AirTag clone developed by researchers works around Apple's anti-stalking measures

Posted in General Discussion
Security researchers have created a clone of Apple's AirTag, in a bid to prove to Apple that the device and the tracking protection features of the Find My network can be bypassed.

The AirTag has been the subject of numerous reports involving tracking and personal security, with reports of it being used in thefts and stalking despite the features Apple built in to limit such use. Following criticism over misuse, Apple said on February 10 that it would introduce several changes to the Find My network to address the stalking issue.

In a blog post published on Monday, security researcher Fabian Braunlein of Positive Security laid out several "quite obvious bypass ideas" for both the current and the upcoming protection measures, and he believes all of them can be put into practice.

To test that assumption, a cloned AirTag was produced. The report claims that the stealth AirTag was able to track an iPhone user for over five days without triggering any tracking notifications.

The researcher came up with ways to thwart quite a few elements of Apple's planned changes, starting with Apple's claim that every AirTag has a unique serial number that is paired to an Apple ID. That concept doesn't apply here: the clone doesn't use an AirTag serial number, neither in hardware nor in software, and it was never paired with an Apple ID.

Apple is shortening the delay before an AirTag separated from its paired Apple device starts beeping, from over 3 days to between 8 and 24 hours, but the clone works around this simply by having no functional speaker. This measure has already been defeated in practice through the sale of AirTags that had their speakers removed or disabled.

On notifications to a potential stalking victim, Braunlein notes that Apple is trading off privacy in two directions. It wants every AirTag to be indistinguishable from the others over Bluetooth, so that a specific tag cannot be identified, yet it also needs to recognize a specific AirTag over time in order to distinguish a tag traveling with the user from one merely passing by.

In Braunlein's example workaround, the clone was preloaded with a list of over 2,000 public keys and broadcast a different one every 30 seconds.

Among the upcoming changes, items such as privacy warnings during setup, changes to the AirPods alert issue, and updated support documentation were deemed irrelevant to the clone. Precision Finding using Ultra Wideband is also not covered, as the microcontroller used has no UWB chip, so the clone cannot be located that way.

Making the clone

To build the clone itself, Braunlein based the system on OpenHaystack, a framework for tracking Bluetooth devices using the Find My network. The clone was assembled from an ESP32 microcontroller with Bluetooth support, a power bank, and a cable; no AirTag hardware was involved.

The AirTag clone made for the Positive Security project

The clone ran a custom ESP32 firmware that rotated through its public keys, broadcasting one at a time, with the list repeating roughly every 17 hours. However, a common seed and derivation algorithm shared between the clone and the Mac application used to track it could, Braunlein suggests, produce a "virtually never-repeating stream of keys."

Furthermore, using an irreversible derivation function and overwriting the seed with the next round's output would make it impossible for law enforcement or Apple to recover the tag's previously broadcast public keys, even with physical access to the clone.
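To make the trade-off described in the two passages above concrete, here is a small Python simulation added for this article. It is not Positive Security's or OpenHaystack's code, and the SHA-256 ratchet, the domain-separation prefixes and the sightings-counter detector are constructed assumptions rather than anything the article or Apple specify. It models a beacon that derives each broadcast identity from a seed with a one-way function and overwrites the seed every round, an owner-side receiver that recomputes the same identities from a shared seed, and a detector that alerts once a single identity has been seen a few times. The static beacon trips the detector; the rotating one never presents the same identity twice, which is why AirGuard saw the clone as many separate devices and why a per-identity heuristic cannot be the only signal a detector relies on. As a check on the article's numbers, 2,000 keys at one per 30 seconds is 60,000 seconds, about 16.7 hours, consistent with the "roughly 17 hours" repeat period.

```python
"""Constructed model of a seed-ratcheting beacon versus a per-identity detector."""
import hashlib
from collections import Counter

ROTATION_SECONDS = 30   # rotation period quoted in the article
ALERT_AFTER = 3         # constructed: sightings of one identity before the toy detector alerts


def ratchet_step(seed: bytes) -> tuple[bytes, bytes]:
    """One round of a one-way ratchet (constructed; SHA-256 is an assumption).

    Returns (broadcast_identity, next_seed). The two outputs use different
    domain-separation prefixes, so neither can be turned back into the seed
    that produced it, and the next seed reveals nothing about the current one.
    """
    identity = hashlib.sha256(b"identity|" + seed).digest()[:16]
    next_seed = hashlib.sha256(b"ratchet|" + seed).digest()
    return identity, next_seed


class RatchetBeacon:
    """Beacon whose only persistent state is the current seed."""

    def __init__(self, seed: bytes) -> None:
        self.seed = seed

    def advertise(self) -> bytes:
        # The previous seed is overwritten here; a later reader of the device
        # sees only the new seed and cannot recompute earlier identities.
        identity, self.seed = ratchet_step(self.seed)
        return identity


def receiver_identities(seed: bytes, rounds: int) -> list[bytes]:
    """What an owner-side receiver recomputes from the shared starting seed."""
    out = []
    for _ in range(rounds):
        identity, seed = ratchet_step(seed)
        out.append(identity)
    return out


def static_beacon(identity: bytes, rounds: int) -> list[bytes]:
    """A beacon that never rotates: the same identity every round."""
    return [identity] * rounds


def observe(identities: list[bytes], start: int = 0) -> list[tuple[int, bytes]]:
    """Constructed sightings as a bystander's phone might log them: (seconds, identity)."""
    return [(start + i * ROTATION_SECONDS, ident) for i, ident in enumerate(identities)]


def identity_counter_detector(sightings: list[tuple[int, bytes]],
                              alert_after: int = ALERT_AFTER) -> set[bytes]:
    """Flags any identity seen at least `alert_after` times.

    This heuristic needs a stable identity across observations, which is
    exactly the property the rotating beacon withholds.
    """
    counts = Counter(ident for _, ident in sightings)
    return {ident for ident, n in counts.items() if n >= alert_after}


if __name__ == "__main__":
    seed = b"constructed-seed-for-illustration"
    beacon = RatchetBeacon(seed)
    rotating = [beacon.advertise() for _ in range(2000)]
    print("distinct identities broadcast:", len(set(rotating)))
    print("flagged (rotating beacon):", identity_counter_detector(observe(rotating)))
    print("flagged (static beacon):", identity_counter_detector(observe(static_beacon(b"fixed-id", 2000))))
    print("owner receiver matches every broadcast:", receiver_identities(seed, 2000) == rotating)
    print("device still holds its starting seed:", beacon.seed == seed)
    print("hours covered by 2000 keys:", 2000 * ROTATION_SECONDS / 3600)
```

The receiver only needs the starting seed and a round count to stay in sync, which is the "common seed and derivation algorithm" idea; the detector, by contrast, has nothing stable to count. A detector that wants to catch such a beacon has to correlate on something other than the advertised identity, for example co-presence of any Find My advertisement across several locations, and that is precisely the privacy trade-off the article describes.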

In testing, the Android Tracker Detect app did not show the cloned AirTag at all. AirGuard, an Android tool for scanning for nearby Find My devices, created by the TU Darmstadt lab behind OpenHaystack, was able to keep track of the cloned device, although it appeared as multiple devices because of the changing public key.

Five days of tracking data produced using the clone AirTag [via Positive Security]

Over the five days, the clone AirTag could be tracked using a macOS tool modified for the project, which showed the target at home and on occasional trips out. Neither the subject nor an iPhone-owning roommate reported receiving any tracking alerts during the period.

A hope for change

In summing up the testing, Braunlein believes the main risk isn't in the AirTags themselves, "but in the introduction of the Find My ecosystem that utilizes the customer's devices to provide this Apple service." Since the current iteration of the Find My network cannot be limited only to AirTags and hardware that officially has permission to use the network, Braunlein thinks Apple should consider shoring up its security.

"They need to take into account the threats of custom-made, potentially malicious beacons that implement the Find My protocol, or AirTags with modified hardware," writes Braunlein. "With a power bank and ESP32 being cheaper than an AirTag, this might be an additional motivation for some to build a clone instead themselves."

The researcher concludes: "While we don't encourage misuse, we hope that sharing this experiment will yield positive changes to the security and privacy of the Find My ecosystem."


Comments

  • Reply 1 of 29
rob53 Posts: 3,251 member
    Researcher or hacker? Makes me wonder whether they’re the same thing. 
  • Reply 2 of 29
maltz Posts: 454 member
    rob53 said:
    Researcher or hacker? Makes me wonder whether they’re the same thing. 

    The activity is absolutely the same in the context of security.  Where they differ is in what they do with the fruits of their labor.

    AKA White-Hat vs Black-Hat
  • Reply 3 of 29
sans Posts: 58 member
    rob53 said:
    Researcher or hacker? Makes me wonder whether they’re the same thing. 
    I was about to say it all depends on what they do with the data. That got me thinking: wouldn't every "real" hacker also be a researcher of sorts? And that go be to right were you are.
  • Reply 4 of 29
    Apple chose to get into this market. Now that it has, it seems to be leading in protecting Apple and non-Apple customers from potential misuse of AirTags. Clearly there is much more to do. All smartphone and tracking device makers need to protect their customers from misuse of their own and other tracking solutions.
  • Reply 5 of 29
    Apple should just stop manufacturing AirTags, and get out of that market entirely. AirTag makes as much sense as the round mouse on the 2001 iMacs.
    It is true that airtags have better security than other devices of other brands. Other brands don’t even let people know they’re being stalked. Airtags do. However, people don’t really understand technology to use it correctly, so airtags letting people know they’re being stalked is backfiring as bad marketing for Apple instead. Too much drama.
  • Reply 6 of 29
chadbag Posts: 2,000 member
    These researchers did not clone an AirTag.  Their findings have very little to do with actual AirTags.  They created their own "tracker" that uses the "Find My" service / network.  And maintain there are issues with it.  
  • Reply 7 of 29
    So this researcher proved that the Apple device can be modified so that it acts exactly as stealthily as every other tracker on the market?  How profound.
edited February 2022
  • Reply 8 of 29
rob53 Posts: 3,251 member
    rumpels said:
    Apple should just stop manufacturing AirTags, and get out of that market entirely. AirTag makes as much sense as the round mouse on the 2001 iMacs.
    It is true that airtags have better security than other devices of other brands. Other brands don’t even let people know they’re being stalked. Airtags do. However, people don’t really understand technology to use it correctly, so airtags letting people know they’re being stalked is backfiring as bad marketing for Apple instead. Too much drama.
    I liked the round mouse!

    if Apple got out of every product line where people didn’t understand the technology behind that product they wouldn’t have any products to sell. The majority of people rarely change from default settings so anything Apple can do to make things secure out of the box is helpful. As for drama, we deal with all sorts of drama every day so what’s new?
  • Reply 9 of 29
chadbag Posts: 2,000 member
    So this researcher proved that the Apple device can be modified so that it acts exactly as stealthily as every other tracker on the market?  How profound.
    That is not what they did.   They didn't do anything to or with an AirTag.   The headline is extremely misleading.   The researchers created their own tracker, nothing to  do with Air Tags, except they both use Apple's "Find My" network, and then "proved" that the anti-stalking features couldn't work with their own tracker.   
  • Reply 10 of 29
mike1 Posts: 3,286 member
    chadbag said:
    So this researcher proved that the Apple device can be modified so that it acts exactly as stealthily as every other tracker on the market?  How profound.
    That is not what they did.   They didn't do anything to or with an AirTag.   The headline is extremely misleading.   The researchers created their own tracker, nothing to  do with Air Tags, except they both use Apple's "Find My" network, and then "proved" that the anti-stalking features couldn't work with their own tracker.   

    I was getting the same thing from the article, but wanted to reread before I posted.
    To me, they lost all credibility when it said their tracker had no speaker. So it wasn't a clone.

  • Reply 11 of 29
cia Posts: 253 member
    If you are honestly willing to jump through all these hoops to make a cloned AirTag, you REALLY have to want to make a cloned AirTag.

    Instead of going through all those steps, you can just buy a cellular tracker off Amazon for under $100, pop in a pre-paid SIM (Bought with cash) and track someone that way.  No warnings ever.
  • Reply 12 of 29
chadbag Posts: 2,000 member
    mike1 said:
    chadbag said:
    So this researcher proved that the Apple device can be modified so that it acts exactly as stealthily as every other tracker on the market?  How profound.
    That is not what they did.   They didn't do anything to or with an AirTag.   The headline is extremely misleading.   The researchers created their own tracker, nothing to  do with Air Tags, except they both use Apple's "Find My" network, and then "proved" that the anti-stalking features couldn't work with their own tracker.   

    I was getting the same thing from the article, but wanted to reread before I posted.
    To me, they lost all credibility when it said their tracker had no speaker. So it wasn't a clone.

    Ignoring the speaker thing, the device doesn't show up as an AirTag it appears.  They had to track it with their own Mac app and a custom Android app using the open source library Open Haystack.  

    If it could be used purely within Apple's system then it could be considered a clone of some sort.  Even without a speaker.  

    I've read it twice and it seems they were piggybacking on the Find My network.  But how much is unclear and I am not familiar with the details of it.  Could their subject wander anywhere far away and still be tracked by all the iPhones out there uploading its presence?   Anyway, it is not a clone of AirTag but their own design of a tracker that may share the same Find My system. 
  • Reply 13 of 29
    rumpels said:
    Apple should just stop manufacturing AirTags, and get out of that market entirely. AirTag makes as much sense as the round mouse on the 2001 iMacs.
    It is true that airtags have better security than other devices of other brands. Other brands don’t even let people know they’re being stalked. Airtags do. However, people don’t really understand technology to use it correctly, so airtags letting people know they’re being stalked is backfiring as bad marketing for Apple instead. Too much drama.
    My $5000 worth of lost/stolen luggage coming home from Spain 3 years ago says otherwise. Swore I would never travel again without a tracker, praying that Apple would do one right. Tried Tile when it first came out years ago and found it wanting. Apple’s works great—sure wish I had it for Spain trip! It’s a great product with a perfect use case for me. Problems of misuse can be dealt with, just as they have been with other technologies. No baby with the bathwater, please. 
  • Reply 14 of 29
lkrupp Posts: 10,557 member
    The media and security researchers have zeroed in on Apple as the focus of the stalking problem. They will keep pounding away at AirTags over everything else. Of course, stalking and tracking have been around for hundreds of years but when Apple is involved it’s a problem immediately. I have a close friend who visited the other day. He had just gotten an Watch for Christmas, we were talking about things, and I mentioned AirTags. The very first words out of his mouth were, “Oh, I read they’re being used to stalk people.” That’s all the general public knows at this point, AirTags are used to stalk people.

    When a long time member here posted his prediction that Apple would be forced to pull AirTags from the market I chuckled at the thought like so many others here did. Now I’m not so sure anymore. Like the Google Glass debacle if the public gets the idea that AirTags are solely for stalking people then I think the prediction will come true. We are well on the way to demonizing AirTags as evil technology.
  • Reply 15 of 29
    A crucial difference between Apple's and the others' implementations is that if you are an iPhone user and don't use AirTags, you may still be contributing to someone being stalked/vehicles being stolen (and what isn't clear to me is if you opt out of Find My Network, will you still be alerted of an unknown AirTag?)

    Just think hard about that for a minute.
    edited February 2022
  • Reply 16 of 29
chadbag Posts: 2,000 member
    This has nothing to do with AirTags.  I wish AI would update their headline since it is incorrect.  

    It has to do with being able to piggy back on the Find My network Apple runs (and AirTags use but so do many other things) and potential privacy/security holes on it.   I am not saying there isn't a story here, but rather that the story is not AirTags.  No one cloned an AirTag, based on the story.  They did make their own tracker that was usable on the Find My system. That is the story. 
  • Reply 17 of 29
    I remember a few years ago when some researcher "proved" that someone could "hack" Touch ID by cutting off someone's finger and using that to unlock a phone. Then, people were panicking about someone stealing a phone and cutting off your finger while at it.

     Unsurprisingly, the rash of phone and finger thefts never happened.  Yes, having a device that can track people is worrisome, but then again if someone really wanted to stalk you, all they'd have to do is to buy a cheap and untraceable GPS tracker from Amazon. The fact that Apple will hand over the name of an AirTag owner with a lawful request should put a stop to people eventually. 
  • Reply 18 of 29
    david808 said:
    I remember a few years ago when some researcher "proved" that someone could "hack" Touch ID by cutting off someone's finger and using that to unlock a phone. Then, people were panicking about someone stealing a phone and cutting off your finger while at it.

     Unsurprisingly, the rash of phone and finger thefts never happened.  Yes, having a device that can track people is worrisome, but then again if someone really wanted to stalk you, all they'd have to do is to buy a cheap and untraceable GPS tracker from Amazon. The fact that Apple will hand over the name of an AirTag owner with a lawful request should put a stop to people eventually. 
    All they have to do is use a burner iPhone and ID.
  • Reply 19 of 29
    sans said:
    rob53 said:
    Researcher or hacker? Makes me wonder whether they’re the same thing. 
    I was about to say it all depends on what they do with the data. That got me thinking: wouldn't every "real" hacker also be a researcher of sorts? And that go be to right were you are.
    No. Many people considered "hackers" by the popular media are just script kiddies, or people who, say, buy speakerless Air Tags on eBay.
  • Reply 20 of 29
    So essentially, create a tracker that does not have any of the AirTags safety/ accountability features like a unique ID, association with an Apple ID and a speaker, and then use the available Find My network and claim that the AirTags safety features are not enough? 

    Does the researcher know that the Find My network is available for any tracker?
    edited February 2022