A security researcher with Positive Security said he has found a method of exploiting the iCloud-based Find My Device function available to users of iOS and macOS devices, allowing unauthorized transfer of data between the target device and other devices in the vicinity without the need for an Internet connection, Threatpost reports.
Dubbed the “Send My” exploit, the revealed method came with a proof of concept that uses a microcontroller and a custom MacOS app to facilitate the broadcast of data between devices thru Bluetooth Low Energy. The receiving device may then transfer the data to an Apple iCloud server controlled by the attacker when it later connects to the internet.
Regarding use cases for the exploit, the researcher said people can use it as a more efficient means of sharing an internet connection, or, in a threat actor’s case, steal data stored in air-gapped systems or in Faraday-caged rooms, or to deplete an iPhone’s mobile data plan.
Jill Aitoro leads editorial for SC Media, and content strategy for parent company CyberRisk Alliance. She 20 years of experience editing and reporting on technology, business and policy.
The most promising passwordless technology isn't enterprise-ready. Focus on feasible IAM upgrades that will strengthen your security posture until passwordless solutions mature.
Qualcomm on Tuesday disclosed nearly two dozen security vulnerabilities in its chipsets, including the company’s flagship suite of SnapDragon processor chips and affecting products that range from cars to powerline communications.
Open source software utilization has been scaled back by nearly 40% of industry professionals due to security concerns, with more than 50% reducing open source usage following the emergence of the widespread Log4j vulnerability, The Register reports.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news