since the Find My network relies on encrypted data rather than administrative privileges, the researchers were able to build a key that adapts on the fly. They dubbed it “nRootTag,” and the terrifying part is that it has a 90% success rate.
The team tested the exploit on a wide range of devices to unsettling success. They pinpointed the location of a computer to within 10 feet and identified an airplane’s flight path (and number) by tracking a gaming console a passenger had taken aboard.
While the experiment highlights the power of the Find My network, it also illustrates how easily a bad actor could gain access to sensitive information. AirTags have been used to track people in the past — one of the reasons Apple intends to make the speaker tougher to remove in the AirTag 2 — but nRootTag goes beyond that. The team traced VR headsets, smart TVs, and numerous other devices with relative ease.
Qiang Zeng, another member of the research team, highlighted a particularly awful use. “While it is scary if your smart lock is hacked, it becomes far more horrifying if the attacker also knows its location. With the attack method we introduced, the attacker can achieve this.”
The team alerted Apple of the security flaw in July 2024, and the company has since acknowledged it in update notes. However, no patch has been issued. The exploit takes advantage of the core functionality of the Find My network, and introducing a fix that doesn’t somehow impair the location-tracking functionality will take time — potentially years, according to the team.
As for what to do in the meantime, Chen recommends keeping all devices and software up to date and monitoring anything that requests Bluetooth permission, especially if the app doesn’t need it.
