Researchers have found a way to use Apple’s Find My Offline Finding network to upload data from computers that are not connected to the Internet or to mobile networks.
The data travels over Bluetooth Low Energy to nearby Internet-connected Apple devices, and from there to Apple’s servers, where it can be retrieved later.
According to researchers with Positive Security, a Berlin-based security consulting company, the technique could be used to avoid the costs and power consumption of mobile Internet, or to exfiltrate data from Faraday-shielded sites visited by iPhone users.
Positive Security built on a March 2021 study by academic researchers at the Technical University of Darmstadt in Germany, which describes weaknesses in Apple’s Find My network, to find a way to use Find My BLE broadcasts to send data to nearby Apple devices.
Although the link between an AirTag and its owner’s Apple device is protected with an elliptic-curve key pair, the owner device does not know which particular key the AirTag is currently using, so it generates the list of keys the AirTag has recently used and queries an Apple service using their SHA256 hashes, according to Positive Security’s researchers.
According to the researchers, “Apple does not know which public keys belong to your AirTag, and therefore which location reports were intended for you.”
The location reports themselves can only be decrypted with the matching private key, but the researchers found that they could check whether reports exist for a given SHA256 hash, and even add reports to it.
“In the shared key-value store, we can set arbitrary bits and query them again. We can transmit arbitrary data if both the sender and receiver agree on an encoding scheme,” the researchers write.
In their setup, the researchers used an ESP32 microcontroller running OpenHaystack-based firmware and a macOS application to retrieve, decode, and view the transmitted data; they published the setup on GitHub as proof-of-concept code.
The sending rate is about 3 bytes per second, though higher speeds are possible. Depending on the number of nearby devices, latency ranged from 1 to 60 minutes.
The method could be used to upload sensor readings or other data from IoT devices, exfiltrate information from air-gapped networks, or even deplete the mobile data plans of nearby iPhones (by broadcasting many unique public keys).
To prevent such an attack, Apple should enforce authentication of the BLE advertisements (the current setup does not distinguish between real and spoofed AirTags) and rate-limit location report retrieval.
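To make the "shared key-value store" reasoning above concrete, and to show where the rate limit proposed as a mitigation bites, here is an added toy simulation; it is not the researchers' code and uses no real Find My key format or API. The store is an in-memory set standing in for the report service, and the per-bit key derivation, the encoding scheme and the query counter are all assumptions for illustration.

```python
import hashlib
# Constructed simulation: the store stands in for the location-report service,
# keyed by SHA256(public key). Key derivation, encoding and rate limit are assumed.

def key_for_bit(msg_id: int, index: int, value: int) -> bytes:
    """Deterministic stand-in for the per-bit 'public key' the sender broadcasts."""
    return hashlib.sha256(f"demo-key|{msg_id}|{index}|{value}".encode()).digest()

def to_bits(data: bytes) -> list:
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]

def from_bits(bits: list) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

class ReportStore:
    """Report store that can optionally enforce a retrieval rate limit (assumed)."""
    def __init__(self, max_queries=None):
        self.hashes = set()      # SHA256 hashes of keys that have at least one report
        self.max_queries = max_queries
        self.queries = 0

    def publish(self, pubkey: bytes) -> None:
        # A nearby finder device relayed the broadcast: a report now exists for this hash.
        self.hashes.add(hashlib.sha256(pubkey).digest())

    def exists(self, pubkey: bytes) -> bool:
        # The existence check is the covert channel; the counter models the mitigation.
        self.queries += 1
        if self.max_queries is not None and self.queries > self.max_queries:
            raise RuntimeError("report retrieval rate limit exceeded")
        return hashlib.sha256(pubkey).digest() in self.hashes

def send(store: ReportStore, msg_id: int, data: bytes) -> int:
    """Sender: one unique key per bit (index, value). Returns the number of keys used."""
    keys = [key_for_bit(msg_id, i, v) for i, v in enumerate(to_bits(data))]
    for k in keys:
        store.publish(k)
    return len(keys)

def receive(store: ReportStore, msg_id: int, nbytes: int):
    """Receiver: query both candidate keys per bit; None if a bit has not arrived yet."""
    bits = []
    for i in range(nbytes * 8):
        one, zero = (store.exists(key_for_bit(msg_id, i, v)) for v in (1, 0))
        if one == zero:          # neither (still in transit) or both (ambiguous)
            return None
        bits.append(1 if one else 0)
    return from_bits(bits)
```

Note that every byte costs the sender eight unique keys and the receiver sixteen hash lookups, which is why capping retrievals per account and window, as suggested above, directly throttles the channel.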