Airtag clones can sidestep Apple anti-stalker tech

An infosec startup says it has built an Apple Airtag clone that bypasses anti-stalking protection features while running on Apple's Find My protocol.

Source code for the clones were published online by Berlin-based infosec startup Positive Security (not to be confused with US-sanctioned cybersecurity outfit Positive Technologies), which said its tags "successfully tracked an iPhone user... for over five days without triggering a tracking notification."

The user consented, added Positive's Fabian Bräunlein in a blog post explaining his findings.

"In particular," said Bräunlein, "Apple needs to incorporate non-genuine AirTags into their threat model, thus implementing security and anti-stalking features into the Find My protocol and ecosystem instead of in the AirTag itself, which can run modified firmware or not be an AirTag at all."

The findings suggest that Apple's claims of the Find My protocol being "built with privacy in mind" fall short of the mark, with Positive Security spoofing the protocol by having an open-source device broadcast "2,000 preloaded public keys" as a way of fooling some anti-stalking protections.

The proof-of-concept device was kept with a volunteer user for five days, during which time it did not show on Apple's Tracker Detect app – while "location reports for the broadcasted public keys were uploaded and could be retrieved."

Airtags, originally conceived as a way of keeping track of luggage and similar portable items through Apple's Find My app, have been abused by stalkers in the past. Miscreants would drop Airtags into victims' bags or attach them to cars and then use the Find My app to view their precise locations.

Anti-stalking protections were hastily introduced by Apple recently; Airtags are supposed to sound an audible alarm and also send notifications to nearby iPhones announcing their presence.

This doesn't work with non-Apple phones, although Apple released an Android app capable of picking up these broadcasts. The BBC described Airtags last month as "a perfect tool for stalking."

• Apple tweaks AirTags to be less useful for stalkers, thieves
• Unpatched flaw 'weaponises' Apple AirTags to turn them into the phisherman's friend
• Apple's Find My network can be abused to leak secrets to the outside world via passing devices
• Apple extends Find My support to third-party vendors including Belkin, Dutch bike maker VanMoof, and Chipolo

In a 10 February statement Apple declared it was tightening up privacy protections in Airtags, adding "we condemn in the strongest possible terms any malicious use of our products."

Airtag spoofing has also spawned an open source project called OpenHaystack, which is described on its GitHub page as "an application that allows you to create your own accessories that are tracked by Apple's Find My network."

While the use cases presented by the project's creators (Technical University of Darmstadt) are benign, the Find My protocol (which operates over Bluetooth Low Energy) appears straightforward for unofficial devices to piggyback off.

It is unclear if Apple will look at the Find My protocol itself rather than tinkering around the edges with the proprietary devices it deploys to use that protocol. We've asked Apple for comment. ®