
I know when you are at home. Billions of iOS users making AirTags a favorite snooper’s weapon

We look at the Apple AirTag device to understand its vulnerabilities.

Published: August 25, 2021 By Sabrina Lupsan


60% of iPhone users are predicted to buy at least one AirTag device in 2021, according to a trusted source. And while millions of AirTag devices are expected to sell by the end of the year, this might affect you, even if you do not own one.

In this article, you will understand how AirTags work, why they use other people’s phones to connect to their owners, and what vulnerabilities have been identified so far.

Disclaimer: The information presented in this article is based on my personal opinion and experience and should not be considered financial advice.

Why are AirTags vulnerable?

I have identified a few vulnerabilities related to the Apple AirTags, which will be further explained in this article.

I will talk about:

  • Why non-Apple users can be stalked using these small devices
  • How the German researcher Thomas Roth managed to hack the firmware of the AirTags and change their behavior, which affects Apple customers
  • How AirTags can become a reconnaissance tool and how easy it is to get away with it

What is an AirTag device?

AirTag is a small, round, coin-like Apple device that can be used to easily find your lost items. AirTags can be placed inside your wallet. They can be attached to your keys, luggage, or other things you often lose around the house or around the car.

Two Apple AirTags

Image source – apple.com

You can see two AirTag devices in the picture above.

Once paired with an application on your phone, the AirTag immediately becomes a tracking device for your things. The device can make a sound, or the application can show you the distance between you and the AirTag and which direction you should follow to find it.

In the image below, you can see the "Find my" application using Augmented Reality to guide you towards your AirTag.

How the “Find my” application shows in what direction the AirTag device is and how far away it is.

Image source – apple.com

What can you use this device for?

AirTags can be used for many things; for this reason, they also come in 4-packs. An AirTag can be used to:

  • Locate your keys, wallet, or other things you often lose
  • Track your luggage when traveling by plane to make sure your belongings don’t get lost when transferring from airport to airport
  • Always make sure your child is safe and is in the right place
  • Find a lost pet by attaching the AirTag to its collar
  • Find a stolen bike
  • Find your car in the parking lot (if you forgot where you parked your car)

And many other things. AirTags can also be personalized by engraving them with your name or an emoji in case you live with other people who also own AirTags, or you're sharing a 4-pack with your family.

How do AirTags actually work?

  1. You have to pair the AirTag device using the application "Find my" available in the Apple App Store. You give it a name, and it is paired with your Apple ID.
  2. After doing this, the location of the AirTag is available through Bluetooth. The small AirTags do not actually contain GPS capabilities. So, in order to locate an AirTag, there must be an iPhone nearby.

The reason is that an AirTag device will use an iPhone with Bluetooth activated to send its location details to the Apple cloud. From there, your iPhone collects the data. The application uses that information to identify the location of the lost AirTag.

According to Apple, the whole procedure is encrypted and anonymous, and no one else can know your location based on the Bluetooth info, not even Apple themselves. They also assure their customers that location and data are not stored on the AirTags.

In order for the AirTags to work, an iPhone needs to be within their range. Otherwise, they cannot be detected and located.

What vulnerabilities have been discovered?

  • Can Android users be stalked?
  • AirTags’ firmware was hacked
  • AirTags can be used for reconnaissance

While some of these vulnerabilities have been addressed to some extent by Apple, others remain and should be considered.

Thinking about how these small devices work, we must say it is a bit weird – other people’s phones detect your device and then send that information across to the Apple Cloud, where it is stored for you. Then, the location of the AirTag is sent to your application.

Let me tell you why this is worrying to me and what vulnerabilities have been discovered so far for this device.

Can Android users be stalked?

Now, of course, the AirTags were made especially for Apple users. They do not work with Android phones, because Android phones do not have access to the Apple Cloud or to the “Find my” application, which is not available in the Play Store.

Considering this aspect, let’s see how a foreign AirTag behaves when it is with you.

If someone else’s AirTag is near you while that person (that is, their iPhone) isn’t, you get a notification on your phone. The notification says that a foreign AirTag device is with you.

This was made to ensure no snooper can track your location by just hiding the little device in your belongings.

All seems well until we think about a phone that does not use iOS (so the majority of phones out there).

Because a non-Apple phone cannot perceive these small devices being nearby, this raises the problem: can Android users be stalked using an AirTag?

We consider the following scenario.

Let's say I throw an AirTag in your backpack, in your car trunk, or in a pocket you never use or check, and I plan to track your location with it.

If you don’t have an iPhone, will you know it is there?

Yes and no.

When this product first came out, it had a feature that made the AirTag start alerting and making noise if it was not with its owner for three days. However, three days is a very long timeframe, and a stalker can very easily ensure they visit you in this period of time.

Recently, Apple changed this timeframe to a random interval between 8 and 24 hours. Of course, this is way better than three days. But is it enough?

If you live with a stalker, it is probably not enough. By constantly refreshing this timeframe through entering the ~10 m operating distance of the AirTag, the stalker will most likely not be caught.

On top of that, if you are hard of hearing or simply have it tucked away and you cannot hear its sound, you will never know you are being stalked by someone.

The beeping noise can be missed under some circumstances. Especially if someone with bad intentions placed it somewhere where you can barely hear it.

And while we have seen some action from Apple towards fixing this vulnerability, it is currently not enough. Non-Apple users are still threatened by this feature.

Apple also intends to address this security issue by releasing an application for Android users that detects the AirTag. However, this is not out yet.

And what about the non-Android (and non-Apple) users? Or about people that are not aware of this vulnerability and do not install this application (that probably seems pointless unless informed properly)? Or elderly people not familiar with technology?

AirTags’ firmware was hacked

The German researcher Thomas Roth successfully hacked the firmware of the AirTags and managed to change the behavior of the device.

Thomas Roth’s tweet about his successful hacking of Apple AirTags.

In the linked YouTube video, he showed step-by-step how you can successfully modify the product’s firmware. The video was intended for informational purposes and did nothing harmful for an Apple customer, but hackers could exploit it.

In the video, Thomas Roth changed the NFC web address so that when you scanned the AirTag with your phone, a YouTube notification with a Rick Roll would appear. While that is funny, the joke can turn into something serious in a split second.

If a malicious hacker were to change the behavior of the AirTag so that it opens a fake website when scanned, the Apple customer could easily be tricked into doing anything the hacker wants, especially if the spoofed website had the Apple logo and a similar design.

For example, they could ask for personal information, bank details or even trick their target into downloading a virus or some other type of malware.
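A defensive check for the scenario above, as an added example that is not from the original article: before a URL read from a scanned tag is opened, its host is compared against an allowlist, and common look-alike tricks are rejected. The host `found.apple.com` is an assumption about where the genuine found-item page is served (the article does not name it); `check_scanned_url` and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the one host accepted for a tag's found-item page.
TRUSTED_HOSTS = {"found.apple.com"}

def check_scanned_url(url):
    """Return (ok, reason) for a URL read from a tracker's NFC tag."""
    # Backslashes, spaces and control characters are parsed differently
    # by different URL parsers, so refuse them instead of guessing.
    if any(c in url for c in "\\\t\r\n "):
        return False, "suspicious characters"
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not HTTPS"
    # "https://trusted@other.example/" really goes to other.example.
    if parts.username is not None or parts.password is not None:
        return False, "text before '@' hides the real host"
    host = (parts.hostname or "").rstrip(".")
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return False, "internationalised host (possible look-alike)"
    if port not in (None, 443):
        return False, "unexpected port"
    # Exact match only: a trusted name used as a prefix of a longer
    # host name must not pass.
    if host not in TRUSTED_HOSTS:
        return False, "untrusted host: " + (host or "(none)")
    return True, "trusted host"

# Constructed sample URLs (not taken from any real tag).
SAMPLES = [
    "https://found.apple.com/constructed?id=TEST",
    "http://found.apple.com/constructed",
    "https://found.apple.com@evil.example/constructed",
    "https://found.apple.com.evil.example/constructed",
    "https://found.\u0430pple.com/constructed",  # Cyrillic "a"
    "https://found.apple.com:8443/constructed",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_scanned_url(sample), sample)
```

Only the first sample passes; each of the others is rejected for a different reason, which is the point of checking the parsed host rather than looking for a familiar name somewhere in the string.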

I am not aware of Apple releasing a patch for the AirTag regarding this vulnerability. This is why the AirTag still has to be improved in terms of cybersecurity.

I believe that this product should be approached carefully. It comes with a great price, an attractive design, and it definitely is an innovative way to easily find things you often misplace or lost pets.

However, it comes at a cost. Are you willing to pay for it?

AirTags can be used for reconnaissance

Because this product essentially uses the network of iPhones nearby to advertise its location, this feature can very quickly turn into a “weapon” against Apple users.

Let’s think about it. An AirTag shows your location only if it is near an iPhone. Therefore, we consider the following scenarios:

  • You leave your small Apple product alone on a table in a café; does it still advertise its location? If yes, there is an iPhone user in the building
  • You leave it at home and see if it is detected. That way, you can tell if your neighbors have iPhones. Even better, if you already knew they do, you can find out when they are at home and when they aren’t.

And, of course, this information is not very exact, as you might have none or multiple neighbors with an iPhone. But if you were to live or travel in an unpopulated area, AirTags could become a very useful reconnaissance tool.

One very important thing to consider is that it is perfectly normal to leave your AirTag at home or even lose it in the park or in a building. If you were to get caught, you would have a very valid explanation.

How do you stay away from AirTags?

Unfortunately, if you have an iPhone, it is pretty difficult to not be a part of Apple’s web. If your phone has the location enabled and the Bluetooth turned on, it will inevitably participate in the AirTags’ location procedure.

So, unless you turn off the location or Bluetooth, your phone will still be a sensor for other Apple customers.

However, turning these features off will affect applications and IoT devices which you would have to give up on, like your Bluetooth speaker or your Snapchat location.

What other tracking devices should you consider?

The Apple AirTags are not the only devices on the market with that purpose. Two other options you should consider are the Samsung SmartTags Plus and the Tile Pro devices.

Below you can see a side-by-side comparison between these products.

| Device | Price for 1 device | Compatible OSs | Network size to find the device | Ultra-Wideband (accurate location) | Augmented Reality capabilities | Customizable sound |
|---|---|---|---|---|---|---|
| Apple AirTag | $29 | iOS | Large | Yes | Yes | No |
| Samsung SmartTag Plus | $39 | Android | Medium | Yes | Yes | Yes |
| Tile Pro | $35 | iOS, Android, and others | Small | No | No | Yes |

The network size is smaller for the Samsung SmartTag Plus because not everyone that has a Samsung device participates in the process of locating the tracking device, but only the people that have their Samsung account linked to the phone.

Therefore, you can still opt out of the SmartTag locating algorithm by not having your account linked to your phone. Of course, this will limit the phone’s capabilities, but you can still use it.

Tile Pro requires that you have the Tile application and an active subscription. Because of this, the network is smaller than Samsung’s and a lot smaller than Apple’s.

Infographic

The following infographic that I made illustrates the vulnerabilities that have been identified regarding the new Apple AirTags devices. It is important to be aware that both Apple and non-Apple users are at risk. You can also see how you can protect yourself by following best practices and being vigilant.


Conclusion

While Apple AirTag is a great product and has many functionalities, it is better to be vigilant. New vulnerabilities can always appear and, in order to make sure you don’t become an exploitable target, my advice for you is to:

  • Read the news and keep your eyes out for new vulnerabilities
  • Be careful with your belongings and make sure there are no foreign objects among them
  • Don’t click without thinking; even if it seems to be coming from the official application, we have seen that the behavior of AirTags can be modified

If you were thinking about buying an AirTag: did I change your mind? Or do you still want to go for it?

If you own an AirTag, please leave a comment below with your opinion on the device and what you think about the vulnerabilities presented.

Author
Sabrina Lupsan
Sabrina Lupșan is a writer at CoolTechZone, a cybersecurity enthusiast, and a future penetration tester. She holds a Bachelor’s degree in Computer Science and Economics.
