You Break It, We Fix It

Apple’s AirTags have caused a stir, but for all the wrong reasons. First, they turn all iPhones into Bluetooth LE beacon repeaters, without the owner’s permission. The phones listen for the AirTags, encrypt their location, and send the data on to the iCloud, where the tag’s owner can decrypt the location and track it down. Bad people have figured out that this lets them track their targets without their knowledge, turning all iPhone users into potential accomplices to stalkings, or worse.

Naturally, Apple has tried to respond by implementing some privacy-protecting features. But they’re imperfect to the point of being almost useless. For instance, AirTags now beep once they’ve been out of range of their owner’s phone for a while, which would surely alert the target that they’re being tracked, right? Well, unless the evil-doer took the speaker out, or bought one with the speaker already removed — and there’s a surprising market for these online.

If you want to know that you’re being traced, Apple “innovated with the first-ever proactive system to alert you of unwanted tracking”, which almost helped patch up the problem they created, but it only runs on Apple phones. It’s not clear what they meant by “first-ever” because hackers and researchers from the SeeMoo group at the Technical University of Darmstadt beat them to it by at least four months with the open-source AirGuard project that runs on the other 75% of phones out there.

Along the way, the SeeMoo group also reverse engineered the AirTag system, allowing anything that can send BLE beacons to play along. This opened the door for [Fabian Bräunlein]’s ID-hopping “Find You” attack that breaks all of the tracker-detectors by using an ESP32 instead of an AirTag. His basic point is that most of the privacy guarantees that Apple is trying to make on the “Find My” system rely on criminals using unmodified AirTags, and that’s not very likely.
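The dependency on a stable identifier can be seen in a minimal per-identifier "is this beacon following me" check. This is an added example, not code from AirGuard, Apple or the original article; the thresholds, identifiers and scan log are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    t: int       # seconds since the scan started
    ident: str   # identifier carried in the BLE advertisement (constructed)
    place: str   # coarse location of the scanning phone (constructed)


# Hypothetical thresholds for this sketch, not AirGuard's or Apple's values.
MIN_SIGHTINGS = 3
MIN_PLACES = 2
MIN_SPAN_S = 30 * 60


def following_identifiers(sightings):
    """Flag identifiers seen repeatedly, in several places, over a long span."""
    by_ident = defaultdict(list)
    for s in sightings:
        by_ident[s.ident].append(s)

    flagged = set()
    for ident, seen in by_ident.items():
        span = max(s.t for s in seen) - min(s.t for s in seen)
        places = {s.place for s in seen}
        if (len(seen) >= MIN_SIGHTINGS and len(places) >= MIN_PLACES
                and span >= MIN_SPAN_S):
            flagged.add(ident)
    return flagged


# Constructed log: a beacon that keeps one identifier while the user travels,
# plus a neighbour's device seen once at home.
STABLE = [
    Sighting(0, "tag-A", "home"),
    Sighting(600, "neighbour", "home"),
    Sighting(1200, "tag-A", "train"),
    Sighting(2400, "tag-A", "office"),
]

# Constructed log: the same trip, but every advertisement carries a new
# identifier, so no single identifier ever accumulates enough sightings.
HOPPING = [
    Sighting(0, "id-0", "home"),
    Sighting(1200, "id-1", "train"),
    Sighting(2400, "id-2", "office"),
]
```

The first log yields `{"tag-A"}` and the second yields an empty set, which is why detectors keyed on a single identifier only hold up against beacons that keep one.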

To be fair, Apple can’t win here. They want to build a tracking network where only the good people do the tracking. But the device can’t tell if you’re looking for your misplaced keys or stalking a swimsuit model. It can’t tell if you’re silencing it because you don’t want it beeping around your dog’s neck while you’re away at work, or because you’ve planted it on a luxury car that you’d like to lift when its owners are away. There’s no technological solution for that fundamental problem.

But hackers are patching up the holes they can, and making the other holes visible, so that we can at least have a reasonable discussion about the tech’s tradeoffs. Apple seems content to have naively opened up a Pandora’s box of privacy violation. Somehow it’s up to us to figure out a way to close it.

40 thoughts on “You Break It, We Fix It”

  1. Whatever happened to those keychains that would beep if you clapped? That was 100x better than this privacy drama waiting to get even worse. Also a lot cheaper.

    Can’t say I’m surprised though, with all due respect etc., it’s honestly really good to see Apple fall from grace in the last year or two (or at least in my country this happened, and imo it’s well deserved for how terribly they treat their customers and how they STILL oversell outdated hardware)

    Shout out to Mr. Jobs and his handful of actual innovations, “smh” at what Apple has become since his passing, a complete disgrace.

    1. I live in the Valley. I’ve met both Mr. Jobs and Mr. Wozniak. Friends and I have run into Mr. Wozniak having dinner at local spots on several occasions. We’d also run across Mr. Jobs a time or two. I’ve found Mr. Wozniak warm and friendly. Mr. Jobs was much MUCH less so. Mr. Jobs had a few innovative ideas, but, also many WTF moments. IMHO he was more the “salesman with an over inflated ego” than anything else. The mystique surrounding him is still baffling to me.

      But, yeah, Apple’s been “meh” for a while now.

  2. There is an Airtag tracker for Android, it’s called Tracker Detect. Not sure if it works or not, I’ve tried it in several locations (coffee shops, etc.) but I’ve not found any errant tags.

      1. Cue Apple-double-standard mode.

        Let’s talk about the corresponding payments from:

        Microsoft – what’s the ratio of documented AirTag abuses to documented individual, business, and local/state/national government ransomware attacks traceable to Windows vulnerabilities during the same period? How much do Windows users pay per month for virus protection, parasitic costs of Windows-vulnerability botnets, blocking spam from the same, etc? Heck, “preventing Windows security problems” isn’t a monthly appeasement payment from Microsoft, it’s an entire business and professional sector.

        Google-excuse-me-Alphabet – exactly how many apps on your Android phone hoover every piece of personal data and telemetry they can get, and transmit it to some corporate network? Shoot, let’s restrict that to the ones that transmit that information without any kind of encryption that would prevent any nearby scanner from collecting and reading it?

        Facebook-excuse-me-Meta – of corporations that think civilians need to get over the idea of having privacy, how many of FemM’s apps still collect and transmit personal information/telemetry after you’ve found and enabled all of the “don’t share my info” settings available?

        And let’s not forget the entire “GPS Tracker” product category at Amazon:

        https://www.amazon.com/s?k=gps+tracker&crid=3C8901WYS96MS&sprefix=gps+tracker%2Caps%2C193&ref=nb_sb_noss_1

        surely no one has ever abused any of those before now.

        But sure.. AirTags.. THAT’S the high water mark for unacceptable intrusion of technology on personal privacy.

        How –dare– they.

        1. And then there is all the financial information we share with gusto through Google/Apple Pay! And don’t forget Google tracking your every web visit via their plethora of JavaScript APIs used by every website because they are so easy/cheap.

        2. Actually…it only really bugs me how hot my laptop runs and how little battery I get from my phone because of all this stuff. Seriously, fellows, I don’t have the petty cash to make it worth your while!

          (Well, that and the concept of “work phone” seems utterly incomprehensible to them.)

        3. Most of these abuses are committed by intelligent people who have developed specialised software and perhaps hardware to complete the offence.

          Apple had provided hardware and software that abuse by absolute dumb f..ks.

  3. Hasn’t Apple always been trying to be in control, and monitoring its customers? I’ve stayed away since the beginning. I like to modify, customize too much, to be limited to just Apple licenced parts. They also tend to be more expensive, playing on the price tag, means it’s better. Least they aren’t selling total crap, it’s just not for me.

    Since the internet, Apple became the data-miners. Mostly for marketing and product development. But it opened up a profitable side business for a lot of products and services. Their phones have had lost phone tracking for a long time. AirTags are just an extension. Any phone that’s in range reports the location… Conceptually, most people would help to find something lost. Just presumes that nobody will take advantage of the generosity of others.

    1. No they haven’t _always_ been in control, but they generally have always been expensive.
      Take the Apple ][ for instance. It cost more than a TRS-80 or PET during its heyday but it’s the only Apple product I own (and have ever owned), it being a truly innovative, honest and form-follows-function design.
      Their products may have gone down hill after that.

    2. Unfortunately the choice for phone OS’s is one of picking the lesser evil.

      For OS’s that have broad app support one can only choose between a company that lives on tracking and selling everything about its users (Google), and a company that does a lot of the same, but also gets paid for devices and content (Apple).

      While they are both motivated to ignore privacy, it seems to me that Google has every reason to get all they can, while Apple just might choose to limit the worst transgressions to protect its market presence.

      1. There are alternatives but they’re mostly hacker toys and not mainstream. Hopefully things will change, well ultimately they will change so hopefully it’s sooner rather than later.

        Personally I use Android because I can lock out Google and run my own code on the device, these things aren’t options on Apple iPhones.

  4. I have zero idea how there are enough people in the world that misplace their keys often enough to create a market for a 35$ (!) hardware device that only works in conjunction with 1000 $ phones (!) by a single manufacturer (!) and a worldwide surveillance cloud system (!) that can be used to track people without their knowledge. Nobody can tell me that even a significant part of the tags Apple sells are being used as intended.

    Orwell really was an optimist.

  5. But what is the legitimate purpose of these things? Are people actually routinely losing their keys miles away and requiring the services of strangers’ phones to locate them?

    This looks like a device that was designed to be abused with little legitimate purpose. Some of the more unusual uses people have put them to, like tracking packages across a delivery system, have been interesting but that can’t possibly be the intended role either.

    It seems like if people are going to lose their keys, the vast majority of the time they’re going to be in their own house and this extravagant tracking system will be worthless. But this is a dirt cheap way to track people.

    1. Maybe, first, link all AirTags to a specific iPhone and account, and secondly have your phone notify you if an AirTag not linked to your account remains within a set distance of you for a certain time. If it’s an AirTag in your friend’s house no problem, if it’s something that’s following you (in your car say) notify Apple (the iPhone could get the info from the AirTag without you being able to access it and send it to Apple) and they could tell its owner to stop tracking you.

      1. That is approximately how it is right now. Airtags are linked to specific Apple ID. iPhone will notify you after some time spent with an unknown airtag and allow you to disable it. Android users however are out of luck, since their phones don’t have this ability out of the box (they can download an app, but if you don’t know you are tracked, you will not download it). It is possible to track even people who do not have iPhone or even any phone. It’s other users’ iPhones who track them, when they occasionally meet in the public.

        1. Wait, what? This is not an Apple vs Android thing. This is about a normal civilian opting out of having a tracking tag placed on them. You shouldn’t need *any* kind of smartphone to opt out of being tracked. In fact, that is one of the reasons we opt out of carrying a smartphone in the first place!

          These airtags just use BLE, right? Is there a good way to detect them without using a smartphone app? Can I just use the Bluetooth on my computer? Can I use an SDR?

    2. Don’t ascribe to malice what can be plainly explained by stupidity.

      Our current society is extremely, self indulgently decadent. We will not tolerate any inconvenience. Especially not to the exertion of our brains. We truly want the gods to just tell us what we want to know and provide what we request.

    3. It only works on Apple products so personally I can’t use it even if I wanted to. If it was, I might put one in my car, on my bikes, etc, in case they get stolen. You can easily use it for tracking those items. If it had call back home features with an API, it would be cool to integrate it into Home Assistant. I wouldn’t put it on my keys though.

      I don’t think it was designed to be abused. Anything can be abused. A pencil can write a declaration of war, a car can be used to attack people, a laptop can be used to hack websites. These are personal tracking devices, designed to track things you own. They aren’t designed to track other people or other peoples property, but it’s possible.

      1. But people know when a declaration of war is being written, people know when a car is being driven “at” them and they can make informed decisions and take evasive actions. They don’t even know that they “can” be tracked with an apple product that can be hidden and even if they saw one they wouldn’t be suspicious.

  6. So according to Apple the solution for people (particularly women) who are concerned about being personally tracked by Apple devices is to go buy an Apple phone and install an Apple app to monitor Apple devices.

    Makes perfect (marketing) sense.

    Well no it doesn’t make sense as in common sense.

    What is apple going to do?

    Say “devices don’t track people, people do!” well that works for guns but hey guns are in the constitution so good luck with that Apple. Lawsuit in 3 .. 2 ..

  7. … turning all iPhone users into potential accomplices to stalkings, or worse….
    With the same frame you could state that cell phone operators or cutlery factories are accomplices of murder, etc. To be an accomplice means to actively engage in or support the activity in my dictionary. Of course stalking people has to be avoided as much as possible, but you don’t need an airtag to do so and it won’t go away if you ban airtags. If a device is more used for bad, illegal actions than for good things, you could consider banning it, but that is not the case with airtags. I use an airtag and other tracking devices in a boat that we use to clean up waterways, and that got stolen once a year ago. So I am happy that this tech exists.

    1. I had a chuckle when I read “I use an airtag ….”, no bias here lol.

      This situation reminds me of a dating site that had known sexual offenders using the site. For a premium fee they would provide “quality dating suggestions” and prevent the sexual offenders from contacting you.

      How far can you push this form of justification? Could for example Facebook ask a fee to prevent known child sexual offenders on that platform from contacting your child?

      This says a lot about moral obligations and more significantly (today) social expectations.

      This is (at least in part) about charging a fee for what reasonable people expect for free as a minimal social expectation.

      Apple realised there was a problem and took measures to protect Apple users. Anyone else can be damned. Well unless they buy an Apple phone to protect themselves from the criminal and potentially fatal abuse of Apple products.

  8. ant

    Any tracking device needs only to make your own phone scream when you get more than reasonable distance from it, no infrastructure! Works at 30 feet, 10 meters. I’d like the alert at that distance, anymore and I wonder why.

    Your tracking device cannot go beyond that distance, otherwise you are leaving it to the public sphere. This is the mess that this gets into. I have read about bike trackers for stolen bikes and this gets into public space. You’re gonna pay for it for security, monitoring, and privacy just like a phone call.

    Who? To whom, making it clear it for all. If we have to fakes here, it’s no good. Phones don’t ring when there is no “caller” or the other way around, don’t happen.

  9. Possible solutions?
    1, Put air tags in annoying epoxy blob.
    2, Detect if tag is opened and disable. And, disable if tag goes flat, requiring visit to apple to re-enable.
    3, Sample the back emf from speaker given specific inputs, if it doesn’t match the real speaker, disable it.
    4, Add an I.C. internal to speaker that has to exist for airtag to work.
    5, Require air tags to be registered with an official Id at apple store.

    1. Good ideas Matt. You provided them for free! Why didn’t the “geniuses” at Apple come up with these ideas when the airtag was being developed? The only explanation I can come up with is that it might cost them money to implement, which would piss off their shareholders.
