Security Architecture, Cloud Security, Cloud Security, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Proof of concept released for exploit of Apple’s Find My Device function using iCloud

A security researcher with Positive Security said he has found a method of exploiting the iCloud-based Find My Device function available to users of iOS and macOS devices, allowing unauthorized transfer of data between the target device and other devices in the vicinity without the need for an Internet connection, Threatpost reports. Dubbed the “Send My” exploit, the revealed method came with a proof of concept that uses a microcontroller and a custom MacOS app to facilitate the broadcast of data between devices thru Bluetooth Low Energy. The receiving device may then transfer the data to an Apple iCloud server controlled by the attacker when it later connects to the internet. Regarding use cases for the exploit, the researcher said people can use it as a more efficient means of sharing an internet connection, or, in a threat actor’s case, steal data stored in air-gapped systems or in Faraday-caged rooms, or to deplete an iPhone’s mobile data plan.
Jill Aitoro

Jill Aitoro leads editorial for SC Media, and content strategy for parent company CyberRisk Alliance. She 20 years of experience editing and reporting on technology, business and policy.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.