Apple AirTag and other tagging devices add to CISO worries

We tag content, devices and our belongings. Tagging is ubiquitous today, in early 2022, but it wasn’t always the case.

Stepping back into history, the late 1990s and early 2000s saw the unsavory side of competitive intelligence in Silicon Valley, with companies having their trash dumpsters siphoned for useful information, pretext calling to elicit inside information, and the wholesale theft of electronic devices. Stories ad infinitum exist of teams finishing an engineering meeting and heading down to Chevy’s for dinner and putting their laptops in the trunk of the vehicle and heading into the eatery, only to find the trunk had been jacked and all the laptops missing. Same at the local sports fields, parents would arrive, throw their bag/device into the trunk only to find it gone when they returned. Such was the frequency both the San Jose and Milpitas police began placing signage in shopping centers reminding individuals to take their belongings with them.

CISOs were stuck doing damage assessment, then damage control.

The quick fix to the above was security awareness briefings, local police awareness programs, and ensuring laptops were using full-disk encryption so that the loss of laptops was an accounting exercise and not a data loss event.

The good and bad of tagging and tracking

Apple and others have long had the ability to track one’s devices with various riffs on the “Find My” app, which when activated seeks out the location of a missing device. More often than not the device is in another room.

On April 20, 2021, Apple introduced the AirTag, the small disk, about the size of a quarter, which is designed to be an “accessory that provides a private and secure way to easily locate the items that matter most.” The AirTags went live on April 30 and while the technology of tagging is not new by any stretch of the imagination, it has taken off in directions that Apple may not have foreseen when they hit the retail “go button.”

If “find my device” or AirTags existed at the turn of the century, the ability to trace one’s bag, purse, key chain, and devices may have allowed the unscrupulous to have been identified forthwith and the loss of trade secrets reduced or mitigated.

Other devices that operate in a similar fashion to that of the AirTag are available. Yet all is not roses in the tagging world.

The ability to drop a tag into a target’s person or vehicle has enhanced the criminal elements’ ability to conduct surveillance of individuals of interest and enhanced their ability to track their target. Such is the frequency of individuals receiving “Unknown Accessory Detected” advisory on their phones, that police departments are issuing advisories on how to discern whether the warning is simply the user’s device syncing via Bluetooth with another device or if in fact an unexpected device such as an AirTag has been planted. (The police recommend accessing the Apple safety message, hitting “continue” and then “play sound” to locate the AirTag).

Within weeks of the AirTag being released to the market, the Washington Post did a test on how easy it is to stalk an individual without their knowledge. In their test, the tag was dropped into the target’s bag and the tag was tracked over the course of multiple days. In their test, the iPhone alerted the target that an unknown device was moving with them, but had the target been using an Android device, there would not have been such an alert available. The Washington Post piece points out that Apple is fine-tuning its security while pointing out that Tile (another tagging device) has done nothing.

On the other side of the coin is the use of the AirTag to track items you don’t want lost. Like one’s household effects which were professionally moved from Colorado to New York, when a service member and family were reassigned. The owner, a military spouse, placed the AirTag into one of the boxes so that she could track the movement of the shipment by the moving company. What she discovered was that the moving company’s driver’s updates were not matching the data she was obtaining from her AirTags and from the company.

Tagging abuse another concern for CISOs

CISOs can easily extrapolate from these examples how the use of tags is a double-edged sword. Misuse in the workplace is relatively easy, with employees, vendors and competitors easily able to track employees, vehicles, and items. Similarly, employers could use tags to track individual employees’ or contractors’ movements, which may be unethical or desirable depending on the circumstances.

When used effectively, tags can reduce pilferage of devices and independently track shipments of sensitive cargo. In-transit theft is a reality, as evidenced by the wholesale theft of items from train cars in the Los Angeles area. Knowing where your item is physically located, independent from a third party with the responsibility for safeguarding the item, provides a degree of independent checks by the customer.

Tags provide, as the Russian proverb goes, an ability to “trust, but verify.”