A security researcher has found another creepy and potentially dangerous way to use AirTags, Apple’s new small tracking devices, to stalk people and figure out when a house, apartment, or office is empty.
Apple is marketing the AirTag, a 1.26-inch Bluetooth-enabled Apple-branded button, as the most secure and reliable way to track whatever object you don’t want to lose, such as a backpack, keys, a purse, a wallet, or even a pet.
Videos by VICE
Privacy activists have already sounded the alarm about the AirTag’s potential to be used as a stalking device. Lukasz Krol, a digital security specialist with Internews, has now found another way to misuse them.
By design, an AirTag updates its owner of its position and the last time it transmitted their position via the iPhone Find My app. In practice, that means an AirTag tells its owner when there’s a nearby iPhone, which it piggybacks to report its position. The AirTag interface looks like this:
The owner of an AirTag can infer based on this interface the last time their AirTag was near an iPhone. Because iPhones often travel with their owners basically everywhere, the absence of an iPhone at a location could suggest that there are no people around, and shows not only the comings and goings of people but also how long they have been away.
That means that if someone leaves an AirTag near a house that’s relatively isolated—meaning there aren’t a lot of iPhones around—the owner of the AirTag could figure out when nobody’s home. This obviously only works if you know that the residents of a house are all iPhone users.
In a blog post which he published Monday but shared with Motherboard in advance, Krol explained how he tested out his hypothesis. He said he left an AirTag at a friend’s house, which is far enough from other houses so that the AirTag wouldn’t ping other iPhones. When his friend was home, the AirTag reported its position. When there was nobody home, the AirTag wouldn’t send a beacon at all.
“Stationary AirTags, if located cleverly, can give away a lot of data about the movements of iPhone owners,” Krol told Motherboard in an online chat. “Not only this, but they can do so while looking totally innocuous and providing lots of plausible deniability as well.”
By that Krol means that once they become ubiquitous, it won’t be hard for someone with ill intentions to leave an AirTag in a place of interest and pretend it was a mistake.
Krol said that there are some simple ways for Apple to mitigate these risks. The company could decide not to display the precise time when an AirTag updated its position, or replace the phrase “last updated” with “last moved,” or obfuscate the last moved times.
Do you research vulnerabilities on Apple’s products? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com
As another example, Krol said that he was renting an Airbnb in Kraków. He left an AirTag in the apartment, then went for a walk, and saw immediately that the AirTag was updating its position through the neighbor’s iPhone, thus inferring that someone was home in the apartment next door.
Obviously, these risks are mitigated in densely populated cities, where there might be a lot of iPhones, making it hard to figure out when an apartment is actually empty, Krol explained.
Apple did not respond to a request for comment.
In just a couple of weeks since their release to the public, several security researchers and hackers have found security and privacy issues with AirTags.
Albert Fox Cahn, the founder and executive director of the Surveillance Technology Oversight Project (STOP), and Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and one of the world’s foremost experts in stalkerware, argued that AirTags are “a gift to stalkers” as they can be easily hidden in someone car or bag and used to track them anywhere they go.
Crucially, as The Washington Post reported, the anti-stalking measures that Apple has put in place are not enough to stop this threat. AirTags are programmed to sound an alarm if they are separated from their owner’s iPhone for more than three days, which in theory could alert someone who is being stalked that there’s an hidden AirTag nearby. But “the audible alarm only rang after three days—and then it turned out to be just 15 seconds of light chirping,” as the Post‘s Geoffrey A. Fowler wrote. The other anti-stalking feature devised by Apple is to make an iPhone alert its owner if an unknown AirTag has been traveling with it. But of course this won’t help the millions of people who use Android phones.
Thomas Roth, an hardware hacker who goes by Stacksmashing online, tore an AirTag apart, jailbroke it, and was able to make it Rickroll a nearby iPhone. Roth believes that it may be possible to abuse the accelerometer and turn the AirTag into a listening device. Fabian Braunlein, a security researcher at Positive Security, was able to force an AirTag to to broadcast arbitrary data to nearby Apple devices via the Find My protocol.
These may all be growing pains of a new product. But the ball is now in Apple’s court to make some small, but crucial changes to its new gadget.
Subscribe to our cybersecurity podcast CYBER, here.