For years, Apple has marketed the Find My network as a privacy-first way to locate lost devices, AirTags, and even friends.
It’s baked into every iPhone, Mac, and iPad, leveraging a vast network of Apple devices to create a crowdsourced tracking system.
Sounds great, right? However, according to new research, hackers can exploit this very network to track virtually any Bluetooth-enabled device—even ones that aren’t Apple products.
And the worst part? Fixing the issue isn’t as simple as a software patch.
How Hackers Can Turn Your Devices Into Tracking Beacons
Imagine you’re on a flight, cruising at 35,000 feet, and your gaming console is tucked away in your carry-on.
You’d assume that once it’s in airplane mode, it’s invisible to the outside world. However, researchers at George Mason University discovered an exploit that allowed them to reconstruct the exact flight path of a gaming console aboard a commercial plane using Apple’s own Find My network.
The vulnerability, dubbed “nRootTag,” is as ingenious as it is alarming. By manipulating cryptographic keys, hackers can trick the Find My system into treating any Bluetooth-enabled device as if it were an AirTag.
That means your laptop, wireless headphones, VR headset, e-bike, or even your smart lock could be turned into an unwitting tracking beacon. The implications are staggering.
“We were able to pinpoint a device’s location within minutes with 90% accuracy,” one researcher said. “And this attack doesn’t require physical access—it can be executed remotely.”
A Hacker’s Dream Come True
What makes this even more concerning is the attack’s accessibility. While it does require significant computing power, hundreds of rented GPUs were used in the study. so this is hardly an insurmountable obstacle.
Crypto miners and AI researchers rent cloud-based GPUs all the time. If an ethical research team can pull this off, it’s only a matter of time before malicious actors do too.
This isn’t a far-fetched, tinfoil-hat scenario. The research team alerted Apple to the vulnerability in July 2024, and while the company acknowledged the issue, it hasn’t publicly disclosed how it plans to fix it.
Security experts warn that even if Apple patches the flaw in future iOS and macOS updates, the Find My network will remain vulnerable for years because older, unpatched devices will still be broadcasting signals.
Apple’s Privacy Problem Keeps Getting Worse
Apple has long positioned itself as the gold standard for privacy, often taking swipes at rivals like Google and Facebook over their data practices.
But recent history tells a different story. From AirTags being exploited for stalking to iPhone spyware scandals, Apple’s grip on privacy is starting to look more like a marketing strategy than an impenetrable fortress.
This latest Find My vulnerability adds another layer to the growing concern. AirTags, for example, were designed to help users track lost items, yet they’ve been repeatedly weaponized for stalking.
Apple responded by introducing alerts for unknown AirTags traveling with you, but that fix came after months of public backlash.
With this new exploit, the potential for abuse is even greater because any Bluetooth device can be turned into an AirTag-like tracker—without any alert system in place.
Also: 8 iPhone settings you should turn off to keep your data safe and your battery lasting longer
The Fix Won’t Happen Overnight
The big question now is: What can Apple do? The short answer? Not much, at least not quickly.
Unlike a traditional software vulnerability that can be patched with an iOS update, this issue is deeply embedded in the Find My network’s architecture.
Apple would likely need to redesign how device authentication works, which could mean rolling out updates that render older devices incompatible—something it has historically avoided to maintain a seamless ecosystem.
Even if Apple introduces a fix tomorrow, researchers warn that this vulnerability could persist for years.
“The network will remain vulnerable until older devices slowly phase out, and that process will take a long time,” one of the lead researchers explained.
In other words, if you have an old iPhone or Mac sitting in a drawer somewhere, it could still be helping hackers track devices—even if Apple releases a fix.
Also: Apple doesn’t want you to know about these iPhone secret codes—but they still work
What You Can Do to Protect Yourself
While Apple scrambles to figure out a long-term solution, there are a few immediate steps you can take to mitigate the risk:
- Be selective about Bluetooth permissions. Some apps request Bluetooth access unnecessarily. If an app doesn’t need Bluetooth, don’t grant it permission.
- Keep your devices updated. While this vulnerability may persist on older devices, newer updates may include security enhancements that make it harder to exploit.
- Consider privacy-focused operating systems. If you’re serious about security, look into alternative operating systems like GrapheneOS, which is designed with privacy in mind.
Also: Your iPhone has a hidden feature that instantly fixes the biggest hassle of traveling abroad
The Bottom Line
Apple has built one of the most powerful device-tracking networks in existence—but that power comes at a cost.
The same system that helps you find your lost AirPods can also be manipulated to track you without your knowledge. And despite Apple’s reputation for security, this isn’t a flaw that can be quickly patched away.
The Find My network’s biggest strength—its vast, crowdsourced reach—is also its biggest weakness.
Until Apple fundamentally rethinks how its tracking technology works, your Bluetooth devices could be telling strangers exactly where you are.
