Our work uncovered a vulnerability in the Find My service that permitted all types of BLE addresses for advertising. Leveraging this flaw, we proposed a novel attack method, nRootTag, which turns a computer into an "AirTag"-like tracker without requiring root privilege escalation.
The project forms a complete attack chain that depends on each component working together. The setup is somewhat involved, so we thank you for your patience. The project contains the following components: a C&C server, a database, a Seeker, and Trojans for Linux, Windows, and Android. Each component can be evaluated separately.
📺 We provide screen recordings for the essential steps. Due to GitHub's size constraints, please download the screen recordings from Zenodo. They are available in the ScreenRecording directory. Please review Evaluation.md for detailed steps to reproduce and evaluate our project.
We created Chapoly1305/FindMy for our experiment. You may also visit other existing projects on the Internet to develop your own retrieval platform. We do not endorse or vouch for any of these projects.
We have contacted Apple regarding the vulnerability and attack method. Apple has acknowledged the issue and is implementing a fix. This code is for academic research and security analysis only. Use responsibly in controlled test environments.
Please consider sharing and citing our research paper Tracking You from a Thousand Miles Away! Turning a Bluetooth Device into an Apple AirTag Without Root Privileges!
@inproceedings{chen2025track,
title={Tracking You from a Thousand Miles Away! Turning a Bluetooth Device into an Apple AirTag Without Root Privileges},
author={Chen, Junming and Ma, Xiaoyue and Luo, Lannan and Zeng, Qiang},
booktitle={USENIX Security Symposium (USENIX Security)},
year={2025}
}
nRootTag is licensed under GPL v3, inheriting the license from the original projects it builds on. We thank their authors for their contributions.
- OpenHayStack - GPL v3
- VanitySearch - GPL v3
- win-ble-cpp - MIT
- Windows-universal-samples - MIT