An address confusion vulnerability in Apple's Find My network allows a remote attacker to turn your device, whether it's a desktop, smartphone, or smartwatch, into an AirTag-like tracker and follow your location. How does it work? Over 1.5 billion iPhones worldwide could act as free tracking agents for the attacker.
Thank you for your interest in this tracking research. This is my first time presenting at DEFCON, and I'm excited to share our findings with this community.
This presentation covers the "nRootTag" attack - a novel post-exploitation technique that transforms any Bluetooth-enabled device into an unauthorized tracker using Apple's Find My network. The content is designed for security researchers interested in privacy implications and those seeking advanced post-exploitation methods.
Background & Discovery
- Apple Find My network fundamentals - how AirTags and AirPods become trackable
- Critical analysis of prior research that missed a key vulnerability
- The fundamental design flaw that makes unprivileged exploitation possible
- Our breakthrough: reverse cryptographic key generation approach
Attack Implementation
- Custom GPU-accelerated cryptographic techniques targeting Secp224r1
- Cross-platform exploitation strategies across major operating systems
- Silent Bluetooth activation methods most security teams don't know about
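The "reverse cryptographic key generation" item above and the secp224r1 key search item here describe the same computation: instead of deriving a Bluetooth address from a key, pick the key so that it produces a Bluetooth address the device already has. The following is an added CPU-only toy of that search; it is not code from the nRootTag project or the talk. Two things in it are assumptions rather than statements on this page: the address derivation (first 6 bytes of the P-224 public key x-coordinate with the top two bits of the first byte set, as documented by public Find My reverse-engineering work such as OpenHaystack), and the incremental-key trick (stepping from d*G to (d+1)*G with one point addition), which is the standard way any EC key-space search is made cheap and stands in for the talk's own GPU kernel. The curve constants are the FIPS 186-4 values.

```python
# Added example, not the nRootTag project's code: a toy version of the
# 'reverse key generation' search on NIST P-224 (secp224r1).
# ASSUMPTION (from public Find My / OpenHaystack documentation, not this page):
# an accessory's BLE address is the first 6 bytes of its public key x-coordinate
# with the top two bits of byte 0 forced to 1 (a BLE random static address).
import secrets

# NIST P-224 domain parameters (FIPS 186-4).
P = 2**224 - 2**96 + 1
A = P - 3
B = 0xB4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4
G = (0xB70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21,
     0xBD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D


def on_curve(pt):
    """True for the point at infinity (None) or any affine point on y^2 = x^3 + Ax + B."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add k*pt; needed only once, for the search's starting point."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ble_address_from_pubkey(pub):
    """ASSUMED Find My derivation: first 6 bytes of x, top 2 bits of byte 0 set."""
    x_bytes = pub[0].to_bytes(28, "big")
    return bytes([x_bytes[0] | 0xC0]) + x_bytes[1:6]


def expected_additions(match_bytes):
    """Average point additions to match the first match_bytes address bytes:
    8 bits per byte, minus the 2 bits of byte 0 that the derivation fixes.
    A full 6-byte match is therefore 2**46 on average."""
    return 2 ** (8 * match_bytes - 2)


def search_key(target_addr, match_bytes=6, start=None, max_steps=None):
    """Walk private keys d, d+1, d+2, ... until the address derived from d*G
    equals target_addr on its first match_bytes bytes.  Each step is one point
    addition (pub + G), not a fresh scalar multiplication, which is what makes
    the search tractable at all.  Returns (d, pub, steps) or None if max_steps
    runs out.  A target whose top two bits are not 11 can never match."""
    if target_addr[0] & 0xC0 != 0xC0:
        raise ValueError("target is not a BLE random static address")
    d = start if start is not None else secrets.randbelow(N - 1) + 1
    pub = scalar_mult(d, G)
    steps = 0
    while max_steps is None or steps < max_steps:
        if ble_address_from_pubkey(pub)[:match_bytes] == target_addr[:match_bytes]:
            return d, pub, steps
        d += 1
        pub = point_add(pub, G)
        if pub is None:          # d reached the group order; wrap to d = 1
            d, pub = 1, G
        steps += 1
    return None


if __name__ == "__main__":
    # Constructed target address for the demo (top two bits set).
    target = bytes.fromhex("d23456789abc")
    for nbytes in (1, 2):
        d, pub, steps = search_key(target, match_bytes=nbytes)
        print(f"{nbytes} byte(s): key found after {steps} additions "
              f"(expected ~{expected_additions(nbytes)}), d = {d:#x}")
        print("  derived address:", ble_address_from_pubkey(pub).hex())
    print("full 6-byte match expects", expected_additions(6), "additions")
```

Matching two bytes takes a fraction of a second in pure Python; each extra byte multiplies the work by 256, so the full 46-bit match is the kind of workload the GPU figures on this page refer to. Note that the search only ever needs the x-coordinate: the assumed address derivation ignores y, and the Find My advertisement carries only the 28-byte x-coordinate, so half the candidate points are effectively free.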
Making It Practical
- How we reduced a 36-hour attack to under 3 minutes
- Executing sophisticated tracking attacks on a $10 budget
- Advanced techniques for well-resourced threat actors
*We will attempt to conduct a live key search using 200 GPUs, with the public key chosen by the audience.
LinkedIn: https://www.linkedin.com/in/junming-c/
Discord: chapoly
Project: (Spoiler Alert) https://nroottag.github.io
(Fine print: since live demos on stage tend to crash regardless of how many times we rehearsed beforehand, especially with the adrenaline rush, the make-up demo might be conducted after the presentation somewhere in the hallway if we can find a spot. No payment needed. Participants must be alive to say out the numbers. You don't say "You Fucked It Up" at the presentation unless the presenter really fucked it up. Please star my project if you can; I'm really looking forward to having many stars so I can show off at whatever interview in the future. Thank you so much.)