AirTag clone developed by researchers works around Apple's anti-stalking measures

AppleInsider

Security researchers have created a clone of Apple's AirTag, in a bid to prove to Apple that the device and the tracking protection features of the Find My network can be bypassed.

The AirTag has been the subject of numerous reports involving tracking and personal security, with it being used for thefts and stalking despite Apple including features to limit usage in that way. Following criticism over misuse, Apple said on February 10 it was to introduce several changes to the Find My network to address the stalking issue.

In a blog post published by security researcher Fabian Braunlein of Positive Security on Monday, several "quite obvious bypass ideas" for current and upcoming protection measures were published. Braunlein believes that all can be put into practice.

To test the assumption, a cloned AirTag was produced. The report claims that the stealth AirTag was able to track an iPhone user for over five days, without triggering any tracking notifications.

The researcher came up with ideas to thwart quite a few elements of Apple's planned changes, starting with Apple's claim that every AirTag has a unique serial number that is paired to an Apple ID. The concept doesn't apply here as the clone doesn't use an AirTag serial number, neither for hardware nor in software, and it was not paired with an Apple ID.

While Apple is decreasing the delay before the AirTag beeps from separation from a paired Apple device from over 3 days to between 8 and 24 hours, the clone works around it by not having a functional speaker. Furthermore, this aspect has already been defeated through the sale of AirTags that had their speakers removed or disabled.

On notifications to a potential stalking victim, Braunlein notes that Apple is trading off privacy in two ways. While it wants AirTags to be indistinguishable from others over Bluetooth to prevent identification of a specific tag, Apple also wants to be able to identify specific AirTags over time to determine between tags traveling with the user or one merely passing by.

In Braunlein's example workaround, a list of over 2,000 preloaded public keys was used, with one broadcast by the clone every 30 seconds.

For upcoming changes, items such as privacy warnings during setup, AirPods alert issue changes, and updated support documentation were deemed irrelevant to the clone. Precision Finding using Ultra Wideband is also not covered here, as the microcontroller used didn't include a UWB chip, so cannot be found in that way.

Making the clone

To build the clone itself, Braunlein based the system on OpenHaystack, a framework for tracing Bluetooth devices using the Find My network. Using an ESP32 microcontroller with Bluetooth support, a power bank, and a cable, a non-AirTag clone was created.

The AirTag clone made for the Positive Security project

The clone used a custom ESP32 firmware that constantly rotated public keys, sending out one periodically, with the list repeated roughly every 17 hours. However, it is thought that a common seed and derivation algorithm used on the clone and a Mac application used to track it could create a "virtually never-repeating stream of keys."

Furthermore, using an irreversible derivation function and overwriting the seed with the next round's output would make it impossible for law enforcement or Apple to get the tag's previously-broadcast public keys, even if they had physical access to the clone.

In testing, the Android Tracker Detect app did not show the cloned AirTag at all. AirGuard, an Android tool that could be used to scan for nearby Find My devices created by the TU Darmstadt lab behind OpenStack, was able to keep track of the cloned device, with it appearing multiple times due to the changing public key.

Five days of tracking data produced using the clone AirTag [via Positive Security]

Over the five days, the clone AirTag was able to be tracked, with the target shown at home and on occasional trips out from the home via a macOS tool modified for the project. Neither the subject nor an iPhone-owning roommate reported receiving any tracking alerts during the period.

A hope for change

In summing up the testing, Braunlein believes the main risk isn't in the AirTags themselves, "but in the introduction of the Find My ecosystem that utilizes the customer's devices to provide this Apple service." Since the current iteration of the Find My network cannot be limited only to AirTags and hardware that officially has permission to use the network, Braunlein thinks Apple should consider shoring up its security.

"They need to take into account the threats of custom-made, potentially malicious beacons that implement the Find My protocol, or AirTags with modified hardware," writes Braunlein. "With a power bank and ESP32 being cheaper than an AirTag, this might be an additional motivation for some to build a clone instead themselves."

The researcher concludes "While we don't encourage misuse, we hope that sharing this experiment will yield positive changes to the security and privacy of the Find My ecosystem."

Read on AppleInsider

rob53

Researcher or hacker? Makes me wonder whether they’re the same thing. 

maltz

rob53 said:

Researcher or hacker? Makes me wonder whether they’re the same thing. 

The activity is absolutely the same in the context of security.  Where they differ is in what they do with the fruits of their labor.

AKA White-Hat vs Black-Hat

sans

rob53 said:

Researcher or hacker? Makes me wonder whether they’re the same thing. 

I was about to say it all depends on what they do with the data. That got me thinking: wouldn't every "real" hacker also be a researcher of sorts? And that go be to right were you are.

techrider

Apple chose to get into this market. Now that it has, it seems to be leading in protecting Apple and non-Apple customers from potential misuse of AirTags. Clearly there is much more to do. All smartphone and tracking device makers need to protect their customers from misuse of their own and other tracking solutions.

rumpels

Apple should just stop manufacturing AirTags, and get out of that market entirely. AirTag makes as much sense as the round mouse on the 2001 iMacs.
It is true that airtags have better security than other devices of other brands. Other brands don’t even let people know they’re being stalked. Airtags do. However, people don’t really understand technology to use it correctly, so airtags letting people know they’re being stalked is backfiring as bad marketing for Apple instead. Too much drama.

chadbag

These researchers did not clone an AirTag.  Their findings have very little to do with actual AirTags.  They created their own "tracker" that uses the "Find My" service / network.  And maintain there are issues with it.  

beowulfschmidt

So this researcher proved that the Apple device can be modified so that it acts exactly as stealthily as every other tracker on the market?  How profound.

edited February 2022

rob53

rumpels said:

Apple should just stop manufacturing AirTags, and get out of that market entirely. AirTag makes as much sense as the round mouse on the 2001 iMacs.
It is true that airtags have better security than other devices of other brands. Other brands don’t even let people know they’re being stalked. Airtags do. However, people don’t really understand technology to use it correctly, so airtags letting people know they’re being stalked is backfiring as bad marketing for Apple instead. Too much drama.

I liked the round mouse!

if Apple got out of every product line where people didn’t understand the technology behind that product they wouldn’t have any products to sell. The majority of people rarely change from default settings so anything Apple can do to make things secure out of the box is helpful. As for drama, we deal with all sorts of drama every day so what’s new?

chadbag

beowulfschmidt said:

So this researcher proved that the Apple device can be modified so that it acts exactly as stealthily as every other tracker on the market?  How profound.

That is not what they did.   They didn't do anything to or with an AirTag.   The headline is extremely misleading.   The researchers created their own tracker, nothing to  do with Air Tags, except they both use Apple's "Find My" network, and then "proved" that the anti-stalking features couldn't work with their own tracker.   

mike1

chadbag said:

beowulfschmidt said:

So this researcher proved that the Apple device can be modified so that it acts exactly as stealthily as every other tracker on the market?  How profound.

That is not what they did.   They didn't do anything to or with an AirTag.   The headline is extremely misleading.   The researchers created their own tracker, nothing to  do with Air Tags, except they both use Apple's "Find My" network, and then "proved" that the anti-stalking features couldn't work with their own tracker.   

I was getting the same thing from the article, but wanted to reread before I posted.

To me, they lost all credibility when it said their tracker had no speaker. So it wasn't a clone.

cia

If you are honestly willing to jump through all these hoops to make a cloned AirTag, you REALLY have to want to make a cloned AirTag.

Instead of going through all those steps, you can just buy a cellular tracker off Amazon for under $100, pop in a pre-paid SIM (Bought with cash) and track someone that way.  No warnings ever.

chadbag

mike1 said:

chadbag said:

beowulfschmidt said:

So this researcher proved that the Apple device can be modified so that it acts exactly as stealthily as every other tracker on the market?  How profound.

That is not what they did.   They didn't do anything to or with an AirTag.   The headline is extremely misleading.   The researchers created their own tracker, nothing to  do with Air Tags, except they both use Apple's "Find My" network, and then "proved" that the anti-stalking features couldn't work with their own tracker.   

I was getting the same thing from the article, but wanted to reread before I posted.

To me, they lost all credibility when it said their tracker had no speaker. So it wasn't a clone.

Ignoring the speaker thing, the device doesn't show up as an AirTag it appears.  They had to track it with their own Mac app and a custom Android app using the open source library Open Haystack.  

If it could be used purely within Apple's system then it could be considered a clone of some sort.  Even without a speaker.  

I've read it twice and it seems they were piggy backing on the Find My network.  But how much is unclear and I am not familiar with the details of it.  Could their subject wander anywhere far away and still be tracked by all the iPhones out there uploading it's presence?   Anyway, it is not a clone of AirTag but their own design of a tracker that may share the same Find My system. 

robin huber

rumpels said:

Apple should just stop manufacturing AirTags, and get out of that market entirely. AirTag makes as much sense as the round mouse on the 2001 iMacs.
It is true that airtags have better security than other devices of other brands. Other brands don’t even let people know they’re being stalked. Airtags do. However, people don’t really understand technology to use it correctly, so airtags letting people know they’re being stalked is backfiring as bad marketing for Apple instead. Too much drama.

My $5000 worth of lost/stolen luggage coming home from Spain 3 years ago says otherwise. Swore I would never travel again without a tracker, praying that Apple would do one right. Tried Tile when it first came out years ago and found it wanting. Apple’s works great—sure wish I had it for Spain trip! It’s a great product with a perfect use case for me. Problems of misuse can be dealt with, just as they have been with other technologies. No baby with the bathwater, please. 

lkrupp

The media and security researchers have zeroed in on Apple as the focus of the stalking problem. They will keep pounding away at AirTags over everything else. Of course, stalking and tracking have been around for hundreds of years but when Apple is involved it’s a problem immediately. I have a close friend who visited the other day. He had just gotten an Watch for Christmas, we were talking about things, and I mentioned AirTags. The very first words out of his mouth were, “Oh, I read they’re being used to stalk people.” That’s all the general public knows at this point, AirTags are used to stalk people.

When a long time member here posted his prediction that Apple would be forced to pull AirTags from the market I chuckled at the thought like so many others here did. Now I’m not so sure anymore. Like the Google Glass debacle if the public gets the idea that AirTags are solely for stalking people then I think the prediction will come true. We are well on the way to demonizing AirTags as evil technology.

wmfork

A crucial difference between Apple's and the other's implementations is if you are an iPhone user and don't use AirTags, you may still be contributing to someone being stalked/vehicles being stolen (and what isn't clear to me is if you opt out of Find My Network, will you still be alerted of an unknown AirTag?)

Just think hard about that for a minute.

edited February 2022

chadbag

This has nothing to do with AirTags.  I wish AI would update their headline since it is incorrect.  

It has to do with being able to piggy back on the Find My network Apple runs (and AirTags use but so do many other things) and potential privacy/security holes on it.   I am not saying there isn't a story here, but rather that the story is not AirTags.  No one cloned an AirTag, based on the story.  They did make their own tracker that was usable on the Find My system. That is the story. 

david808

I remember a few years ago when some researcher "proved" that someone could "hack" Touch ID by cutting off someone's finger and using that to unlock a phone. Then, people were panicking about someone stealing a phone and cutting off your finger while at it.

 Unsurprisingly, the rash of phone and finger thefts never happened.  Yes, having a device that can track people is worrisome, but then again if someone really wanted to stalk you, all they'd have to do is to buy a cheap and untraceable GPS tracker from Amazon. The fact that Apple will hand over the name of an AirTag owner with a lawful request should put a stop to people eventually. 

mikethemartian

david808 said:

I remember a few years ago when some researcher "proved" that someone could "hack" Touch ID by cutting off someone's finger and using that to unlock a phone. Then, people were panicking about someone stealing a phone and cutting off your finger while at it.

 Unsurprisingly, the rash of phone and finger thefts never happened.  Yes, having a device that can track people is worrisome, but then again if someone really wanted to stalk you, all they'd have to do is to buy a cheap and untraceable GPS tracker from Amazon. The fact that Apple will hand over the name of an AirTag owner with a lawful request should put a stop to people eventually. 

All they have to do is use a burner iPhone and ID.

sunman42

sans said:

rob53 said:

Researcher or hacker? Makes me wonder whether they’re the same thing. 

I was about to say it all depends on what they do with the data. That got me thinking: wouldn't every "real" hacker also be a researcher of sorts? And that go be to right were you are.

No. Many people considered "hackers" by the popular media are just script kiddies, or people who, say, buy speakerless Air Tags on eBay.

bestkeptsecret

So essentially, create a tracker that does not have any of the AirTags safety/ accountability features like a unique ID, association with an Apple ID and a speaker, and then use the available Find My network and claim that the AirTags safety features are not enough? 

Does the researcher know that the Find My network is available for any tracker?

edited February 2022