Bypassing Apple’s AirTag Security

A Berlin-based company has developed an AirTag clone that bypasses Apple’s anti-stalker security systems. Source code for these AirTag clones is available online.

So now we have several problems with the system. Apple’s anti-stalker security only works with iPhones. (Apple wrote an Android app that can detect AirTags, but how many people are going to download it?) And now non-AirTags can piggyback on Apple’s system without triggering the alarms.

Apple didn’t think this through nearly as well as it claims to have. I think the general problem is one that I have written about before: designers just don’t have intimate threats in mind when building these systems.

Posted on February 23, 2022 at 6:28 AM • 16 Comments

Comments

Jason Keirstead February 23, 2022 6:56 AM

The core issue here is that a primary use case for people purchasing AirTags is theft prevention, and for that use case, the anti-stalking features of an AirTag are not desired, and actually negate it – alerting a thief that the thing they are stealing has a tracking device to be removed is definitely not something that you want to be doing.

The fact that Apple does not market or endorse AirTags for theft prevention, does not change why people are actually buying them. If Apple pushes too hard against that use case, then no one will buy AirTags anymore and people will just move to another platform that does fill that use case (which will then once more be able to be used for stalking, because these two use cases are perpetually at odds).

Gordon February 23, 2022 7:37 AM

The reporting on airtags feels like the reporting on COVID variant detection. Those with the best detection get the blame.

Apple have the only meaningful anti-stalker features, so get dumped on when they detect stalking. In fact, the only reason we hear about Apple tags being used for stalking is from the cases where the stalker detection worked.

Tile has been in the business for years, but has no similar feature, so no one complains about stalk by tile.

Samsung tag can check for stalking, but you have to actively check for being tracked.

So who should we be worried about? The few people who produce custom hardware and software to track over Apple’s ‘find my’ network, or a typical deranged ex-boyfriend who just buys a tile or Samsung tag, safe in the knowledge that there is next to no chance they will be caught electronically.

Roger February 23, 2022 7:58 AM

Apple simply took what Tile was doing and integrated it better into the iOS ecosystem. Apple even improved upon the design by adding anti-stalking features; but yet Apple is the bad actor here. Why weren’t these issues ever reported when Tile had the market share? Oh yeah, they didn’t report stalking attempts so for the most part they went undetected.

Apple really should be praised for bringing the stalking issues to light. There are several other, even cheaper, solutions on the market for stalking — but no one is talking about those. Is it really just easier to attack the well known company in the room and ignore the other bad actors?

Lukas February 23, 2022 8:05 AM

“designers just don’t have intimate threats in mind”

I’d guess that most people on that team were never victims of this type of threat.

“So who should we be worried about?”

This is a question of scale, right? Anyone can go to Aliexpress and order a small GPS tracker, but who actually does that? Very few people. But Apple makes this type of thing accessible to a lot of people (that is, in fact, one of their primary strengths), so suddenly a niche issue becomes a major mainstream problem.

Ted February 23, 2022 10:04 AM

If the ‘Find My’ network is this open to abuse, this has to be a serious liability for Apple.

The fact that Apple is rolling out anti-stalking feature after anti-stalking feature – ALL with holes and blind spots – should signal this product is not as safe as the community requires. Being one of the largest retailers puts them in a unique position of having greater market recognition and impact.

As Bruce and Karen said in their paper:

But if the use of a device increases privacy risk to another person who is not the direct customer, the interests of that person must be protected as well.

The paper also references a 2014 NPR survey of 72 domestic violence shelters. 85% of those shelters had helped victims whose abusers tracked them using GPS. This is before cheap and ubiquitous AirTags were even on the market. We know the threat is real and should absolutely weigh on decision-making about this product.

Clive Robinson February 23, 2022 10:31 AM

@ Bruce, ALL,

Apple didn’t think this through nearly as well as it claims to have.

The designers probably did, but they were probably overruled.

I’m no fan of Apple, in fact the opposite, and dishing the dirt by the dumper truck full might be fun.

But what this tells me is that people are criticizing without actually thinking it through themselves.

Ask yourself the simple question,

“From the technical side, what is the difference between finding lost property and stalking an individual?”

The answer is “absolutely none”.

That might surprise a few, but think it through… That is, the purpose of the system is,

“That a person wants to know where an object is that they don’t know the location of, but had it adjacent to them at one point.”

The more valuable the object is to a person the more likely they are to “tag it” when they have it to hand.

Now ask yourself the question, “Does the tag know or care if the object is luggage or a human being?”

The answer is it does not, nor can it.

Now further consider what one of these tags really is… Now compare it to a phone.

The mobile phone you carry in your pocket is in basic function identical to the way all these tag systems work.

So “What is the difference between having a mobile phone in your pocket, a fitness band around your wrist, or an air tag on your keys in your pocket?”

The answer is again none; they all are radio frequency beacons giving up the position of the object they are attached to.

So all this OMG AirTag is StalkersRus panic is rather silly, because all of the previously mentioned bits of technology are “trackers by design” as well.

As for cost, the AirTags are ludicrously expensive. I can buy over the counter a brand new 2G small phone in the UK for about 1/3rd the price of an AirTag. I don’t need to register it with anyone as I can get a SIM for as little as £3 in a corner shop or supermarket and put it in.

The only hard bit is getting the software onto the phone that will reply to an SMS with the location data. But if you know where to look you can download it.

Alternatively look up “fleet management” systems, you can get a SIM for 2G that is custom designed to turn any mobile device it is put into into a tracker. You can buy such SIMs ten at a time for very little.

Oh and remember the US has admitted quite publicly “We kill by meta-data” that is by mobile phone location getting a HellFire dropped on it, if that is not “ultimate stalking” I really do not know what is…

Oh and as Russia is kicking off at the moment, what about that rebel leader using a SatPhone that got a cruise missile dropped on him? The one that allegedly made Osama Bin Laden not just give up his SatPhone but all mobile phones and much else besides (including the Internet and cable television that give meta-data).

Apple’s AirTags are just one of over a thousand devices the meta-data of which, can if you let them give up your location and movements… Even that Smart Meter you have in the utility closet, can tell people way way more about you than you would want them to know…

For instance an LCD or similar display by its power usage leaks data about what is on the screen. Say you are watching a movie on your computer that is plugged into the wall socket, then enough of a “Dynamic Power Signature” is given out for the film to be identified.

Thus if you are watching some “illegal” film that the authorities have the dynamic power signature for then you are “dead in the water”. So if you are going to China don’t let your kids take their “Winnie the Pooh” films on the laptop,

https://www.theguardian.com/world/2018/aug/07/china-bans-winnie-the-pooh-film-to-stop-comparisons-to-president-xi

Freezing_in_Brazil February 23, 2022 12:44 PM

Regarding Bruce’s seminal article on the privacy in the intimate [or perhaps immediate] sphere, I had the pleasure to read it when it came to light, and have incorporated those aspects in my practice ever since.

I agree that these aspects can be easily overlooked. That is one thing we need to talk about more often.

JonKnowsNothing February 23, 2022 1:02 PM

re: Tracking Use Case A

The Missing Spouse Case:

In a recent MSM human interest article, the journalist got permission from their spouse to put an Apple tracker on them for a week as part of a civilian test.

When the week was up, they exchanged information.

The tracked spouse was surprised at the details of all the places they had been followed including the loo.

The tracked spouse proudly demonstrated that they found the 2 trackers on day 1. The journalist showed the tracked spouse where the 3rd tracker was.

LoJack for Errant Spouses.

The Missing Beehive Case:

Bees and beehives are a very common theft target, especially in rural areas. Bee Keepers rent out the hives to orchard owners to pollinate their trees. They are also rented out to farmers who need fields pollinated.

It’s not the average schmoe that steals beehives. Some keepers have lost 500 beehives in a season. That means those farm fields and orchards don’t get pollinated, and that impacts the entire food supply chain.

Some beekeepers have started putting tracker-GPS tags in their hives to find them after someone with beekeeping gear and a forklift has perma-borrowed the hives.

LoJack for Beehives.

Ted February 23, 2022 3:29 PM

@Clive

I don’t know that I’d give up on limiting the abilities of devices to track (or stalk) people just because that possibility is out there. Every company has degrees of responsibility for its products and services.

The GDPR protects data and privacy. Agencies like the Consumer Product Safety Commission protect consumers from unreasonable risks of injury or death. How many people have to be shaking-scared or worse before the risks here are unreasonable?

Remember Apple has close to 60% of the US smartphone market. That’s a lot of potential AirTag users. On the flip side, that’s a lot of Android users who can’t detect AirTags by default…

Ted February 23, 2022 3:30 PM

… What’s even crazier is that people are now more aware of the nuts and bolts of this ecosystem – including the workings of technologies like the ‘Find My’ network. And we now know of at least one researcher who is publishing proof-of-concepts for connecting to it in ways that bypass anti-stalking safeguards.

It’s not even just original AirTags we have to worry about, but also modified AirTags and clones. How is Apple going to deal with these exposures? If you think they won’t have to address it, all it takes is one lawsuit.

This honestly seems like a whole can of worms. I doubt the people who have been inappropriately tracked quit thinking about these risks.

Clive Robinson February 23, 2022 4:17 PM

@ Ted,

I don’t know that I’d give up on limiting the abilities of devices to track (or stalk) people just because that possibility is out there.

You’ve kind of missed the point.

No matter how you implement the technology it can be used in many ways.

Technology is an “enabler” not a “director” of the use to which it is put.

I’ve made this point repeatedly in the past but I will go through it again.

1, The technology is an “enabler” of an “action” to be performed.
2, The “use” of that action is decided by the “Directing mind”.
3, It is the third party “observer” who decides if the use is “good or bad”.

In this case the technology “enables the tracking of objects” it is attached or adjacent to. The technology has,

1, No knowledge of the object.
2, No choice in what use, it is put to.

The person who decides the use is the directing mind, it has three things the technology does not,

1, A “Point of view”(PoV)
2, The “agency to act”
3, The “choice” to act or not

Whilst the Directing mind might decide if some use is good or bad, they rarely do, as the use is predicated by their PoV or the PoV of someone at a higher pay grade.

It is the observer who really is the arbiter on “good or bad” and they are fickle beyond human understanding.

That is they are driven by three things,

1, The current mores of Society
2, Ethics
3, Morals

All of which are “malleable” in the extreme. So in the past this has given rise to some codification we call legislation and regulation. And all too often due to the malleability both are actually quite bad.

It’s why I say,

To try to solve societal issues with technology will almost always fail to deliver the desired outcomes.

Politicians willfully ignore this, and the result is legislation that is,

1, Inappropriate
2, Unworkable
3, Way too broad in scope

The latter is why just about everyone in the USA commits felonies they can be imprisoned for several times a day.

Because,

Every time a power is created,
It will be abused by a Directing mind with an agenda.

That is the way of the world, and our rapid progress in technology just makes “abuse by agenda” so very much easier for those in positions of power. Which is the “trap” that we as a society with a love of technology as,”status symbols” are “sleep walking into”.

But don’t take my word for it do a little research on the likes of “Prosecutorial Overreach” and oh so much more.

DancingDaisy February 23, 2022 5:03 PM

Include women and actually listen to women during the design process. And don’t retaliate because they dared to mention how ubiquitous stalking is. And have to repeat it when not taken seriously.

Clive Robinson February 23, 2022 9:16 PM

@ DancingDaisy,

Include women and actually listen to women during the design process.

For much of my professional life I’ve tried to encourage women into STEM especially engineering, that has pitifully few in a per capita comparison with Science, Technology and Maths.

The sad fact is few women want to be engineers. Of those that do they quickly realise that better hours, more money and better opportunities are to be found in Technology, or management.

But I’m into my fifth decade of being an engineer and failed scientist, neither engineering nor science are what they were, most of my generation and younger think more of the sharp mind than they do of social roles. Oddly perhaps Technology which attracts more women is in a lot of places as backwards if not worse than engineering and science were in the late 1970’s.

I know some of the reasons why this is and I guess some will not be surprised to hear me say there is a very definite correlation with such bad social graces and the inability of people to produce quality –that is reliable, available and secure– code.

Likewise some know I take a very dim view on certain code development methodologies and I’m not alone in this view.

Much of the problem in Technology is actually “management” who know next to nothing about technology and engineering, as for maths and science, I’m not sure they ever grasped it in K12 education.

The idea that shouting, making threats, abusive comments and strutting around gets results faster is unfortunately highly prevalent in some managers, and it is undesirable anywhere.

If you have the misfortune to have such a manager somewhere above you in the organisational hierarchy, my advice to anyone is leave discreetly but quickly.

Which brings us onto,

And don’t retaliate because they dared to mention how ubiquitous stalking is.

It’s a shock to some, to find out just how many engineers got bullied at school, and “stalking” is just one of a bully’s repertoire of actions. More so now that technology makes it so easy.

Sadly for some in technology and engineering they take bullying as “normal” and thus do not really recognise it for what it is, and certainly do not stand up against it as others would.

The problem though is as I’ve said above, technology is neither “good or bad” it’s just an enabler for others to use for their own purposes.

The problem with “tracking” is that as a technology it’s fundamental in just about every other form of modern communications. If you don’t have tracking then you do not have the Internet, fixed point or mobile communications and everything that is reliant on them which is just about every interactive device you can put your hand on.

Humans are actually defined by their ability to communicate non rudimentary ideas and knowledge, nearly everything we have is based on it directly or indirectly.

If you were to turn tracking off then all of that would cease to happen. Which means cities would not be possible nor would suburbs, as infrastructure is absolutely reliant on it. In fact not much of anything except what was before the way we lived a couple of hundred years ago when rapid communications involved flags or those who were fleet of foot or at least their horses were.

Knowing this requires knowledge of history, as it is not part of “on the job training” nor many “degree courses” it is neglected. Because we neglect it we fail to understand the lessons history can teach us. So we are either unaware or think despite the historic evidence that this turn of the wheel will be different… And so the wheel turns again only faster this time.

Because “tracking” can not be stopped, “stalking” can not be stopped.

There is a myth about murder, that somehow removing the technology used –guns, knives– somehow magically people will stop killing each other. Well people get killed with anything a murderer cares to use including their bare hands, because murder and wholesale killing in war, certainly predates guns, and even bladed weapons. The only reason “stalking” as we currently view it has arisen is “social changes”. What we do know is all the crimes of violence associated with stalking, were happening back when we lived in tribes at the start of what we now regard as farming, and probably a lot longer before that but is unknown due to the lack of historical evidence of nomadic hunter gatherers.

Stalking like murder is actually a “social issue” not a “technology issue”, all technology has done is made the underlying principle of “tracking” more obvious and in some scant cases visceral.

Good luck trying to fix those social issues, because that is the only way you are going to stop stalking and still allow for privacy that society as we currently know it absolutely relies on. But even with 100% surveillance, people will still murder and commit other social crimes against individuals, because for some it comes built in and a lack of impulse control is all that is needed for them to commit such acts.

David Sturt February 28, 2022 4:03 AM

There you said it @Clive Robinson, the STOP word. Reducing the availability of technology used to kill is not to stop murders but to reduce the number of murders and accidental killings. Same thinking applies in many areas of life. If you make things easier people are more likely to do that thing. That’s fantastic for things that are beneficial with no harmful side effects, but in other cases it takes more thought to make the beneficial thing easier and the harmful thing more difficult.

Clive Robinson February 28, 2022 6:57 AM

@ David Sturt,

but in other cases it takes more thought to make the beneficial thing easier and the harmful thing more difficult.

And quite often that is not possible to do in technology.

So you have to do it socially, by the likes of “pricing” and “availability” that restrict the ability to “obtain and use”.

As I’ve said you can buy a phone “no questions asked” that is very small, and acquire either a “Test SIM” of which there are many, or more easily wander into a supermarket and take a SIM off the rack and pay less than $5 for a few weeks service. Put a “tracker” on it and you are ready to play. If you need to top it up just pay cash in any one of thousands of corner shops.

The base requirements of most mobile phone and similar consumer services is “Your device has to be tracked to function”…

So the only real question on that is who gets access to the location data, how and most importantly how current it is… And the answer will shock most people rather more than this up in the air over AirTags…

For some things like the human mind, when it’s broken beyond repair what choices do you have as a society?

Morgan H March 23, 2023 2:19 PM

The sad thing is, it seems like they could’ve made this attack a lot harder to pull off just by having the Airtags send an Apple-signed certificate instead of a bare public key. Somebody would then need to have access to a significant number of Airtags in order to perform this key-rotation technique, which isn’t impossible but does significantly raise the cost barrier.
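A small Python model of the design point in the comment above, added here as an illustration; it is neither Apple’s protocol nor the clone’s published code, and every detail of it (the safe-prime Schnorr group standing in for the real signature scheme, the “distinct locations seen with one identity” heuristic, the threshold, the round-robin clone) is an assumption of the model. It contrasts a phone that accepts any bare beacon key, which a clone defeats by minting a fresh key per sighting, with a phone that requires an issuer-signed certificate over the key and counts sightings per certificate serial: the self-keyed clone is dropped outright, and a clone that cycles harvested certificates needs about n_locations/(threshold − 1) of them to stay under the alert threshold.

```python
"""Toy model: bare beacon keys vs. issuer-certified beacon keys.
Added example; not Apple's protocol, not the clone's code.
Every detail is a modelling assumption (see lead-in)."""
import hashlib
import random
from collections import defaultdict

RNG = random.Random(2022)  # deterministic toy randomness, never for real keys


def is_probable_prime(n, rounds=16):
    """Miller-Rabin; good enough for a toy group."""
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=64):
    """Safe-prime group p = 2q + 1; g = 4 generates the order-q subgroup."""
    while True:
        q = RNG.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4


def h_int(*parts):
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")


def keygen(grp):
    p, q, g = grp
    x = RNG.randrange(1, q)
    return x, pow(g, x, p)


def sign(grp, x, msg):
    """Schnorr signature, standing in for the issuer's real scheme."""
    p, q, g = grp
    k = RNG.randrange(1, q)
    e = h_int(pow(g, k, p), msg) % q
    return e, (k - x * e) % q


def verify(grp, y, msg, sig):
    p, q, g = grp
    e, s = sig
    return h_int(pow(g, s, p) * pow(y, e, p) % p, msg) % q == e


def issue_cert(grp, issuer_sk, serial, beacon_pub):
    """Issuer binds a tag's beacon key to a serial number."""
    cert = (serial, beacon_pub)
    return cert, sign(grp, issuer_sk, cert)


def run_phone(broadcasts, grp=None, issuer_pk=None, threshold=3):
    """Simulated phone over (location, beacon_pub, cert, sig) broadcasts.
    Bare mode (issuer_pk None): identity is the raw key, anything accepted.
    Cert mode: drop anything without a valid issuer signature over
    (serial, beacon_pub); count sightings per serial, not per key.
    Returns (flagged identities, number of dropped broadcasts)."""
    seen, dropped = defaultdict(set), 0
    for loc, pub, cert, sig in broadcasts:
        if issuer_pk is None:
            ident = pub
        elif cert and cert[1] == pub and verify(grp, issuer_pk, cert, sig):
            ident = cert[0]
        else:
            dropped += 1
            continue
        seen[ident].add(loc)
    return {i for i, locs in seen.items() if len(locs) >= threshold}, dropped


def clone_broadcasts(grp, certs, n_locations):
    """Key-rotating clone: a fresh self-made key per location when it holds
    no certificates, otherwise it can only cycle the (cert, sig) pairs it
    holds (in a real system reading the reports would also need each tag's
    private key, so 'harvested' means tags the attacker actually owns)."""
    out = []
    for loc in range(n_locations):
        if certs:
            cert, sig = certs[loc % len(certs)]
            out.append((loc, cert[1], cert, sig))
        else:
            out.append((loc, keygen(grp)[1], None, None))
    return out


def certs_needed_to_evade(n_locations, threshold):
    """Round-robin over n certs gives each serial ceil(n_locations/n)
    sightings; evasion needs that strictly below the threshold."""
    return -(-n_locations // (threshold - 1))


def demo(n_loc=6):
    grp = make_group()
    issuer_sk, issuer_pk = keygen(grp)
    _, pub = keygen(grp)  # genuine tag: one key for the whole journey
    cert, sig = issue_cert(grp, issuer_sk, 1, pub)
    genuine = [(loc, pub, cert, sig) for loc in range(n_loc)]
    rogue = clone_broadcasts(grp, [], n_loc)  # clone with self-made keys
    harvested = [issue_cert(grp, issuer_sk, s, keygen(grp)[1]) for s in (2, 3, 4)]
    return {
        "bare_genuine": run_phone(genuine),
        "bare_rogue": run_phone(rogue),
        "cert_genuine": run_phone(genuine, grp, issuer_pk),
        "cert_rogue": run_phone(rogue, grp, issuer_pk),
        "cert_two": run_phone(clone_broadcasts(grp, harvested[:2], n_loc), grp, issuer_pk),
        "cert_three": run_phone(clone_broadcasts(grp, harvested, n_loc), grp, issuer_pk),
    }
```

Running demo() shows the bare-key phone flagging the genuine tag but never the rotating clone, while the certificate-checking phone drops all six rogue broadcasts, still flags the genuine tag, flags a clone cycling two harvested certificates, and is only evaded once the clone holds three. The model says nothing about how often a real tag rotates keys or how Apple’s alert actually works; its point is only that the unit the detector counts must be something the attacker cannot mint for free.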
