Researchers have uncovered a flaw in an iPhone app downloaded and enabled by default, warning it could be a national security threat.

A team from George Mason University in Virginia discovered a vulnerability in Apple’s Find My app network, designed to help users locate misplaced devices, AirTags, and other third-party items.

The team dubbed the attack ‘nRootTag,’ which manipulates the Find My network into mistaking any Bluetooth-enabled device as a lost AirTag. This manipulation allows hackers to track the device owner’s location without their awareness.

Qiang Zeng, one of the team members involved in the research, explained to DailyMail.com that the critical problem lies in how their attack effectively transformed Apple’s Find My network—comprising 1.5 billion iPhones and various Apple devices—into a vast global espionage system that could be exploited by cybercriminals at no cost.

‘A single infected Bluetooth device in a mobile strategic nuclear missile unit could allow attackers to track its movement.’

Zeng also explained that the flaw could let adversaries ‘monitor troop movements’ even if the ‘unit avoids internet connectivity and disables all GPS modules, iPhones in proximity would still report the infected device’s GPS location to Apple’s cloud.’

While researchers are not sharing how the attack is carried out, they said their tests showed an ‘unsettling is a 90 percent success rate.’

The team was able to pinpoint a stationary computer’s location to within 10 feet, track a moving e-bike’s route through a city, reconstruct the exact flight path and identify the flight number of a gaming console brought onboard an airplane.

However, Zeng and lead author Junming Chen raised more concerns about the harassment, stalking and possible national security threat that could happen.

Researchers have uncovered a flaw in an iPhone app downloaded and enabled by default, warning it could be a national security threat 

‘A terrorist leader who avoids carrying a phone for security reasons could still be tracked if they use an infected laptop,’ said Zeng.

‘Nearby iPhones would automatically report their location. Even disabling Bluetooth would not be sufficient, as it can be programmatically re-enabled.

‘The same method could be exploited to track political opponents or dissidents, providing a powerful tool for authoritarian regimes or other actors seeking to monitor individuals without their knowledge.’ 

The researchers demonstrated that the attack works broadly on computers and mobile devices running Linux, Android, and Windows, as well as several Smart TVs and VR Headsets. The attack does not impact Apple products. 

‘It’s like transforming any laptop, phone, or even gaming console into an Apple AirTag – without the owner ever realizing it,’ Chen said.

The team said they informed Apple about the problem in July 2024. The tech giant ‘acknowledged it in subsequent security updates. 

While Apple’s products are not impacted, the company says that it has hardened the Find My network to block inappropriate us. 

The software was release to iPhones on December 11, 2024 with the iOS 18.2, but Zeng said the ‘patch adoption takes time.’ 

The attack, named ‘nRootTag’ by the team, tricks the Find My network into thinking any Bluetooth-enabled device is a lost AirTag, allowing cybercriminals to track the owner without their knowledge

‘For example, as of January 21, 2025—four months after iOS 18’s release—24 percent of iPhones still had not updated, and adoption rates for iPads and smartwatches tend to be even slower,’ he added.

‘This means that even though Apple has released the patch, a significant portion of devices remain unpatched for years.’

Find My network operates by pinging nearby Apple devices with a Bluetooth signal, and then sending that signal anonymously to the Cloud.

And researchers found the flaw in the anonymous signal. 

They were then able to create a key that dynamically adjusts or changes in real time, allowing them to interact with or manipulate the Find My networks encrypted data without requiring traditional administrative privileges.

Essentially, this key enables secure access or modification of the encrypted communication within the network. 

Chen cautioned that even once the patch is rolled out, ‘we foresee that there will be a noticeable amount of users who postpone or prefer not to update for various reasons and Apple cannot force the update; therefore, the vulnerable Find My network will continue to exist until those devices slowly ‘die out,’ and this process will take years.’