Proof of concept released for exploit of Apple’s Find My Device function using iCloud

A security researcher with Positive Security said he has found a method of exploiting the iCloud-based Find My Device function available to users of iOS and macOS devices, allowing unauthorized transfer of data between the target device and other devices in the vicinity without the need for an Internet connection, Threatpost reports. Dubbed the “Send My” exploit, the revealed method came with a proof of concept that uses a microcontroller and a custom MacOS app to facilitate the broadcast of data between devices thru Bluetooth Low Energy. The receiving device may then transfer the data to an Apple iCloud server controlled by the attacker when it later connects to the internet. Regarding use cases for the exploit, the researcher said people can use it as a more efficient means of sharing an internet connection, or, in a threat actor’s case, steal data stored in air-gapped systems or in Faraday-caged rooms, or to deplete an iPhone’s mobile data plan.