Is there more details on this attack? This part is failing the sniff test for me:
> The attacker cannot manipulate the content of the location report, but he can specify the hash that is used to store the location report in the Apple network, cleverly encode the bits and bytes he wishes to transmit within the hash, and retrieve it. By retrieving the location reports, he can find out what data his keylogger has sent. Since the retrieval is effected via the Internet, the attacker can be in any location at the time.
How is the keylogger downloading this information from the AirTag network? Wouldn’t you need to authenticate with Apple APIs to retrieve information? This would be required because even though it can send data, a keylogger would need to know what’s been sent to confirm the receiver has everything in the right order since the location data is capturing state in a lossy manner…
The location report is signed with a public key advertised by the "lost" device.
To retrieve the device's location and to prevent Apple from knowing who lost the device, all signed in users can download any location report for a given public key.
That doesn’t explain how the keylogger obtains the set of things uploaded. Or is it just spamming the network and hoping all the updates make it? Like you don’t even know which beacon made it out.
Yep, that’s pretty much it. There doesn’t seem to be a guarantee that you’ll get all the “packets”. I’m not sure what the Find My update rate is either so I don’t imagine this will be very effective to exfiltrate data.
It is different, because this doesn't need cellular connectivity and can even bridge air gaps. Afaik, your iPhone will happily cache found FindMy beacons and send them out once it has internet connection again.
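The retrieval mechanism the thread is describing (the data lives in the advertised key, reports are fetched by the key's hash, and delivery is lossy) as a constructed toy model added here; it is not the paper's code or any real Find My API, and the message id, key layout, in-memory store and drop pattern are all assumptions.

```python
import hashlib


def chunk_key(msg_id: bytes, index: int, value: int) -> bytes:
    # Assumed key layout: message id || 16-bit chunk index || 8-bit chunk value.
    # Real Find My keys are EC public keys; this fixed layout is a stand-in.
    return msg_id + index.to_bytes(2, "big") + bytes([value])


def storage_hash(key: bytes) -> str:
    # Reports are stored under a hash of the advertised key, not the key itself.
    return hashlib.sha256(key).hexdigest()


class ToyFindMyNetwork:
    """In-memory stand-in for the report store: storage hash -> report count."""

    def __init__(self, drop_every: int = 0):
        self.reports = {}
        self.drop_every = drop_every  # constructed lossiness: drop every Nth relay
        self.seen = 0

    def observe(self, key: bytes) -> None:
        # A nearby 'finder' relays a report for this key; some never arrive.
        self.seen += 1
        if self.drop_every and self.seen % self.drop_every == 0:
            return
        h = storage_hash(key)
        self.reports[h] = self.reports.get(h, 0) + 1

    def fetch(self, h: str) -> int:
        # Any signed-in client can ask for reports under a given hash.
        return self.reports.get(h, 0)


def send(network: ToyFindMyNetwork, msg_id: bytes, payload: bytes) -> None:
    # Sender side: one advertised key per byte; the byte is encoded in the key.
    for i, b in enumerate(payload):
        network.observe(chunk_key(msg_id, i, b))


def receive(network: ToyFindMyNetwork, msg_id: bytes, length: int) -> list:
    # Receiver side: probe all 256 candidate hashes per index. Nothing is
    # downloaded from the sender; the gaps are exactly the dropped chunks.
    out = []
    for i in range(length):
        hits = [v for v in range(256)
                if network.fetch(storage_hash(chunk_key(msg_id, i, v))) > 0]
        out.append(hits[0] if len(hits) == 1 else None)
    return out
```

The receiver never learns which reports were lost except by the `None` gaps, which is the ordering and completeness problem raised above; the sender would need retransmission to fill them.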