ppietra

Xed said:

ppietra said:

Xed said:

ppietra said:

Xed said:

nicholfd said:

Xed said:

rob53 said:

So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 

As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

We have no idea what else could be done in the future. Nefarious users could figure out was to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.

The AirTag sends nothing to Apple.  The Apple iPhone/iPad/AppleWatch(?) picks up a unique BT ID, and THAT device talks to Apple.  All the AirTag does is broadcast its ID via BlueTooth for other Apple devices to pick up.

The AirTag receives nothing from Apple - it only receives data from Apple devices (probably only the device it is paired with.)

You really need to read up on how these tags (and others like it) work. They very clearly send data to Apple's servers as you can easily verify from your own AirTag or any number of articles and videos detailing how these work.

To put another way, these do function as ad-hoc devices with BT and UWB when you're within range, but they also work over the internet with your iCloud account so you can locate these trackers when you aren't in range by having them link to other devices securely which will forward their location to Apple which will let you know where they were found.

That is not how AirTags work. AirTags don’t connect to any other device other than the owner’s iPhone, neither are AirTags responsible for sending information to servers.
AirTags only broadcast a Bluetooth ID for other Apple’ devices to see. It’s the iPhones and iPads in the network that communicate with Apple servers, and once there is a request for an AirTag they probably receive the associated Public Key to encrypt its location so that the owner can discover it. 
Just pay attention to the fact that devices cannot establish a Bluetooth connection without first pairing,  and strange devices don’t pair without user consent... Not only would it be a very high security risk to create ad-hoc connections with strange devices, it would also easily saturate bluetooth connections making it impossible for people to use their own devices and increasing power consumption unnecessarily.

Of course they do. That's a key to how they securely send their location to your device when you're not within BT range, just like with Tile, Trackr, et al. This isn't a difficult concept to understand. Just because the device isn't showing up on another person's phone doesn't mean the device isn't connecting to the internet via said device.

They will even connect to Android devices which allows AirTag to be scanned which will pop up an alert on the screen that includes a web link (as this researcher did in the article). If it's marked as lost, you'll see instructions on how to contact the rightful owner and get the item back to them.

No they don’t. If you knew anything about how bluetooth works on an iPhone, you would know that there is no connection over bluetooth without pairing, and devices only pair with user authorisation.
The location is securely sent by other iPhones not by the AirTag. The iPhone sees the AirTag "ID", the iPhone knows its own location, the iPhone communicates to Apple encrypted (using the AirTag broadcasted Public Key) location. It is a concept quite easy to understand, that has been around for a few years to find offline Phones!!! For other people devices the AirTag is passive, non connected.
AirTags don’t connect to Android devices. Android devices can scan the NFC chip and get a link to a website, and that is it. Anything else after that doesn’t involve the AirTag, nor does it connect an AirTag to a server.

Being passive doesn't mean it doesn't connect. It's a signal that is going to a device which transmits its ID to a server which then forwards it's ID to its owner along with its location. If it didn't do this there would be such thing as AirTag or Tile. In no comment did I say that it pairs with another device.

Additionally, and yet again, there are other wireless technologies in which more than just iPhones can retrieve data from AirTags. That is very clearly a wireless transmission of data from one device to another and to say otherwise is foolish.

OMG!!! being passive means it doesn’t connect because that is my own description and that is what I meant. There is no signal going through another device! The AirTag is only broadcasting an ID (an alphanumeric string) that anyone can see! It doesn’t interact with other iPhones!!! 
"In no comment did I say that it pairs with another device":
In several comments you mention that the AirTag connects to the internet via another device!!! You can only use another device’s internet if your pair the devices!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! You actually mention a lot the idea that an hacked AirTag could use these devices (iPhones) to connect to servers not from Apple... so clearly you thought that the AirTag could behave in far more complex ways than it actually does.

Xed said:

ppietra said:

Xed said:

nicholfd said:

Xed said:

rob53 said:

So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 

As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

We have no idea what else could be done in the future. Nefarious users could figure out was to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.

The AirTag sends nothing to Apple.  The Apple iPhone/iPad/AppleWatch(?) picks up a unique BT ID, and THAT device talks to Apple.  All the AirTag does is broadcast its ID via BlueTooth for other Apple devices to pick up.

The AirTag receives nothing from Apple - it only receives data from Apple devices (probably only the device it is paired with.)

You really need to read up on how these tags (and others like it) work. They very clearly send data to Apple's servers as you can easily verify from your own AirTag or any number of articles and videos detailing how these work.

To put another way, these do function as ad-hoc devices with BT and UWB when you're within range, but they also work over the internet with your iCloud account so you can locate these trackers when you aren't in range by having them link to other devices securely which will forward their location to Apple which will let you know where they were found.

That is not how AirTags work. AirTags don’t connect to any other device other than the owner’s iPhone, neither are AirTags responsible for sending information to servers.
AirTags only broadcast a Bluetooth ID for other Apple’ devices to see. It’s the iPhones and iPads in the network that communicate with Apple servers, and once there is a request for an AirTag they probably receive the associated Public Key to encrypt its location so that the owner can discover it. 
Just pay attention to the fact that devices cannot establish a Bluetooth connection without first pairing,  and strange devices don’t pair without user consent... Not only would it be a very high security risk to create ad-hoc connections with strange devices, it would also easily saturate bluetooth connections making it impossible for people to use their own devices and increasing power consumption unnecessarily.

Of course they do. That's a key to how they securely send their location to your device when you're not within BT range, just like with Tile, Trackr, et al. This isn't a difficult concept to understand. Just because the device isn't showing up on another person's phone doesn't mean the device isn't connecting to the internet via said device.

They will even connect to Android devices which allows AirTag to be scanned which will pop up an alert on the screen that includes a web link (as this researcher did in the article). If it's marked as lost, you'll see instructions on how to contact the rightful owner and get the item back to them.

No they don’t. If you knew anything about how bluetooth works on an iPhone, you would know that there is no connection over bluetooth without pairing, and devices only pair with user authorisation.
The location is securely sent by other iPhones not by the AirTag. The iPhone sees the AirTag "ID", the iPhone knows its own location, the iPhone communicates to Apple encrypted (using the AirTag broadcasted Public Key) location. It is a concept quite easy to understand, that has been around for a few years to find offline Phones!!! For other people devices the AirTag is passive, non connected.
AirTags don’t connect to Android devices. Android devices can scan the NFC chip and get a link to a website, and that is it. Anything else after that doesn’t involve the AirTag, nor does it connect an AirTag to a server.

Xed said:

nicholfd said:

Xed said:

rob53 said:

So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 

As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

We have no idea what else could be done in the future. Nefarious users could figure out was to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.

The AirTag sends nothing to Apple.  The Apple iPhone/iPad/AppleWatch(?) picks up a unique BT ID, and THAT device talks to Apple.  All the AirTag does is broadcast its ID via BlueTooth for other Apple devices to pick up.

The AirTag receives nothing from Apple - it only receives data from Apple devices (probably only the device it is paired with.)

You really need to read up on how these tags (and others like it) work. They very clearly send data to Apple's servers as you can easily verify from your own AirTag or any number of articles and videos detailing how these work.

To put another way, these do function as ad-hoc devices with BT and UWB when you're within range, but they also work over the internet with your iCloud account so you can locate these trackers when you aren't in range by having them link to other devices securely which will forward their location to Apple which will let you know where they were found.

That is not how AirTags work. AirTags don’t connect to any other device other than the owner’s iPhone, neither are AirTags responsible for sending information to servers.
AirTags only broadcast a Bluetooth ID for other Apple’ devices to see. It’s the iPhones and iPads in the network that communicate with Apple servers, and once there is a request for an AirTag they probably receive the associated Public Key to encrypt its location so that the owner can discover it. 
Just pay attention to the fact that devices cannot establish a Bluetooth connection without first pairing,  and strange devices don’t pair without user consent... Not only would it be a very high security risk to create ad-hoc connections with strange devices, it would also easily saturate bluetooth connections making it impossible for people to use their own devices and increasing power consumption unnecessarily.

Most of what is said in the report shows some lack of knowledge of what are todays technological advancements and requirements. Do they think that it could be as easy to repair (every component) as an old CRT TV, or some power supply?
However, it is ridiculous how much companies such as Apple charge for parts and repairs, for things that can already be easily swapped. That is what the authorities should focus on, making sure that people have access to affordable repairs and wide availability of repair shops... not nitpicking on design decisions like they would know better.

FoodLover said:

ppietra said:

Did anyone notice how they deceitfully play with words?
First they say they are tracking some Data - avoiding saying they are tracking people!
Then they try to seed confusion by saying "how we limit the use of this information if you don't turn on this setting", like if people choose the negative option ("not to track") Facebook will get information.

Well, I have a Galaxy Phone and no Facebook. So FB cannot track where I am. It can just collect data on the owner.

But when I am with iPhone users within the same network, all iPhone users are constantly sharing my location with Apple. Apple knows exactly who is in the same location with whom, independent of whether the others have an iPhone or not.

 https://www.tcd.ie/news_events/articles/new-study-raises-fresh-privacy-concerns-about-apple-and-google-mobile-phones/

 Apple not only collects data about handset activity, but also about handsets nearby. When you use WiFi, the WiFi MAC addresses of other devices on the network are sent to Apple.  When the location toggle is enabled on the handset then the precise GPS location is also included. The WiFi MAC address identifies a device on a WiFi network and so, for example, uniquely identifies your home router, cafe hotspot or office network.  That means Apple can potentially track which people you are near to, as well as when and where. That’s very concerning.

Even Google doesn’t do this. This is scaring. But Apple fans always believe Apple is the good guy. Read the complete study. Apple and Google collect both data, but what Apple does, does nobody else.

with all due respect but you have no idea of how Apple handles the data it collects, so you saying that Apple can track you is BS based on speculation.
As for Facebook it is well known that it can track you even if don’t use Facebook, because Facebook is also an Ad network for other applications that you probably use, collecting data from those applications (that is Facebook business)... hey, it is even the owner of other popular apps!