An infosec startup says it has built an Apple Airtag clone that bypasses harassment protection features when running on Apple’s Find My protocol.
The source code for the clones was posted online by Berlin-based infosec startup Positive Security (not to be confused with US-sanctioned cybersecurity team Positive Technologies), which said its tags “tracked with success an iPhone user… for more than five days without triggering”. a follow-up notification.”
The user consented, Positive’s Fabian Bräunlein added in a blog post explaining his findings.
“In particular,” Bräunlein said, “Apple needs to incorporate inauthentic AirTags into its threat model, thereby implementing security and anti-harassment features into the Find My protocol and ecosystem rather than the AirTag. itself, which may run modified firmware or not an AirTag at all.”
The results suggest that Apple’s claims that the Find My protocol is “built with privacy in mind” fall short, with Positive Security spoofing the protocol by having an open-source device broadcast “2,000 preloaded public keys ” as a means of circumventing certain anti-harassment protections.
The proof-of-concept device was kept with a volunteer user for five days, during which time it was not displayed on Apple’s Tracker Detect app, while “released public key location reports have downloaded and could be recovered”.
Airtags, originally designed as a way to keep track of luggage and similar portable items through Apple’s Find My app, have been abused by stalkers in the past. Criminals would drop Airtags in victims’ bags or attach them to cars, then use the Find My app to view their precise locations.
Anti-harassment protections were hastily introduced by Apple recently; Airtags are supposed to sound an alarm and also send notifications to nearby iPhones announcing their presence.
It doesn’t work with non-Apple phones, although Apple has released an Android app that can pick up these broadcasts. The BBC last month described Airtags as “a perfect tool for harassment”.
In a Feb. 10 statement, Apple said it was strengthening privacy protections in Airtags, adding “we condemn in the strongest possible terms any misuse of our products.”
The airtag spoofing also spawned an open-source project called OpenHaystack, which is described on its GitHub page as “an application that lets you create your own accessories that are tracked by Apple’s Find My network.”
While the use cases presented by the creators of the project (Technical University of Darmstadt) are benign, the Find My protocol (which runs on Bluetooth Low Energy) seems simple to use for unofficial devices.
It’s unclear if Apple will look at the Find My protocol itself rather than tinkering with the proprietary devices it deploys to use this protocol. We’ve asked Apple for a comment. ®