Tagging devices such as Apple's AirTag can be misused by employees, criminals, and competitors to track people and devices in a way that puts organizations at risk. We tag content, devices and our belongings. Tagging is ubiquitous today, in early 2022, but it wasn’t always the case.Stepping back into history, the late 1990s and early 2000s saw the unsavory side of competitive intelligence in Silicon Valley, with companies having their trash dumpsters siphoned for useful information, pretext calling to elicit inside information, and the wholesale theft of electronic devices. Stories ad infinitum exist of teams finishing an engineering meeting and heading down to Chevy’s for dinner and putting their laptops in the trunk of the vehicle and heading into the eatery, only to find the trunk had been jacked and all the laptops missing. Same at the local sports fields, parents would arrive, throw their bag/device into the trunk only to find it gone when they returned. Such was the frequency both the San Jose and Milpitas police began placing signage in shopping centers reminding individuals to take their belongings with them.CISOs were stuck doing damage assessment, then damage control. The quick fix to the above was security awareness briefings, local police awareness programs, and ensuring laptops were using full-disk encryption so that the loss of laptops was an accounting exercise and not a data loss event. The good and bad of tagging and trackingApple and others have long had the ability to track one’s devices with various riffs on the “Find My” app, which when activated seeks out the location of a missing device. More often than not the device is in another room.On April 20, 2021, Apple introduced the AirTag, the small disk, about the size of a quarter, which is designed to be an “accessory that provides a private and secure way to easily locate the items that matter most.” The AirTags went live on April 30 and while the technology of tagging is not new by any stretch of the imagination, it has taken off in directions that Apple may not have foreseen when they hit the retail “go button.” If “find my device” or AirTags existed at the turn of the century, the ability to trace one’s bag, purse, key chain, and devices may have allowed the unscrupulous to have been identified forthwith and the loss of trade secrets reduced or mitigated.Other devices that operate in a similar fashion to that of the AirTag are available. Yet all is not roses in the tagging world.The ability to drop a tag into a target’s person or vehicle has enhanced the criminal elements’ ability to conduct surveillance of individuals of interest and enhanced their ability to track their target. Such is the frequency of individuals receiving “Unknown Accessory Detected” advisory on their phones, that police departments are issuing advisories on how to discern whether the warning is simply the user’s device syncing via Bluetooth with another device or if in fact an unexpected device such as an AirTag has been planted. (The police recommend accessing the Apple safety message, hitting “continue” and then “play sound” to locate the AirTag). Within weeks of the AirTag being released to the market, the Washington Post did a test on how easy it is to stalk an individual without their knowledge. In their test, the tag was dropped into the target’s bag and the tag was tracked over the course of multiple days. In their test, the iPhone alerted the target that an unknown device was moving with them, but had the target been using an Android device, there would not have been such an alert available. The Washington Post piece points out that Apple is fine-tuning its security while pointing out that Tile (another tagging device) has done nothing.On the other side of the coin is the use of the AirTag to track items you don’t want lost. Like one’s household effects which were professionally moved from Colorado to New York, when a service member and family were reassigned. The owner, a military spouse, placed the AirTag into one of the boxes so that she could track the movement of the shipment by the moving company. What she discovered was that the moving company’s driver’s updates were not matching the data she was obtaining from her AirTags and from the company.Tagging abuse another concern for CISOsCISOs can easily extrapolate from these examples how the use of tags is a double-edged sword. Misuse in the workplace is relatively easy, with employees, vendors and competitors easily able to track employees, vehicles, and items. Similarly, employers could use tags to track individual employees’ or contractors’ movements, which may be unethical or desirable depending on the circumstances. When used effectively, tags can reduce pilferage of devices and independently track shipments of sensitive cargo. In-transit theft is a reality, as evidenced by the wholesale theft of items from train cars in the Los Angeles area. Knowing where your item is physically located, independent from a third party with the responsibility for safeguarding the item, provides a degree of independent checks by the customer.Tags provide, as the Russian proverb goes, an ability to “trust, but verify.” Related content interview Strong CIO-CISO relations fuel success at Ally CIO Sathish Muthukrishnan and CISO Donna Hart have forged a partnership steeped in Ally’s culture of radical candor that keeps the financial services firm secure and innovative. By Dan Roberts May 09, 2024 9 mins CIO CSO and CISO IT Leadership news Zscaler shuts down exposed system after rumors of a cyberattack Initially dismissing rumors, Zscaler now says it did have a system exposed but nothing important has been accessed. By Shweta Sharma May 09, 2024 3 mins Data Breach Cyberattacks news Palo Alto launches AI-powered solutions to fight AI-generated cyberthreats The suite is powered by Palo Alto’s proprietary solution, Precision AI, which integrates machine learning, deep learning, and generative AI technologies. By Prasanth Aby Thomas May 09, 2024 3 mins Generative AI Security Software news F5 patches BIG-IP Next Central Manager flaws that could lead to device takeover Two high-risk vulnerabilities could allow attackers to gain full administrative control on devices via leaked password hashes. By Lucian Constantin May 08, 2024 5 mins Threat and Vulnerability Management Cloud Security Vulnerabilities PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe