"Where is" the security gap
The tracking app "Where is" offered by the Apple group is supposed to make it easier to find one's own Apple devices. The app is encrypted and tracks devices via Bluetooth. Nevertheless, a research team from the Technical University of Darmstadt has discovered security vulnerabilities that took a year to track down.
The tracking app "Where is" from Apple works encrypted via Bluetooth to track Apple devices. Nevertheless, a four-person research team from the Secure Mobile Networking Lab at TU Darmstadt has discovered gaps in the macOS operating system and has publishedthat can be exploited in the tracking app. With the help of malware, it would theoretically be possible to secretly view past and current location data of all Apple devices. With this knowledge, it would be possible, for example, to track a house or a workplace as frequently visited locations. The research team has already reported the massive vulnerability to Apple and it was fixed with a software update in macOS version 10.15.17 in September 2020.
Nevertheless, the research team still pleads for more transparent open-source solutions. The difficulty in tracing the exact functioning of the app had led to Apple users being potentially vulnerable for more than a year.
"Systems that work with highly sensitive information should be freely accessible or at least fully documented to enable timely independent analysis," security forensics experts were quoted as saying in a statement.
Publication: https://arxiv.org/abs/2103.02282
Source: TU Darmstadt
