A research team headed by CS faculty Qiang Zeng and Lannan Luo has discovered a critical vulnerability in Apple’s Find My network. This attack, called nRootTag, allows an attacker to turn any Bluetooth device into an AirTag-like tracker, leveraging Apple’s 1.5-billion-device network at no cost.
The security implications are significant: military units could be tracked even without GPS or internet, high-value targets (political figures, journalists, dissidents) remain vulnerable despite avoiding smartphones, and smart devices like locks could expose their owners’ locations. The team reported the vulnerability to Apple, which resulted in a fix from the company in December 2024, covering iOS 18.2, visionOS 2.2, iPadOS 17.7.3 and 18.2, watchOS 11.2, tvOS 18.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2, and Sequoia 15.2.
The work has gained extensive media coverage including Forbes, DailyMail, TechRadar, and security forums. It will be presented at USENIX Security 2025 this summer in Seattle, WA.
More Information
• Research Project: https://nroottag.github.io/; USENIX Security 2025 Paper: https://cs.gmu.edu/~zeng/papers/2025-security-nrootgag.pdf
• CEC News Report: https://cec.gmu.edu/news/2025-02/find-my-hacker-how-apples-network-can-be-potential-tracking-tool
• Forbes Coverage: https://www.forbes.com/sites/davidphelan/2025/03/03/apple-iphone-find-my-critical-alert-issued-to-all-users-in-expert-warning/
• DailyMail Coverage: https://www.dailymail.co.uk/sciencetech/article-14470803/Frightening-flaw-iPhone-app-thats-downloaded-default-national-security-threat.html
• TechRadar Coverage: https://www.techradar.com/phones/phone-accessories/this-find-my-exploit-lets-hackers-track-any-bluetooth-device-heres-how-you-can-stay-safe