Researchers have uncovered a flaw in an iPhone app downloaded and enabled by default, warning it could be a national security threat.
A team from George Mason University in Virginia uncovered the issue in Apple's Find My app network. The app helps users locate lost devices, AirTags and other third-party items.
The attack, named 'nRootTag' by the team, tricks the Find My network into thinking any Bluetooth-enabled device is a lost AirTag, allowing cybercriminals to track the owner without their knowledge.
Qiang Zeng, who was involved in the work, told DailyMail.com: 'The core issue is that our attack effectively turned Apple's Find My network—comprising 1.5 billion iPhones and other Apple devices—into the largest global espionage system, with no cost for attackers.
'A single infected Bluetooth device in a mobile strategic nuclear missile unit could allow attackers to track its movement.'
Zeng also explained that the flaw could let adversaries 'monitor troop movements' even if the 'unit avoids internet connectivity and disables all GPS modules, iPhones in proximity would still report the infected device's GPS location to Apple's cloud.'
While researchers are not sharing how the attack is carried out, they said their tests showed an 'unsettling is a 90 percent success rate.'
The team was able to pinpoint a stationary computer's location to within 10 feet, track a moving e-bike's route through a city, reconstruct the exact flight path and identify the flight number of a gaming console brought onboard an airplane.
However, Zeng and lead author Junming Chen raised more concerns about the harassment, stalking and possible national security threat that could happen.
'A terrorist leader who avoids carrying a phone for security reasons could still be tracked if they use an infected laptop,' said Zeng.
'Nearby iPhones would automatically report their location. Even disabling Bluetooth would not be sufficient, as it can be programmatically re-enabled.
'The same method could be exploited to track political opponents or dissidents, providing a powerful tool for authoritarian regimes or other actors seeking to monitor individuals without their knowledge.'
The researchers demonstrated that the attack works broadly on computers and mobile devices running Linux, Android, and Windows, as well as several Smart TVs and VR Headsets. The attack does not impact Apple products.
'It's like transforming any laptop, phone, or even gaming console into an Apple AirTag - without the owner ever realizing it,' Chen said.
The team said they informed Apple about the problem in July 2024. The tech giant 'acknowledged it in subsequent security updates.
While Apple's products are not impacted, the company says that it has hardened the Find My network to block inappropriate us.
The software was release to iPhones on December 11, 2024 with the iOS 18.2, but Zeng said the 'patch adoption takes time.'
'For example, as of January 21, 2025—four months after iOS 18’s release—24 percent of iPhones still had not updated, and adoption rates for iPads and smartwatches tend to be even slower,' he added.
'This means that even though Apple has released the patch, a significant portion of devices remain unpatched for years.'
Find My network operates by pinging nearby Apple devices with a Bluetooth signal, and then sending that signal anonymously to the Cloud.
And researchers found the flaw in the anonymous signal.
They were then able to create a key that dynamically adjusts or changes in real time, allowing them to interact with or manipulate the Find My networks encrypted data without requiring traditional administrative privileges.
Essentially, this key enables secure access or modification of the encrypted communication within the network.
Chen cautioned that even once the patch is rolled out, 'we foresee that there will be a noticeable amount of users who postpone or prefer not to update for various reasons and Apple cannot force the update; therefore, the vulnerable Find My network will continue to exist until those devices slowly 'die out,' and this process will take years.'
