In This Story
George Mason University researchers recently uncovered a way for hackers to track the location of nearly any computer or mobile device. Named "nRootTag" by the team, the attack uses a device’s Bluetooth address combined with Apple's Find My network to essentially turn target devices into unwitting homing beacons.
"It's like transforming any laptop, phone, or even gaming console into an Apple AirTag - without the owner ever realizing it," said Junming Chen, lead author of the study. "And the hacker can do it all remotely, from thousands of miles away, with just a few dollars."
The team of Qiang Zeng and Lannan Luo—both associate professors in the Department of Computer Science—and PhD students Chen and Xiaoyue Ma found the attack works by tricking Apple's Find My network into thinking the target device is a lost AirTag. AirTag sends Bluetooth messages to nearby Apple devices, which then anonymously relay its location via Apple Cloud to the owner for tracking. Their attack method can turn a device—whether it's a desktop, smartphone, or IoT device—into an "AirTag" without Apple's permission, at which point the network begins tracking.
In experiments, they were able to pinpoint a stationary computer's location to within 10 feet, accurately track a moving e-bike's route through a city, and even reconstruct the exact flight path and identify the flight number of a gaming console brought onboard an airplane. Zeng gave an alarming example: “While it is scary if your smart lock is hacked, it becomes far more horrifying if the attacker also knows its location. With the attack method we introduced, the attacker can achieve this.”
While Apple designs an AirTag to change its Bluetooth address based on a cryptographic key, an actor could not do this on other systems without administrator privileges. So instead of trying to modify the Bluetooth address, the researchers developed efficient key search techniques to find a key that is compatible with the Bluetooth address, making the key adapt to the address instead.
What makes nRootTag particularly unsettling is a 90 percent success rate and the ability to track devices within minutes. The technique doesn't require sophisticated administrator privilege escalation typically needed for such deep system access. Instead, it cleverly manipulates the Find My Network's trust in device signals, essentially turning Apple's helpful lost-device feature into an unwitting accomplice. The researchers demonstrated that the attack works broadly on computers and mobile devices running Linux, Android, and Windows, as well as several Smart TVs and VR Headsets.
"Time is essential in an actual attack, and we don't have a year to do the cracking," said Chen. They used hundreds of graphics processing units (GPUs) to help find a match quickly, taking advantage of the affordability in the current GPU rental landscape, where people rent out idle GPUs for credits, driven by previous mining trends and the current AI boom. Chen explained that unlike Bitcoin mining where only one solution is kept, their mismatches can be saved to a database (called a rainbow table) for future use, making it particularly effective for targeting thousands of devices simultaneously. Chen suggested this technique could be attractive to advertising companies looking to profile users without relying on device GPS.
Most concerning are the privacy implications, as bad actors could easily abuse this technique for stalking, harassment, corporate espionage, or threats to national security. The researchers recommended to Apple that it update its Find My network to better verify devices, but a true fix may take years to roll out. The team informed Apple of the problem in July of 2024 and Apple officially acknowledged it in subsequent security updates, though they have not disclosed how they will patch the issue. Chen cautions that even once the patch is rolled out, “we foresee that there will be a noticeable amount of users who postpone or prefer not to update for various reasons and Apple cannot force the update; therefore, the vulnerable Find My network will continue to exist until those devices slowly ‘die out,’ and this process will take years.”
The team will present these findings this August in Seattle at the USENIX Security Symposium, one of the premier conferences worldwide for computer security and cryptography.
In the meantime, researchers advise users to be wary of apps asking for unnecessary Bluetooth permissions and if Bluetooth was unintentionally enabled, keep their device software up-to-date, and consider privacy-focused operating systems for better protection against prying eyes.