Airtag clones can sidestep Apple anti-stalker tech

Open source + public key generation = no alerts, says infosec startup


An infosec startup says it has built an Apple Airtag clone that bypasses anti-stalking protection features while running on Apple's Find My protocol.

Source code for the clones were published online by Berlin-based infosec startup Positive Security (not to be confused with US-sanctioned cybersecurity outfit Positive Technologies), which said its tags "successfully tracked an iPhone user... for over five days without triggering a tracking notification."

The user consented, added Positive's Fabian Bräunlein in a blog post explaining his findings.

"In particular," said Bräunlein, "Apple needs to incorporate non-genuine AirTags into their threat model, thus implementing security and anti-stalking features into the Find My protocol and ecosystem instead of in the AirTag itself, which can run modified firmware or not be an AirTag at all."

The findings suggest that Apple's claims of the Find My protocol being "built with privacy in mind" fall short of the mark, with Positive Security spoofing the protocol by having an open-source device broadcast "2,000 preloaded public keys" as a way of fooling some anti-stalking protections.

The proof-of-concept device was kept with a volunteer user for five days, during which time it did not show on Apple's Tracker Detect app – while "location reports for the broadcasted public keys were uploaded and could be retrieved."

Airtags, originally conceived as a way of keeping track of luggage and similar portable items through Apple's Find My app, have been abused by stalkers in the past. Miscreants would drop Airtags into victims' bags or attach them to cars and then use the Find My app to view their precise locations.

Anti-stalking protections were hastily introduced by Apple recently; Airtags are supposed to sound an audible alarm and also send notifications to nearby iPhones announcing their presence.

This doesn't work with non-Apple phones, although Apple released an Android app capable of picking up these broadcasts. The BBC described Airtags last month as "a perfect tool for stalking."

In a 10 February statement Apple declared it was tightening up privacy protections in Airtags, adding "we condemn in the strongest possible terms any malicious use of our products."

Airtag spoofing has also spawned an open source project called OpenHaystack, which is described on its GitHub page as "an application that allows you to create your own accessories that are tracked by Apple's Find My network."

While the use cases presented by the project's creators (Technical University of Darmstadt) are benign, the Find My protocol (which operates over Bluetooth Low Energy) appears straightforward for unofficial devices to piggyback off.

It is unclear if Apple will look at the Find My protocol itself rather than tinkering around the edges with the proprietary devices it deploys to use that protocol. We've asked Apple for comment. ®

Similar topics


Other stories you might like

  • Workers win vote to form first-ever US Apple Store union
    Results set to be ratified by labor board by end of the week

    Workers at an Apple Store in Towson, Maryland have voted to form a union, making them the first of the iGiant's retail staff to do so in the United States.

    Out of 110 eligible voters, 65 employees voted in support of unionization versus 33 who voted against it. The organizing committee, known as the Coalition of Organized Retail Employees (CORE), has now filed to certify the results with America's National Labor Relations Board. Members joining this first-ever US Apple Store union will be represented by the International Association of Machinists and Aerospace Workers (IAM).

    "I applaud the courage displayed by CORE members at the Apple store in Towson for achieving this historic victory," IAM's international president Robert Martinez Jr said in a statement on Saturday. "They made a huge sacrifice for thousands of Apple employees across the nation who had all eyes on this election."

    Continue reading
  • Brave roasts DuckDuckGo over Bing privacy exception
    Search biz hits back at 'misleading' claims, saga lifts lid on Microsoft's web tracking advice

    Brave CEO Brendan Eich took aim at rival DuckDuckGo on Wednesday by challenging the web search engine's efforts to brush off revelations that its Android, iOS, and macOS browsers gave, to a degree, Microsoft Bing and LinkedIn trackers a pass versus other trackers.

    Eich drew attention to one of DuckDuckGo's defenses for exempting Microsoft's Bing and LinkedIn domains, a condition of its search contract with Microsoft: that its browsers blocked third-party cookies anyway.

    "For non-search tracker blocking (e.g. in our browser), we block most third-party trackers," explained DuckDuckGo CEO Gabriel Weinberg last month. "Unfortunately our Microsoft search syndication agreement prevents us from doing more to Microsoft-owned properties. However, we have been continually pushing and expect to be doing more soon."

    Continue reading
  • Apple may have to cough up $1bn to Brits in latest iPhone Batterygate claim
    Lawsuit took its time, just like your older iOS handset

    Another day, another legal claim against Apple for deliberately throttling the performance of its iPhones to save battery power.

    This latest case was brought by Justin Gutmann, who has asked the UK's Competition Appeal Tribunal (CAT) to approve a collective action that could allow as many as 25 million Brits to claim compensation from the American technology giant. He claims the iGiant secretly degraded their smartphones' performance to make the battery power last longer.

    Apple may therefore have to cough up an eye-popping £768 million ($927 million), Gutmann's lawyers estimated, Bloomberg first reported this week.

    Continue reading
  • Apple’s M2 chip isn’t a slam dunk, but it does point to the future
    The chip’s GPU and neural engine could overshadow Apple’s concession on CPU performance

    Analysis For all the pomp and circumstance surrounding Apple's move to homegrown silicon for Macs, the tech giant has admitted that the new M2 chip isn't quite the slam dunk that its predecessor was when compared to the latest from Apple's former CPU supplier, Intel.

    During its WWDC 2022 keynote Monday, Apple focused its high-level sales pitch for the M2 on claims that the chip is much more power efficient than Intel's latest laptop CPUs. But while doing so, the iPhone maker admitted that Intel has it beat, at least for now, when it comes to CPU performance.

    Apple laid this out clearly during the presentation when Johny Srouji, Apple's senior vice president of hardware technologies, said the M2's eight-core CPU will provide 87 percent of the peak performance of Intel's 12-core Core i7-1260P while using just a quarter of the rival chip's power.

    Continue reading

Biting the hand that feeds IT © 1998–2022