Tracking You from a Thousand Miles Away! Turning a Bluetooth Device into an Apple AirTag Without Root Privileges

Junming Chen

34th USENIX Security Symposium (USENIX Security '25) · Day 2 · System Security 3: Mobile Platforms

This talk, presented by Junming Chen at USENIX Security, unveils a critical security vulnerability within Apple's widely used Find My network. The research, dubbed "Android," demonstrates how nearly any Bluetooth-enabled device – from laptops and smartphones to gaming consoles – can be covertly transformed into a tracking beacon without requiring root privileges or user awareness. By exploiting an overlooked aspect of Bluetooth Low Energy (BLE) advertisement handling and a discrepancy in Apple's Find My protocol implementation, Chen and his team illustrate how an attacker can leverage Apple's global network of devices to achieve precise, street-level tracking of arbitrary Bluetooth devices.

AI review

Solid original research that finds a real, exploitable gap in Apple's Find My network — the acceptance of public Bluetooth addresses despite design intent to use random static ones. The attack chain is clever, the economics are brutal ($2.20 for 90% key-match probability), and the cross-platform analysis across Linux/Android/Windows shows the team did the actual work rather than stopping at a single PoC.
