Cloud Security, Mobile

Proof of concept released for exploit of Apple’s Find My Device function using iCloud

May 13, 2021
A security researcher with Positive Security said he has found a method of exploiting the iCloud-based Find My Device function available to users of iOS and macOS devices, allowing unauthorized transfer of data between the target device and other devices in the vicinity without the need for an Internet connection, Threatpost reports. Dubbed the “Send My” exploit, the revealed method came with a proof of concept that uses a microcontroller and a custom MacOS app to facilitate the broadcast of data between devices thru Bluetooth Low Energy. The receiving device may then transfer the data to an Apple iCloud server controlled by the attacker when it later connects to the internet. Regarding use cases for the exploit, the researcher said people can use it as a more efficient means of sharing an internet connection, or, in a threat actor’s case, steal data stored in air-gapped systems or in Faraday-caged rooms, or to deplete an iPhone’s mobile data plan.
Jill Aitoro

SC Media Editor in Chief Jill Aitoro has 20 years of experience editing and reporting on technology, business and policy. She also serves as editorial director at SC Media’s parent company, CyberRisk Alliance. Prior to joining CRA, she worked at Sightline Media as editor of Defense News and executive editor of the Business-to-Government Group. She previously worked at Washington Business Journal and Nextgov, covering federal technology, contracting and policy, as well as CMP Media’s VARBusiness and CRN and Penton Media’s iSeries News.

prestitial ad