Cybersecurity researchers have built a replica of Apple's AirTag that bypasses the anti-stalking protections in the Bluetooth-based Find My tracking protocol.
The result is a stealth AirTag that can successfully track an iPhone user for over five days without triggering a tracking notification, Positive Security’s co-founder Fabian Braunlein said in a deep-dive published last week.
Find My is Apple's device-tracking app. It lets you locate your iOS devices using GPS, and you can also view other users' locations through the app.
This was not the first time that Apple's Find My system has been compromised. In March 2021, the Secure Mobile Networking Lab (SEEMO) at the Technical University of Darmstadt, Germany, disclosed design and implementation flaws in the protocol that could enable a location correlation attack and unauthorized access to users' location histories.
Then in May 2021, Braunlein followed it up by sharing details of a communication protocol built on top of Find My that enables arbitrary data to be uploaded from non-internet-connected devices by sending “Find My” Bluetooth broadcasts to nearby Apple devices that can carry out the data upload.
The development also comes as Apple, earlier this month, introduced a raft of new anti-stalking measures for AirTags to prevent their misuse in tracking unsuspecting individuals without their consent, including a warning that doing so has criminal repercussions.
“If an AirTag or set of AirPods is found to have been unlawfully tracking someone, police can ask Apple for any information to help their investigation,” Apple spells out in an updated support article.
But the “Find You” AirTag clone devised by Positive Security aims to get around “every current and upcoming protection measure.” It’s also built using OpenHaystack, an open-source framework developed by SEEMO researchers for tracking personal Bluetooth devices via Apple’s crowdsourced Find My network.
By broadcasting new, never-before-seen public keys every 30 seconds from a list of 2,000 preloaded public keys, the proof-of-concept (PoC) device was found to be undetectable: it raised no alerts in iOS or in Apple's own Tracker Detect Android app, even though an unwanted tracker was present.
Interestingly, AirGuard, which was developed by SEEMO as a third-party alternative to Tracker Detect, is capable of discovering the clone in “manual scan” mode, calling into question the effectiveness of the safety and security barriers implemented by Apple to safeguard users from the malicious use of AirTags.
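The key rotation described above defeats any detector that waits for the same identifier to reappear, which is why a scan that ignores identity (as AirGuard's manual scan evidently does in some form) can still surface the clone. The Python below, added here as an illustration and not code from Positive Security, Apple or the AirGuard project, models that gap on a constructed scan log; both heuristics, the itinerary and the scan interval are simplified assumptions, not the actual iOS or AirGuard logic.

```python
from collections import defaultdict

ROTATION_S = 30   # the clone advertises a fresh public key every 30 s (from the article)
SAMPLE_S = 30     # assumed scan interval of the detecting phone

# Constructed itinerary (assumption): where the user is, as (place, start_s, end_s).
ITINERARY = [("home", 0, 300), ("bus", 300, 900), ("office", 900, 1800), ("cafe", 1800, 2100)]


def constructed_scan():
    """Return constructed (t, place, key) sightings: a static-key tracker, a clone
    that never repeats a key, and one bystander device per place seen only on arrival."""
    sightings = []
    for place, start, end in ITINERARY:
        for t in range(start, end, SAMPLE_S):
            sightings.append((t, place, "static-tag"))
            sightings.append((t, place, f"clone-key-{t // ROTATION_S:04d}"))
            if t == start:
                sightings.append((t, place, f"bystander-{place}"))
    return sightings


def per_identifier_alerts(sightings, min_places=3):
    """Simplified per-identifier heuristic (assumed, not Apple's actual logic): alert on
    any key seen at >= min_places distinct places. A clone that never repeats a key
    is invisible to it."""
    places = defaultdict(set)
    for _, place, key in sightings:
        places[key].add(place)
    return sorted(key for key, seen in places.items() if len(seen) >= min_places)


def co_presence_alerts(sightings, max_gap_s=60, min_places=3):
    """Identity-agnostic heuristic (assumed): ignore keys and treat the stream of
    unknown Find My advertisements as one companion while consecutive sightings
    are <= max_gap_s apart; alert on a chain spanning >= min_places places.
    Bystanders drop out when the user moves; a follower, static or rotating, does not."""
    chains, current = [], None
    for t, place, _ in sorted(sightings):
        if current is None or t - current["last"] > max_gap_s:
            current = {"start": t, "last": t, "places": set()}
            chains.append(current)
        current["last"] = t
        current["places"].add(place)
    return [(c["start"], c["last"], c["places"]) for c in chains
            if len(c["places"]) >= min_places]


if __name__ == "__main__":
    print(per_identifier_alerts(constructed_scan()), co_presence_alerts(constructed_scan()))
```

The identity-agnostic check catches the clone, but it will also fire anywhere some Find My device is always in range, which is the false-positive cost that makes protocol-level fixes, as argued below, preferable to heuristics in the phone.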
“The ubiquitous nature of the Find My network, combined with its high accuracy and low entry cost, lowers the bar for abuse,” SEEMO researchers Alexander Heinrich, Niklas Bittner, and Matthias Hollick said in a new paper, pointing out how “AirGuard found more actual trackers in different scenarios compared to the iOS tracking detection.”
“Apple needs to incorporate non-genuine AirTags into their threat model, thus implementing security and anti-stalking features into the Find My protocol and ecosystem instead of in the AirTag itself, which can run modified firmware or not be an AirTag at all,” Braunlein said.