๐ค AI Summary
This work exposes a critical security flaw in Appleโs Find My network stemming from design weaknesses in its Bluetooth Low Energy (BLE) broadcast protocol, which enables unauthorized tracking and physical theft of lost devices. The authors present Snatcher, the first complete attack framework that operates entirely on commodity Android devices without specialized hardware. By exploiting unencrypted BLE advertisements, an unauthenticated acoustic trigger mechanism, and slow MAC address randomization, Snatcher integrates acoustic direction-of-arrival estimation, RSSIโIMU sensor fusion, and spatiotemporal clustering to achieve real-time tracking and precise localization of Apple devices in realistic settings. This study reveals a fundamental tension between privacy preservation, anti-tracking measures, and physical security, uncovering severe vulnerabilities in the Find My ecosystem.
๐ Abstract
Apple's Find My network connects nearly one billion devices to locate missing property via Bluetooth Low Energy (BLE). This paper reveals that insecure BLE advertisements and design tradeoffs allow unauthorized discovery and physical theft of lost Apple devices. We develop Snatcher, an attack and analysis framework implemented fully on Android smartphones without specialized hardware. Snatcher identifies vulnerabilities in unencrypted BLE advertisements, unauthenticated acoustic triggers, and slow MAC address randomization. Through three levels - sound-based direction finding, RSSI-IMU sensor-fusion navigation, and spatial-temporal clustering - our Android-based platform physically tracks and locates lost Apple accessories and devices in real-world tests. Our results highlight a crucial conflict between privacy protection, anti-stalking design, and physical security, urging Apple to strengthen Find My defenses.