When Apple released AirTag, many users raised concerns over how the tracking device could be used as a tool for stalking. So, the tech giant introduced a ton of security measures like a built-in speaker that alerts people of its presence and notifications for both iOS and Android.
Despite the tech giant regularly adding new anti-stalking features to AirTag, some sellers on eBay and Etsy started selling Silent AirTags with deactivated speakers, raising more concerns about malicious use. In response, Apple published a new article announcing several new anti-stalking features coming later this year, including Precision Finding for unknown AirTags, display alerts with sound, and more. However, this may not be enough, according to security researcher Fabian Bräunlein of Positive Security, who created a cloned AirTag that bypasses Apple’s security and privacy measures.
Researcher built a ‘stealth’ AirTag clone which can sidestep Apple’s security measures
Based on the test conducted by Bräunlein, the AirTag clone was able to track an iPhone for more than five days without triggering the notifications that are meant to inform users if they are being tracked by an unknown AirTag. Bräunlein believes the main problem lies not in the tracking device itself but in Apple’s Find My ecosystem, since Find My cannot limit its usage to genuine AirTags.
They need to take into account the threats of custom-made, potentially malicious beacons that implement the Find My protocol, or AirTags with modified hardware. With a power bank and ESP32 being cheaper than an AirTag, this might be an additional motivation for some to build a clone instead themselves.
With the system’s current design, it seems very difficult to technically distinguish one malicious AirTag clone with constant public key rotations continuously traveling with you from you passing by a few genuine AirTags in your day-to-day life.
The researcher says Apple needs to incorporate non-genuine AirTags into their threat model, thus implementing anti-stalking measures into the Find My ecosystem instead of the AirTag itself which can be a modified device or not genuine at all.
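The detection problem described above (one clone with constantly rotating public keys versus several genuine AirTags passed during the day), shown as an added example that is not from the article, Apple, or the researcher. The alert rule, its thresholds, and all sighting data are constructed assumptions, not Apple's actual logic:

```python
from collections import defaultdict

# Assumed, illustrative thresholds. Apple's real parameters are not on this page.
MIN_SIGHTINGS = 3        # sightings of one identifier needed before alerting
MIN_SPAN_MINUTES = 60    # ...and they must span at least this long


def identifier_alerts(sightings):
    """Return identifiers that a per-identifier 'traveling with you' rule flags.

    sightings: iterable of (minute, public_key_id) seen by the victim's phone.
    """
    seen = defaultdict(list)
    for minute, key_id in sightings:
        seen[key_id].append(minute)
    return {
        key_id
        for key_id, minutes in seen.items()
        if len(minutes) >= MIN_SIGHTINGS
        and max(minutes) - min(minutes) >= MIN_SPAN_MINUTES
    }


def per_key_profile(sightings):
    """Everything an identifier-based detector can observe: sightings per key."""
    counts = defaultdict(int)
    for _, key_id in sightings:
        counts[key_id] += 1
    return sorted(counts.values())


# Constructed sample data: one sighting every 30 minutes over three hours.
TIMES = range(0, 181, 30)
# A genuine tag keeps one identifier for the whole period, so it is linkable.
GENUINE_FOLLOWING = [(m, "key-A") for m in TIMES]
# One device that presents a different identifier at every sighting.
ROTATING_CLONE = [(m, f"rot-{i}") for i, m in enumerate(TIMES)]
# Seven different genuine tags, each passed once during the day.
PASSING_BY = [(m, f"stranger-{i}") for i, m in enumerate(TIMES)]

if __name__ == "__main__":
    for name, data in [("genuine following", GENUINE_FOLLOWING),
                       ("rotating clone", ROTATING_CLONE),
                       ("passing by", PASSING_BY)]:
        print(f"{name:18} alerts={identifier_alerts(data)} "
              f"profile={per_key_profile(data)}")
```

The rotating clone and the harmless passing-by case produce the same per-identifier profile, which is why the researcher argues the fix has to come from the Find My ecosystem rather than from per-device checks.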