
Critical Security Flaw in Pre-Installed iPhone App Flagged as National Security Threat
Researchers Warn Apple’s "Find My" App Flaw Could Enable Global Espionage
A critical vulnerability in Apple’s Find My app, which is preinstalled on all iPhones, has been disclosed by researchers at George Mason University, who warn that it could be exploited for mass surveillance and could even pose a national security threat. Dubbed “nRootTag,” the flaw lets attackers trick the Find My network into treating any Bluetooth-enabled device as a lost AirTag, enabling covert tracking of individuals or assets.
How the Attack Works
The Find My network relies on 1.5 billion Apple devices worldwide to anonymously relay Bluetooth signals from lost items. By reverse-engineering AirTag protocols, researchers discovered they could spoof these signals. Attackers can implant malware on non-Apple devices (e.g., laptops, Android phones, smart TVs) to mimic AirTags, causing nearby iPhones to report the device’s GPS location to Apple’s servers—without the victim’s knowledge.
“This turns Apple’s network into a free, global espionage tool,” said researcher Qiang Zeng. In tests, the team achieved a 90% success rate, pinpointing a stationary device within 10 feet and tracking a moving e-bike’s route in real time. In another test, a gaming console carried onboard a flight revealed the exact flight path and flight number.
National Security Risks
The implications extend beyond personal privacy. Zeng warned that a single infected Bluetooth device in sensitive locations—like nuclear missile units—could expose classified movements. Even if such units disable GPS or internet, nearby iPhones would still transmit location data.
- Scenarios include tracking politicians, dissidents, or terrorist leaders who avoid smartphones.
- Bluetooth can be remotely re-enabled on compromised devices, circumventing user attempts to disable it.
Apple’s Response and Patch Gaps
Apple addressed the flaw in iOS 18.2 (released December 2024) by hardening Find My’s encryption. However, adoption lags: as of January 2025, 24% of iPhones remained unpatched. Non-Apple devices (e.g., Android, Windows) also remain vulnerable until manufacturers implement fixes.
“It will take years for vulnerable devices to phase out,” warned lead author Junming Chen. Attackers can still exploit older iPhones, iPads, or unpatched third-party gadgets.
What Users Can Do
- Update devices immediately to iOS 18.2 or later.
- Limit Bluetooth use when privacy is critical—though attackers may bypass this.
- Monitor unknown devices in Find My app settings.
While Apple continues to secure its ecosystem, the nRootTag flaw highlights the delicate balance between convenience and security in connected networks.
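For teams that monitor Bluetooth in sensitive spaces, the symptom described above (a non-Apple device broadcasting AirTag-style frames) can be checked for in captured advertisements. The following is an added example, not code from the researchers or Apple; it assumes the lost-item frame layout known from public reverse-engineering of the Find My protocol (Apple company ID 0x004C, sub-type 0x12, length 0x19) and that a device advertises from its inventoried address, and all function names, addresses, asset names and payloads are constructed.

```python
APPLE_COMPANY_ID = 0x004C     # Bluetooth SIG company identifier assigned to Apple
AD_MANUFACTURER = 0xFF        # AD type "Manufacturer Specific Data"
OF_TYPE, OF_LEN = 0x12, 0x19  # assumed lost-item sub-type and its 25-byte length


def ad_structures(payload: bytes):
    """Yield (ad_type, data) per length-prefixed AD structure; stop on malformed input."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            return  # padding or truncated record: never read past the buffer
        yield payload[i + 1], payload[i + 2:i + 1 + length]
        i += 1 + length


def has_lost_item_frame(payload: bytes) -> bool:
    """True if the advertisement carries an Apple lost-item (offline finding) item."""
    for ad_type, data in ad_structures(payload):
        if ad_type != AD_MANUFACTURER or len(data) < 2:
            continue
        if int.from_bytes(data[:2], "little") != APPLE_COMPANY_ID:
            continue
        body, j = data[2:], 0
        while j + 2 <= len(body):  # Apple data is a run of type/length/value items
            item_type, item_len = body[j], body[j + 1]
            if (item_type, item_len) == (OF_TYPE, OF_LEN) and j + 2 + item_len <= len(body):
                return True
            j += 2 + item_len
    return False


def flag_managed_emitters(observations, managed_assets):
    """Return sorted (address, asset name) for inventoried non-Apple hosts emitting the frame."""
    hits = {(addr, managed_assets[addr]) for addr, payload in observations
            if addr in managed_assets and has_lost_item_frame(payload)}
    return sorted(hits)


# Constructed sample data (addresses, names and payload bytes are made up).
LOST_ITEM = bytes([0x1E, 0xFF, 0x4C, 0x00, 0x12, 0x19]) + bytes(25)
OTHER_APPLE = bytes([0x0A, 0xFF, 0x4C, 0x00, 0x10, 0x05]) + bytes(5)
CAPTURE = [
    ("AA:BB:CC:00:00:01", LOST_ITEM),                  # managed TV mimicking a tag
    ("AA:BB:CC:00:00:02", OTHER_APPLE),                # Apple frame, different sub-type
    ("AA:BB:CC:00:00:03", bytes([0x02, 0x01, 0x06])),  # ordinary flags-only advert
    ("AA:BB:CC:00:00:04", LOST_ITEM[:5]),              # truncated record
    ("AA:BB:CC:00:00:09", LOST_ITEM),                  # not in inventory: ignored here
]
ASSETS = {"AA:BB:CC:00:00:01": "lobby-tv", "AA:BB:CC:00:00:02": "kiosk-1",
          "AA:BB:CC:00:00:03": "laptop-7", "AA:BB:CC:00:00:04": "console-2"}
```

A hit means an inventoried laptop, TV or console is advertising as a lost tag, which is a reason to isolate and examine that host rather than a verdict on its own.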
Key Takeaway
This exploit underscores how default-enabled features in widely used apps can become unintended surveillance tools. Vigilance and prompt updates are essential as cyberthreats evolve.