
No.

Expensive computed public key first 46 bits == Victim's BLE address

The Apple FindMy system doesn't (or didn't) validate that the public key being broadcast had ever been manufactured or registered. So anyone with an iCloud account could query the Apple FindMy hashtable for the last observed encrypted payload, which contains the observed location generated by the nearby phone.

If you have root on the victim's device, you don't need the expensive computation step. You just take a public/private keypair of your choice and reprogram the victim's Bluetooth hardware to broadcast that instead.



ok so it seems like 2 attack patterns, one where you can replace the Bluetooth on the target device, and another where you can find a matching public key prefix and set up a beacon for it using your own private key? or am I still not getting that


It was always possible to configure a victim device to be a Bluetooth beacon if you had root on the victim device. You just clone an AirTag to the victim by changing the victim's Bluetooth address (using root access) and start broadcasting FindMy beacons.

What is novel in this attack is that you can use non-root access. You observe the victim's fixed Bluetooth address, and then craft a FindMy beacon that happens to match. Since the FindMy beacon is basically just a public key that the receiver uses to encrypt location data, crafting the beacon is just finding a public/private key pair that matches the victim's Bluetooth address. Since broadcasting a beacon requires less rights (less than root), this is much more broadly exploitable (excluding the expensive precomputation step).
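To make the "public key prefix == Bluetooth address" relationship in the comment above concrete, here is an added example (not from the thread or from Apple): it reconstructs the 28-byte beacon public key from an observed BLE address plus advertisement payload and checks that the 46 free address bits agree with the key. The advertisement layout and the "top two address bits forced to 1" rule are assumptions taken from the publicly documented OpenHaystack description of Find My beacons, and the key bytes are constructed, not a real EC point.

```python
# Assumed Find My advertisement header (OpenHaystack write-up): AD length 0x1E,
# manufacturer-specific type 0xFF, Apple company ID 0x004C, OF type 0x12, OF length 0x19.
FINDMY_PREFIX = bytes([0x1E, 0xFF, 0x4C, 0x00, 0x12, 0x19])


def address_from_key(pubkey: bytes) -> bytes:
    """BLE random static address = key[0:6] with the top two bits of byte 0 set."""
    addr = bytearray(pubkey[:6])
    addr[0] |= 0xC0
    return bytes(addr)


def advertisement_from_key(pubkey: bytes, status: int = 0x00) -> bytes:
    """Payload carries key[6:28] plus the two key bits the address could not hold."""
    return FINDMY_PREFIX + bytes([status]) + pubkey[6:28] + bytes([pubkey[0] >> 6, 0x00])


def key_from_observation(addr: bytes, adv: bytes) -> bytes:
    """Reassemble the full public key from what a nearby phone actually sees."""
    if len(adv) != 31 or adv[:6] != FINDMY_PREFIX or len(addr) != 6:
        raise ValueError("not a Find My advertisement / address pair")
    top_bits = adv[29] & 0x03                      # the two bits clobbered by the 0xC0 mask
    first = bytes([(top_bits << 6) | (addr[0] & 0x3F)])
    return first + addr[1:6] + adv[7:29]           # 1 + 5 + 22 = 28 bytes


def address_matches_key(addr: bytes, pubkey: bytes) -> bool:
    """The 46-bit relation the thread describes: address bits (minus the forced top two)
    must equal the first 46 bits of the public key."""
    return (addr[0] & 0x3F) == (pubkey[0] & 0x3F) and addr[1:6] == pubkey[1:6]


# Constructed sample key: byte 0 has its top bits set so the round trip is exercised.
SAMPLE_KEY = bytes([0x85]) + bytes(range(2, 29))
SAMPLE_ADDR = address_from_key(SAMPLE_KEY)
SAMPLE_ADV = advertisement_from_key(SAMPLE_KEY)
```

Note that a genuine AirTag satisfies exactly the same relation, so this check only confirms that an address/payload pair is a well-formed Find My beacon; it cannot by itself tell a crafted beacon from a legitimate one.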



