Apple AirTags Are Being Used to Track People and Cars

This development surprises no one who has been paying attention:

Researchers now believe AirTags, which are equipped with Bluetooth technology, could be revealing a more widespread problem of tech-enabled tracking. They emit a digital signal that can be detected by devices running Apple’s mobile operating system. Those devices then report where an AirTag has last been seen. Unlike similar tracking products from competitors such as Tile, Apple added features to prevent abuse, including notifications like the one Ms. Estrada received and automatic beeping. (Tile plans to release a feature to prevent the tracking of people next year, a spokeswoman for that company said.)

[…]

A person who doesn’t own an iPhone might have a harder time detecting an unwanted AirTag. AirTags aren’t compatible with Android smartphones. Earlier this month, Apple released an Android app that can scan for AirTags—but you have to be vigilant enough to download it and proactively use it.

Apple declined to say if it was working with Google on technology that would allow Android phones to automatically detect its trackers.

People who said they have been tracked have called Apple’s safeguards insufficient. Ms. Estrada said she was notified four hours after her phone first noticed the rogue gadget. Others said it took days before they were made aware of an unknown AirTag. According to Apple, the timing of the alerts can vary depending on the iPhone’s operating system and location settings.

Posted on December 31, 2021 at 9:52 AM • 59 Comments

Comments

Gerard van Vooren December 31, 2021 10:17 AM

I wonder why Apple has to make this technology. The answer is easy to understand because it is money that they want. If you understand that then it is also easy to understand why they don’t want their technology to be compatible.

Personally I don’t use Apple. Apple was good about a decade ago, but today they are too much into their phones, and they want you to buy their things and only from their resellers. Update the hardware? No, that is not possible.

I don’t like their closed source software, just as I don’t like that of MS, Amazon or Google.

Welcome to the twenty twenties. I don’t like it. There is just way too much tracking involved.

Humdee December 31, 2021 10:45 AM

It is one more example of privatizing benefits and externalizing costs. The people who benefit from these tags are Apple customers and so Apple’s bottom line while many of the people who bear the cost of these devices have no relationship with Apple at all.

Dancing On Thin Ice December 31, 2021 11:04 AM

Much of the criticism of Airtags such as difficulty spotting their use without an iPhone also applies to other trackers including pet ones that haven’t implemented any safety features.
It sounds more like faulting Apple the company because of their name recognition.
Apple could add more safeguards such as disconnecting the speaker used to alert of their presence disables the tracker.

I find it ironic that Apple removed the slot to attach a lock to their laptops long ago.
That said, how secure are the various Airtag holders from removing the device from them if found short of smashing it?

Chris December 31, 2021 11:55 AM

It’s hard to find a good description of how Airtags work, but from PCMAG, “If AirTags are more than 30 feet from your phone, they leverage Bluetooth connections with strangers’ Apple phones to tell you where they are.” So they are hijacking other people’s networks? How is this legal? At what point did other people consent to allow public use of their Bluetooth connection? And since many Bluetooth devices eventually connect to a WiFi / internet connection, how was consent obtained to use another person’s internet? Seems like theft of service to me.

andrew December 31, 2021 1:33 PM

At what point did other people consent to allow public use of their Bluetooth connection?

When they installed the software that collects Bluetooth data to be used by others, or purchased a phone that includes such software and prevents them from running any alternate software. The downsides of relying on software one is (legally or technically) prevented from modifying are something that a small subset of people have been yelling about for like 3 decades now. Perhaps it’s time for the rest of us to pay attention.

(The same goes for people who don’t like the idea of their phones scanning for naughty images.)

I haven’t heard of anyone trying to press these specific issues legally. I’m sure there are grounds to do so in many countries. If Apple require people to agree to new terms in order to get security updates, those who decline the updates because they reject those terms are left with a product unfit for purpose; some could presumably return it for a refund. Consent to data processing would be another legal angle—people have to be allowed to refuse or withdraw such consent at any time, and a data controller cannot entirely refuse service to those who decline consent (i.e., saying one could return one’s phone for a refund would not be an acceptable legal remedy). Europeans affected by this may want to get in touch with noyb.eu.

lurker December 31, 2021 4:55 PM

@Chris

So they are hijacking other people’s networks? How is this legal? At what point did other people consent to allow public use of their Bluetooth connection?

Bluetooth promiscuity is part of the protocol. It has been well known among the tech fraternity, and the general advice was don’t run bluetooth unless you have to, then turn it off again immediately. But nowadays with the hoi polloi carting around gadgets that they don’t know or care are broadcasting from just above DC to blue light, the average user has little inkling of the difference, if any, between “sharing” and “hotspot”.

Is it legal? Does it matter if it was hidden in a click-thru EULA? Anyone brave enough to ask will be buying lunch for a lot of lawyers…

Clive Robinson December 31, 2021 5:38 PM

@ lurker,

Hmm as it’s almost the end of 2021, I should mention that over the past year I have observed that you have become a little more cynical as time progressed…

So I have to ask,

“What are your intentions for 2022?”

Are you planning on overtaking me in cynicism… if so, am I going to have to step up my game or just concede gracefully whilst I still can 😉

Go on smile, and have a happy new year, and many more to come.

@ ALL,

As for all of us, I think one of our New Year Resolutions should be to become more cynical but in a cheerful way 😉

Observe life and look for a funny side or witticism in it, there almost always is one if you look. There is building evidence from medical researchers that not only is “laughter” a useful medicine it is essential to good health and longevity. That is we spend so much time being serious if not outright miserable, not having a laugh and being cheerful it is actually making us ill, thus more susceptible to pathogens of all forms.

You might find it hard to find –for obvious reasons,– but there is evidence social media is manipulated to make you feel depressed as this actually makes it easier to manipulate you in other ways…

So a second New Years Resolution of pulling back from Social Media might help people feel happier.

But I wish you all a good New Year and many more to come, and remember, if you see someone who is short of a smile, give them one of yours, with a little luck they will pass it on, and we will all get a smile.

lurker December 31, 2021 6:04 PM

@Clive

Thank you sir, for your observation. Like many curmudgeons I get a little more cynical with each passing year. Perhaps I have always suffered fools a little less graciously than you appear to have. As for 2022, we are living in interesting times, I guess the year will bring what it may…

SpaceLifeForm December 31, 2021 6:32 PM

@ Clive, lurker

Are you planning on overtaking me in cynicism…

There is no plan. But we have you outnumbered.

Seriously though, it will get better.

July. Trust me on this.

Ted December 31, 2021 7:57 PM

@Doug Barton

Re: AirTag detection for Androids

I am specifically referencing Apple’s Tracker Detect app for Androids here. Why is this app rated so poorly on Google Play?

Also from CNET:

On Tracker Detect, you must manually scan for AirTags each time, which can be a nuisance if you’re constantly worried about being tracked.

Kind of a pain. For being a ‘helpful’ product, AirTags seem to generate a few too many uncomfortable and/or unnerving possibilities. How closely is Apple’s response to this going to track with its Apple Watch ethos?

https://www.cnet.com/google-amp/news/android-users-get-this-apple-app-if-you-dont-want-airtags-tracking-you/

SpaceLifeForm December 31, 2021 9:24 PM

@ Ted, Doug Barton

I observed that the app had a higher rating about 2 weeks ago.

If you read the comments, you can see that the shills were in full force early on.

There are other apps that can detect. On demand.

RTFM January 1, 2022 12:11 AM

@Chris

So they are hijacking other people’s networks? How is this legal? At what point did other people consent to allow public use of their Bluetooth connection?

Pretty simple, its called the Apple Find My network. Anyone that turns on Find My on their Apple device opts in to help others that have also turned on Find My in their Apple devices (opted in) to find/track their devices and vice versa.

null clam January 1, 2022 1:09 AM

@ lurker @ Clive Robinson … all

more cynical with each passing year … suffered fools a little less graciously

The received admonition is to suffer fools gladly. But that doesn’t mean you can’t head to Hacker Way 1 and hiss Zuckerberg !

All the best to all in 2022 !

Clive Robinson January 1, 2022 8:14 AM

@ SpaceLifeForm,

There is no plan. But we have you outnumbered.

What no plan!!!

Does this mean I am just as a lowly leporidae hopping and hoping to traverse a major highway at night?

Thus the uncertain fate of a probabilistic road kill in the tread of an 18wheeler driven by a caffeine and doughnut fueled, coffee filled and bladder distended Teamster heading for the next pitstop with an alacrity the laws do not allow?

Such is the fate of the everyday masses on the information super-highway, scraped up or kicked to the road side… Makes you want to become the equivalent of a goat herding hermit on some distant hill side, but the chances are some malware equivalent of a drone will head your way. For as they used to say in the adverts “just because you can” is their mantra, which brings a new meaning to “Intel inside”… Maybe they were trying to tell us something, kind of nodding yes whilst saying no 😉

Hey maybe we should make 2022 “The year of the big disconnect”…

Fazal Majid January 1, 2022 9:07 AM

Trackers have been around for ages. The hard part was connectivity to report back, usually involving some cellular data plan costing $10 a month, and correspondingly poor battery life.

The real breakthrough with AirTags is turning the swarm of all iPhone users into a giant and free network. The idea was stolen from Tile, but being built into the OS gives it a reach the Tile app could never achieve.

Amazon is trying something similar with its Echo devices, but there are orders of magnitude more iPhones than Alexa devices.

Sumadelet January 1, 2022 9:29 AM

I will wish everyone a Happy New Passing of this arbitrary point in the Earth’s orbit around the Sun. A tidier part of the chaotic interconnected jumble of facts and suppositions that makes up my consciousness wishes that the year started at the moment of the solstice (which is not the moment of the perihelion – see h++ps://www.youtube.com/watch?v=nZMMuv0Ltyo – MinutePhysics: Why December has the longest days).

Anyway, re: Bluetooth, and specifically Bluetooth Low Energy (LE). While many people are fastidious about disabling Bluetooth on their phones, it turns out that some phones still beacon using Bluetooth LE, even when ‘standard’ Bluetooth is ostensibly disabled. I noticed this while running a Bluetooth scanner on my PC. I don’t know if iPhones do this.

This behaviour underlines that software switches are easily ignored, or may not do what you expect. There’s no substitute for disconnecting power and making sure things can’t be powered by capacitance, induction or other non-battery or line-power method. Clive Robinson knows this, as I’m sure many if not most of the readers of these comments will, but citing examples is always helpful.

Ted January 1, 2022 10:11 AM

🚩Red flag? Yay or nay?

From the Apple forums:

Q:Airtag tracking

My air tag located in my car is sending a message to the wife that she is being stalked even when I am in the car with her. Can she disable this warning indefinitely rather than just a day

https://discussions.apple.com/thread/252860659

Why yes, you can turn off the Safety Alerts for the wife, indefinitely.

markc January 1, 2022 12:07 PM

@Ted
Why yes, you can turn off the Safety Alerts for the wife, indefinitely.

So, some folks hide one or two airtags in various places in their own car, the idea being that if their car is ever stolen, they can then track its whereabouts.

Your vehicle could still end up having an airtag from some criminal. Someone who wants to find where you live in the hopes of stealing your car from the driveway and selling it for the parts.

Turning off those alerts might also block notifications from such criminals’ airtags.

Ted January 1, 2022 1:15 PM

@markc

Turning off those alerts might also block notifications from such criminals’ airtags.

I like how you think. Would it? Apple says “If you don’t want to receive item safety alerts on your device, you can turn them off.”

It appears you can also pause safety alerts. If an item belongs to someone in your Family Sharing group, you can pause or turn off the safety alerts for their item indefinitely.

Are we talking features or bugs here?

https://support.apple.com/guide/iphone/if-you-find-an-unknown-item-iph2543c77d7/ios

cont.

Ted January 1, 2022 1:28 PM

cont.

AirTags are so real, they are now included in Apple’s Law Enforcement Guidelines.

I’d really like to see how this works. The US Guidelines say:

Find My connection logs are available for a period up to 25 days; and, if available, may be obtained with a subpoena or greater legal process.

And

With a serial number, Apple may be able to provide the paired account details in response to a subpoena or greater legal process. AirTag pairing history is available for a period up to 25 days.

I don’t exactly know what this means. In time, I suspect we will know more.

https://www.apple.com/legal/transparency/government-information.html

https://www.apple.com/legal/privacy/law-enforcement-guidelines-us.pdf

Clive Robinson January 1, 2022 2:13 PM

@ Ted, ALL,

With regards,

“With a serial number, Apple may be able to provide the paired account details in response to a subpoena or greater legal process. AirTag pairing history is available for a period up to 25 days.”

So Apple can say rather more to Law Enforcement than they originally implied to their customers.

Makes you wonder what else is hinky with their system.

Obviously it is possible to “clone an AirTag” which opens up some interesting tricks.

But there is also the question of if it is possible not just to “create an AirTag” look alike as far as the Apple network is concerned but also get the network to treat it as valid.

Of course top score would be for someone to entirely co-opt the network with not just a fake AirTag but a fake smart device as well…

At which point Apple would have little to tell Law Enforcement, other than the supposed location of the fake smart device, but then that could be faked as well…

K.S. January 1, 2022 2:57 PM

The only reason the use of AirTags didn’t blow up on car thieves is law enforcement incompetency. How many here think that a burner iPhone connected to a throw away account and AirTags purchased with mule/cash is being used? Sure, it’s not impossible, but the much more likely alternative is that LEO is one inquiry away to Apple to definitively identify who done it, where they were when it happened, and where and when they loaded the car into container.

Clive Robinson January 1, 2022 3:49 PM

@ Ted,

I haven’t yet seen what the tracking device was.

You may never do so.

But have a look at the photograph of the alleged killer, and try and work out how he got those “claimed” self inflicted wounds to his head and particularly the neck.

Ted January 1, 2022 3:58 PM

@Clive

Makes you wonder what else is hinky with their system.

Is Apple the same company who needs to scan all our devices and accounts for CSAM? Maybe they could work a little harder at coordinating a corporate response to the terrified victims of AirTag stalking. Just saying.

SpaceLifeForm January 1, 2022 4:23 PM

@ K.S.

I do not think it is that clear cut.

Think hinky.

Burner iPhone and Airtag, yes.

Perp that actually stole vehicle was directed to scene via non-Apple tech, say Android, or probably more likely, just face to face convo.

Perp goes to scene without phone.

Tracking who did what will be very difficult. LE is not going to be motivated when they just can argue that the owner’s insurance company will deal with it.

So, see if you can come up with clear answers to these two questions:

Is a purchaser of an Airtag responsible in any way if the Airtag is lost or stolen?

Can an Airtag be disabled logically like a cell phone can?

Ted January 1, 2022 4:48 PM

@Clive

try and work out how he got those “claimed” self inflicted wounds to his head and particularly the neck.

Failed suicide attempt? Was that your guess as well?

I think I found a video that shows the tracking device 22 yo Abigail found on her car a short time before she was killed. It looks like it was a GPS tracker, and not AirTags. But you can certainly understand the fear people feel when they find tracking devices on their cars or in their proximity.

https://www.star-telegram.com/news/local/crime/article255388546.html

Hedo January 1, 2022 5:19 PM

Happy new year to everyone!
Please do NOT trust your neighbors or ANYONE ELSE with your Wi-Fi. Do get that patch cable (Cat5e or Cat6) and disable the Wi-Fi on your laptop. That way, ONLY your government and a bunch of other private data harvesting entities (like Dell, HP, M$, Palantir, Apple, Adobe, etc., etc., etc., etc., etc., etc., etc., and to Infinity and beyond) WILL have your data without your consent, without your approval, even without your knowledge, but at least your nosy neighbors won’t have it, UNLESS SOMEONE from the LOCAL POLICE DEPARTMENT HANDS IT TO THEM like they did in MY CASE!
God bless you all!

SpaceLifeForm January 1, 2022 6:04 PM

@ Hedo

So, you never changed your WIFI SSID and password from default?

Did it ever occur to you that there may be a secret algorithm to derive the default password from the default SSID and MAC?

Set a strong passphrase on your WIFI.

Set the SSID to something like FBIVAN3.

Do not use FBIVAN2 because they are everywhere.

As far as is known, FBIVAN1 is still in the shop.

Clive Robinson January 1, 2022 6:15 PM

@ Ted,

Failed suicide attempt? Was that your guess as well?

Take a closer look, yes it looks like ligature marks, but multiple times or sawn backwards and forwards causing rope-burn. And have a look at the angle around the neck… Also it’s below the voice box…

The last time I saw marks like that was when someone had been subjected to a very illegal “restraint hold” by being forced face down on the floor and having some one kneel on their back and pull backwards with a cord, thus giving the petechial marks indicative of rope-burns.

If you tried hanging yourself the marks would be rather more “upward” close to the jaw and ears, and above the voice box. Also it would be less spread out and would leave more distinctive deep marks with less bleeding.

Also look at his eyes, do you see any hemorrhaging in them? Whilst “petechial” hemorrhaging in the eyes can be hard to see when some one has been strangled to death as they will be small, they tend to go on bleeding in the living and can be up to a couple of millimeters in diameter thus become fairly noticeable.

So my guess would be not self inflicted by trying to hang himself.

More like some form of restraint with something like a thin rope or cord, like something used on military kit-bags and similar that use “Para-cord”.

I don’t know if you saw photographs of the early days of Covid in China, some people were dragged away into detention using a pole and loop system not dissimilar to dog / wildlife capture nooses. They can leave very similar marks.

SpaceLifeForm January 1, 2022 7:43 PM

@ K.S. , Hedo, Clive, ALL

Location, location, location

https://arstechnica.com/gadgets/2012/03/anatomy-of-an-iphone-leak/

Connecting the dots

What all of this means is that there’s good reason to believe that iPhones and other Apple products—at least when compared to devices running Windows or Android—are unique in leaking MAC addresses that can uniquely identify the locations of networks you’ve connected to recently. When combined with other data often exposed by virtually all wireless devices—specifically the names of wireless networks you’ve connected to in the past—an attacker in close proximity of you can harvest this information and use it in targeted attacks.

[It’s interesting that I have yet to find an Android device (rooted or not) that allows you to connect to a WIFI AP that does not broadcast its SSID]

Ted January 1, 2022 7:58 PM

@Clive

It looks like it was self-inflicted in this guy’s case.

The detective got a judge to sign a search warrant for Szeliga’s place. At 11:30 that night, the Fort Worth SWAT team went to serve it. But Szeliga refused to come out, the affidavit states, and eventually “caused a self-inflicted wound to his neck” that required medical treatment before he was arrested.

https://www.washingtonpost.com/nation/2021/11/05/texas-stripper-murder/

I don’t know where the case is now, but I think he was locked up on a $250,000 bond. I wonder how law enforcement and/or regulators deal with unlawful tracking.

Hedo January 1, 2022 8:21 PM

@SpaceLifeForm,

I do not mean to be rude, but did I ever mention, (and if I did, please tell me where?) that I was using Wi-Fi? What I said (not in these exact words, but perhaps phrased differently), was that even though I used a patch cable, Cat5e, AND disabled the Wi-Fi on the router that separates WAN from my LAN (before doing a “flushdns” AND “ipconfig /release”) whatever reports I made to the local PD about my CRIMINAL NEIGHBORS, due to the CORRUPT NATURE of the PD (or the “connections” the CRIMINAL NEIGHBORS have to someone who had access to the emails I sent to local PD) in the end – the neighbors that I’m reporting to the PD still got ALL of it.
The moral of the story is this:

It does NOT matter how skilled I might be, but rather HOW NAIVE I WAS.
Welcome to the REALITY OF THE US of A. Do NOT TRUST TO THE POLICE!!!

Hedo January 1, 2022 8:28 PM

@SpaceLifeForm
Did it ever occur to you that there may be a secret algorithm to derive the default password from the default SSID and MAC?

Of course, and I’m also aware of the many packet sniffers out there and how they work BUT I NEVER EVER thought that ANY of my neighbors would DARE to use it on his next door neighbor (me) because WHAT IF I FIND OUT?

My father ALWAYS said: “Do NOT shit where you eat”! If you catch my drift.

ResearcherZero January 2, 2022 1:01 AM

@Hedo

Just use a very, very long password, and then laugh at people parked outside in their cars trying to crack that password. If you turn off all the services on the router that are not needed and keep the firmware up to date you should be fine.

SpaceLifeForm January 2, 2022 2:27 AM

@ Hedo

I do not mean to be rude, but did I ever mention, (and if I did, please tell me where?) that I was using Wi-Fi?

You clearly implied that.

https://www.schneier.com/blog/archives/2021/12/apple-airtags-are-being-used-to-track-people-and-cars.html/#comment-397912

Please do NOT trust your neighbors or ANYONE ELSE with your Wi-Fi.

If you disabled your Wi-FI, why did you mention it?

Or, did you just mean you disabled WIFI on laptop, but neglected to secure your router?

Did you disable uPNP on your router?

Is ipv6 disabled on your router?

Since you are using Windows, you better check on those two things.

SpaceLifeForm January 2, 2022 4:34 AM

@ Hedo, Clive, name.withheld.for.obvious.reasons, ALL

Universal Plug and Pray

Check out grc.com and click on the Shields Up.

I can not provide a direct link because it does not work that way.

For security reasons.

Definitely run the Universal Plug n’Play (UPnP) Internet Exposure Test.

Then, you may also want to read:

https://www.helpnetsecurity.com/2020/06/09/cve-2020-12695/

https://blog.talosintelligence.com/2019/03/ipv6-unmasking-via-upnp.html

I’m still thinking on this, but I suspect this is much worse than Log4j.

lurker January 2, 2022 11:52 AM

@SpaceLifeForm

First rule of the internet:

from all, to all: deny

What happens after that is on your own dime.

Ted January 2, 2022 10:31 PM

‘Man finds Apple AirTag tracker on his Dodge Charger’

https://www.fox2detroit.com/news/man-finds-apple-air-tag-tracker-on-his-dodge-charger.amp

https://youtu.be/vyk65zfWMG8

A local auto theft task force tells FOX 2 they’re seeing more cases like these in Metro Detroit. Thieves track the target vehicle and to pick the most opportune time to steal – found mostly on Dodge products, parked in mall parking lots.

This bit of high-tech theft has also been reported out of Austin Texas after an Apple AirTag was discovered between the passenger seat and the center console.

[…] John has a police report made with the Novi Police Department, which has the tracker, so hopefully they can track whoever did this.

It’s not just AirTag owners who have to be worried about the security of their devices, it’s everyone else too.

Clive Robinson January 3, 2022 5:42 AM

@ Ted, ALL,

Have a think about what this means,

“This bit of high-tech theft has also been reported out of Austin Texas after an Apple AirTag was discovered between the passenger seat and the center console.”

At the very least it means,

1, The “owner” of the AirTag was in the vehicle.

But it also means,

2, The AirTag was not retrievable except by entering the vehicle again.

Which means with high probability the AirTag will “alarm” before it can be retrieved…

Which makes me think “jealous partner” or possibly work place related “stalker” more than vehicle “thief”.

If you were a half way sensible thief, you would glue the airtag to a magnet and tuck it under the bumper or similar on the outside of the vehicle, so you could not just place but retrieve it quickly and easily at any time.

Then when the vehicle has ended up at the same place a couple of times go check it out. If it looks like it’s the owners residence take the tag off and go tag another vehicle. Rinse wash and repeat.

Do it using a phone / tag you got from a pawn brokers or similar and pay cash.

Then after collecting a number of potential targets go flog the phone through another pawn brokers and leave the tag in a taxi cab or some such. Then wait a while before going and actually stealing the cars.

Oh remember technology is designed to spy on you at all times in all places as there is money in “big data” from collect it all… So never use the phone anywhere near close to home or other places you frequent. Keep it turned off in a RF proof bag etc Oh and do not what ever you do use it in or close to a car you own or use from time to time, remember phones log and report back to the mothership all WiFi and Bluetooth signals as part of their location tracking, and modern cars have both… Likewise keep the AirTag away from you go hide it in a phone box or under a street seat, junction box in a carpark or similar where there is no CCTV etc when you are not using it.

In all honesty though, this use for theft was a short term use for any kind of tag technology. Those that did it probably did not take sufficient precautions. Thus tucked away in “third party records” at Apple or other places is probably sufficient evidence to identify a thief uniquely, all that is required is someone to “join the dots” now or at some point in the future. Which with sufficient publicity may well happen more quickly than expected.

Vehicle thieves are generally not the smartest crooks in the book as they have too much contact with what they steal, thus have a way higher risk of being caught with the evidence…

Ted January 3, 2022 7:55 AM

@Clive

It looks like the AirTag found in the truck in Austin, Texas may have been put there by people who stole the truck, sold it, and then planned to steal it back.

The rightful owners were able to pick up their truck, and the man who found the AirTag may be out his $800 down payment.

https://www.fox7austin.com/news/discovery-of-airtag-tracking-device-prevents-double-theft-of-truck

https://youtu.be/84dbJ1cD2Do

What do you think about the Open Haystack protocol that supposedly allows other Bluetooth devices to participate in Apple’s Find My network?

One of Open Haystack’s developers is tweeting about a new app called AirGuard.

The app periodically scans your surroundings for potential tracking devices, like AirTags or other Find My devices.

Do you think this would allow someone to find Bluetooth trackers for things like keys? You’d think people who are genuinely using these devices for their intended purpose would want to know about that too.

https://github.com/seemoo-lab/openhaystack

https://twitter.com/sn0wfreeze/status/1437345998796464130

Clive Robinson January 3, 2022 8:17 PM

@ SpaceLifeForm, Ted, ALL,

Think outside the box. Connect dots.

Some I already have…

It’s why I believe a “second market” product is needed that immediately indicates if there is any kind of Tag in the vicinity, and it has some kind of logging and reporting mechanism.

For instance, if you are part of a “close protection detail” knowing about a Tag just appearing without a corresponding item or person that has been verified would be very useful to know.

Because it is rare for those wanting to take active interest in an asset to not do reconnaissance. Thus they might well use tags or similar to do what used to be done by the Mk1 eyeball.

In the past just sweeping with a 0.1-6000MHz spectrum analyser or what used to be called a “crystal receiver” used to be sufficient to pick up EM radiation… These days things are a lot more difficult.
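As an added illustration of the kind of tag logging and reporting discussed in this thread (not part of any comment, and not AirGuard's or Apple's code): a small detector that runs over a constructed log of BLE advertisements and reports unknown Find My frames that stay with the scanner across several places. The frame layout (Apple company ID 0x004C, type 0x12, length 0x19) is taken from published reverse-engineering of Find My and is an assumption here; the `Sighting` record, place labels and thresholds are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass

APPLE_COMPANY_ID = 0x004C      # Bluetooth SIG company identifier for Apple
OF_TYPE, OF_LEN = 0x12, 0x19   # assumed "offline finding" type and payload length


@dataclass(frozen=True)
class Sighting:
    ts: int       # seconds since the start of the log
    addr: str     # advertiser address as seen by the scanner
    place: str    # coarse label for where the scanner was (hypothetical)
    mfr: bytes    # manufacturer-specific data, starting with the company ID


def is_find_my_frame(mfr):
    """True if the manufacturer data looks like a Find My offline-finding frame."""
    if len(mfr) != 4 + OF_LEN:
        return False
    company = int.from_bytes(mfr[:2], "little")
    return company == APPLE_COMPANY_ID and mfr[2] == OF_TYPE and mfr[3] == OF_LEN


def find_followers(sightings, known=frozenset(), min_places=3, min_span=1800):
    """Report unknown tags seen in >= min_places places over >= min_span seconds.

    Assumes the tag's address is stable for the length of the log; real
    trackers rotate addresses, so a long log needs a shorter window.
    """
    seen = defaultdict(list)
    for s in sightings:
        if s.addr in known or not is_find_my_frame(s.mfr):
            continue  # skip the user's own tags and unrelated BLE traffic
        seen[s.addr].append(s)

    report = []
    for addr, hits in seen.items():
        places = {h.place for h in hits}
        span = max(h.ts for h in hits) - min(h.ts for h in hits)
        if len(places) >= min_places and span >= min_span:
            report.append({"addr": addr, "places": sorted(places),
                           "span_s": span, "sightings": len(hits)})
    return sorted(report, key=lambda r: r["addr"])


def _frame(type_byte=OF_TYPE):
    """Build a constructed 29-byte frame; the key bytes are zero filler."""
    return bytes([0x4C, 0x00, type_byte, OF_LEN]) + bytes(OF_LEN)


# Constructed sample log: addresses, places and times are made up.
SAMPLE = [
    Sighting(0,    "AA:00:00:00:00:01", "home",   _frame()),
    Sighting(3600, "AA:00:00:00:00:01", "office", _frame()),
    Sighting(9000, "AA:00:00:00:00:01", "gym",    _frame()),
    Sighting(4000, "BB:00:00:00:00:02", "cafe",   _frame()),      # seen once
    Sighting(0,    "CC:00:00:00:00:03", "home",   _frame()),      # user's own tag
    Sighting(3600, "CC:00:00:00:00:03", "office", _frame()),
    Sighting(9000, "CC:00:00:00:00:03", "gym",    _frame()),
    Sighting(0,    "DD:00:00:00:00:04", "home",   _frame(0x10)),  # other Apple frame
    Sighting(3600, "DD:00:00:00:00:04", "office", _frame(0x10)),
    Sighting(9000, "DD:00:00:00:00:04", "gym",    _frame(0x10)),
    Sighting(3600, "EE:00:00:00:00:05", "office", _frame()),      # brief overlap
    Sighting(3700, "EE:00:00:00:00:05", "street", _frame()),
    Sighting(4000, "EE:00:00:00:00:05", "cafe",   _frame()),
]

if __name__ == "__main__":
    for row in find_followers(SAMPLE, known={"CC:00:00:00:00:03"}):
        print(row)
```

The time-span threshold is what separates a tag that travels with you from a stranger's tag that shares a few minutes of your route; the allowlist keeps a household's own tags out of the report.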

Ted January 3, 2022 9:59 PM

@SpaceLifeForm, Clive, ALL

Think outside the box.

I think Uber and Lyft would do well to consult with lawyers on this. In a free market newly shimmering with tracking devices, they’d be prudent to know their liabilities regarding passenger, driver, and vehicle safety.

Maybe they’d be wise to update policies, training, and other safeguards?

@SpaceLifeForm what’s your thinking outside the box on this?

Also with regards to the AirGuard app, do you think users can see all the devices the app has seen?

  • AirGuard keeps a local history of all devices

https://twitter.com/airguardandroid/status/1470756120247558146

SpaceLifeForm January 3, 2022 10:00 PM

@ Ted, Clive, ALL

Think of an Airtag as a Meet-in-the-Middle.

OK, not exactly in the middle, it was on one side of the console. Close enough.

Driver and passenger both have iPhones.

SpaceLifeForm January 4, 2022 6:10 PM

@ Ted, Clive, ALL

Also with regards to the AirGuard app, do you think users can see all the devices the app has seen?

Wrong question.

The question should be:

Does the app report to a mothership?

Disable BT on your phone when traveling or when you are travelling. Which you should do anyway, as even hands-free phone conversations are still a distraction. Safety reasons.

If the app reports beacons spotted, along with timestamps, and the beacons are at known fixed locations, then the app and the mothership are tracking your phone, and therefore probably you.

A planted Airtag is not needed if you are carrying a phone with BT enabled and have an app installed that has internet permission.

Be outside this box. Disable BT unless you absolutely, positively need to use.

lurker January 4, 2022 6:44 PM

@SpaceLifeForm

Disable BT unless you absolutely, positively need to use.

Excellent advice, as I gave @Chris in comment #397854 above. But how do you turn it off? Use the software “switch” on the panel? And when that is “off” what is the background status of BTLE? As @Clive observed, even with a spectrum analyser these days you can’t tell signal from noise.

tcpdump run thru a filter might catch things, but post-facto. And the setup difficulty for an average user would be infeasible.

SpaceLifeForm January 4, 2022 9:14 PM

@ lurker

You pay for the service, while you are the product. What a deal, eh?

You pay for the service so you can leak your own PII. What a deal!

As far as is known, to properly secure a cellphone, you must encase it in concrete, and then drop it in the Mariana Trench.

That is pure rumour.

If recovered, the NAND Flash has never lost a bit.

Ted January 4, 2022 9:17 PM

@SpaceLifeForm, Clive, ALL

Does the app report to a mothership?

That’s a good question. At this point, I don’t know who has vetted the code or what it can do.

Here’s AirGuard on Google Play:

https://play.google.com/store/apps/details?id=de.seemoo.at_tracking_detection.release

They say “All this happens locally on your device and the private information, like location, tracker ids, etc will never leave your device.”

But I’m not putting money on this as being the first secure or unassailable piece of software in the world.

I guess my original question was if AirGuard or its underlying protocol can ‘hunt’ for AirTags? If so, could they discover AirTags attached to private items like other people’s keys or wallets – things people don’t want them to find?

Maybe what you guys are saying is that there are ways to search for any device emitting a signal. This whole thing seems like it could get messy.

Clive Robinson January 4, 2022 10:41 PM

@ Ted, lurker, SpaceLifeForm, ALL,

That’s a good question. At this point, I don’t know who has vetted the code or what it can do.

One problem is that the “vetting” is,

1, Only of the App.
2, Marks an end point in time.

That is, the vetting in theory acts as an ‘end marker’ for only the application therefore is immediately invalid at best. Because you have to also consider the phone hardware, its drivers, the OS and other applications on the “smart bit”. But… the “smart bit” is subservient to the air interface, which in turn is subservient to the SIM 100% controlled by your network provider (who is actually controlled by companies that lease the infrastructure to them).

So unless you take certain steps… you have absolutely no idea what is being done with that “logged data” in either Core RAM or Filesystem.

Unfortunately you can not take those steps as,

“You don’t own the phone, the manufacturers of the SoC devices used by the phone manufacturers, along with the developers of the drivers, OS, and other Apps own the smart device, but that is all subservient by law to others you have no idea who they are.”

So the reality is “vetting” applications is not going to get you anything. Likewise the code signing used by the OS “Walled Gardens” gives zero security, but does make a handsome profit.

The only place you can add any security functionality –if you can actually get at it–, is the “modem interface” to the baseband Radio Module, and the reality is that does not get you very much (think the equivalent of early AV software on a home PC).

Clive Robinson January 4, 2022 11:34 PM

@ Ted,

I guess my original question was if AirGuard or its underlying protocol can ‘hunt’ for AirTags? If so, could they discover AirTags attached to private items like other people’s keys or wallets – things people don’t want them to find?

Remember we are talking about “intentional EM emissions” via “standard methods” like Bluetooth that “have been published” (not sure about their UWB transmissions though, they probably have implicit LPI due to the spreading function).

So in theory I can take a “Software Defined Radio”(SDR) connect it to a computer running the likes of GNU-Radio, and make a fully standards compliant receiver to get the “baseband data”. If this receiver is in range then the signals will be picked up so tags adjacent to it will be seen.

But… if the baseband data is not secure in terms of data or meta-data then other software may give full functionality.

Even if the baseband data content is secure, it’s a “broadcast system” which means that all the “approved receivers” will have the likes of the “Key Material”(KeyMat) and protocols built in. Which can probably be “reverse engineered” out sufficiently to enable meaningful information to be acquired.

JonKnowsNothing January 5, 2022 1:55 AM

@lurker, @SpaceLifeForm, @All

re:


SLF: Disable BT unless you absolutely, positively need to use.

L: But how do you turn it off? [completely]

Note: all the standard disclaimers about LED or Button Status messages are not always the correct device state. Otherwise known as OFF is NOT Off.

On my old iPhone there are 2 Bluetooth settings.

1) on the swipe up option menu. A button toggle that turns off BT for 24 Hours and then turns it back on. It doesn’t really tell you that it’s going to reconnect automagically, unless you are paying strict attention. This setting is similar to the Airplane Mode option designed for short term BT blackout.

2) on the Settings and Options menu. This is a Slider ON/OFF which is supposed to turn off BT and it is supposed to stay off.

Does it really stay off? Prolly not, but when I have the rare occasion to drive my car, the car BT system indicates No BT Signal.

Buying a $30,000USD car to test the state of your BT setting is not really economical, but if you have access to a car with a BT system, you can try fiddling the switches to see if the car drops the signal.

As noted above, just because the car cannot find the BT signal doesn’t mean the BT signal is truly in an off-inactive-dead state. It just means the car likely needs a SW Update so that it can Quiet-Mode-Find the BT signal even when there isn’t supposed to be one.

Another place you can test your BT connection is in the Market (1). Markets and malls have oodles of BT trackers everywhere but the Market is the easiest place to see them in action. A good number of “proximity” detector coupon dispensers may use any of a pile of proximity detectors to start up their blab-about-it ad and offer you a QR scan code for your phone that gives you an enticing 10 cents off per package (must buy 3) (2). You can hover near one and see what it picks up from your phone.

Also the Aisle End Cap area is a ripe spot for BT interceptions.

That might be the next Pokemon style craze game: Turning on-off proximity and BT detectors in quick succession. The guys on the data feed will be going for the acid reflux tabs as they watch their devices ping-pong status. The store folks will be oblivious to this because the machines belong to an outsourced company, often connected to the product on offer and not to the store.

===
1) Due to COVID-19 I do indirect marketing: Trunk Drop.

2) Due to COVID-19 I find my food budget a wee-bit-stretched and 10 cents off may be very enticing. ymmv

SpaceLifeForm January 5, 2022 3:55 AM

@ JonKnowsNothing

That might be the next Pokemon style craze game: Turning on-off proximity and BT detectors in quick succession.

That is seriously fine BOFH thinking. Well played sir.

SpaceLifeForm January 5, 2022 6:05 PM

@ Hedo

Did you properly secure your router yet?

Did you Factory Reset your Windows laptop yet?

Did you do both while offline?

If not, start over.
