Apple was notified about a Find My network vulnerability last year, but it hasn't been fixed yet

In July 2024, researchers at George Mason University uncovered a chilling vulnerability in Apple’s Find My network, a system designed to help users locate lost devices like AirTags. Dubbed “nRootTag,” this exploit allows hackers to silently transform any Bluetooth-enabled device — be it a smartphone, laptop, or even a gaming console — into an unwitting tracking beacon, all without the owner’s knowledge. Despite Apple being notified over seven months ago, the issue remains unpatched as of this writing, leaving users increasingly frustrated with the company’s lackluster response.

The Find My network operates by leveraging nearby Apple devices to anonymously relay the location of AirTags or other compatible trackers to their owners via Apple’s servers. However, the researchers — led by Junming Chen, Qiang Zeng, and Lannan Luo — discovered a method to hijack this system. By cracking cryptographic keys tied to Bluetooth addresses using hundreds of GPUs, hackers can trick the network into treating any device as an AirTag. With a 90% success rate, the exploit requires no advanced privileges, making it alarmingly accessible. In tests, the team tracked a computer to within 10 feet, followed an e-bike through a city, and even reconstructed a flight path by tracing a game console.

“It’s like transforming any laptop, phone, or even gaming console into an Apple AirTag without the owner ever realizing it,” Chen explained in a blog post from earlier this month. The implications are dire: a hacked smart lock is bad enough, but knowing its exact location elevates the threat to a stalker’s dream.

Apple acknowledged the George Mason team’s findings in 2024 security updates, but the company has remained tight-lipped about a timeline or solution. The researchers warned that even if a fix is deployed, it could take years to fully resolve. Many users delay software updates, meaning vulnerable devices will persist in the ecosystem.

We foresee that there will be a noticeable amount of users who postpone or prefer not to update for various reasons and Apple cannot force the update; therefore, the vulnerable Find My network will continue to exist until those devices slowly ‘die out,’ and this process will take years.

This isn’t just a technical glitch — it’s a privacy crisis, especially since bad actors could use this for stalking, espionage, or worse.

For now, the advice is simple but limited: keep devices updated, avoid granting unnecessary Bluetooth permissions, and stay vigilant. Yet, this feels like a Band-Aid for a gaping wound to many Apple customers. The exploit’s low cost — enabled by affordable GPU rentals — and potential for mass tracking (think advertising firms profiling users) only heighten the urgency. As the researchers prepare to present their findings at the USENIX Security Symposium in August 2025, pressure is mounting on Apple to act.

Users deserve better than silence and half-measures. With its reputation on the line, Apple’s sluggish approach to this exploit has left a sour taste, especially for a brand synonymous with trust. Until a robust fix arrives, the Find My network — meant to offer peace of mind — remains a double-edged sword.