Did Apple just release a surveillance product for everyone?

With the iPhone, Apple put the internet in everyone’s pocket. With the release of the AirTag, have they just done the same for surveillance?

The AirTag is a tracking device that can be attached to something or someone. When the AirTag is not in Bluetooth range of its paired iPhone it uses the Find My network of around one billion devices to relay a message back to the owner. iOS devices can detect if an AirTag is not with its owner and notify the user if an unknown AirTag appears to be moving with them (Apple 2021). If the AirTag is separated from its owner for an extended period, then it will use a built-in speaker to make a sound (Hardwick 2021).

It is small, light, has a long battery life and can be tracked anywhere without an onboard GPS. These are all desirable features but also map directly to possible threats and misuse cases detailed below.

[Screenshot (22 October 2021): table of the threats and misuse cases referred to above, with the recommended controls]

Apart from the threat of tracking a particular AirTag over time, implementing the recommended controls would eliminate the associated risk.

OpenHaystack is a framework for tracking a Bluetooth device, such as an ESP32, using the Find My network. The authors reverse engineered the Find My network. It uses a macOS application that inherits Apple Mail’s entitlements to download location reports from Apple’s servers via a private API, together with a firmware image for the Bluetooth device (Heinrich & Stute 2021). The ESP32 firmware and its BLE message do not include the bytes used for the stalking notification, nor does the device emit a sound (Heinrich & Stute 2021). This circumvents the anti-stalking measures implemented in AirTags.


References

Apple 2021, ‘Apple introduces AirTag’, press release, accessed 23 April 2021, <https://www.apple.com/newsroom/2021/04/apple-introduces-airtag/>

Hardwick, T. 2021, ‘AirTags Separated From Owners for Three Days or More Play Audible Sound When Moved’, MacRumors, accessed 21 April 2021, <https://www.macrumors.com/2021/04/21/airtags-play-sound-after-three-days/>

Heinrich, A. & Stute, M. 2021, OpenHaystack, accessed 22 April 2021, <https://github.com/seemoo-lab/openhaystack>

Heinrich, A., Stute, M., Kornhuber, T. & Hollick, M. 2021, ‘Who Can Find My Devices? Security and Privacy of Apple’s Crowd-Sourced Bluetooth Location Tracking System’, accessed 22 April 2021, <https://arxiv.org/pdf/2103.02282.pdf>