Third-party app allegedly outperforms Find My service by detecting the DIY device

AirTag clone bypassed Apple's tracking-protection features, claims researcher

A security researcher claims he bypassed the tracking protection features built into Apple’s Find My app and AirTag tracking devices with a custom-made AirTag clone.

Amid mounting concerns that AirTags are ripe for abuse by stalkers and other wrongdoers, the researcher said he successfully tracked an iPhone user for five days (with their consent) without triggering a single tracking notification.

Launched in April 2021, AirTags communicate with Apple’s Find My service to help users keep track of personal items such as keys, wallets, and luggage.

However, several reports of malicious misuse have surfaced, from devices planted to facilitate grand theft auto to those surreptitiously slipped into victims’ coat pockets.

‘Obvious bypass ideas’

Apple moved to address fears around unwanted tracking earlier this month by unveiling a raft of safety warning enhancements.

However, Fabian Bräunlein, co-founder of Berlin-based infosec consultancy Positive Security, said he quickly devised some “quite obvious bypass ideas for every current and upcoming protection measure”, before building an OpenHaystack-based AirTag clone to validate his hypotheses.

RECOMMENDED Jaw-dropping Coinbase security bug allowed users to steal unlimited cryptocurrency

The most common method for detecting unwanted AirTags – iPhone notifications that are triggered when AirTags are separated from their owner’s device but observed moving with another device – was readily bypassed by programming the clone “to continuously broadcast new, never-seen-before public keys”.

The clone, which had no speaker, was also undetectable by beeping alerts.

Bräunlein said Apple’s upcoming privacy changes would be similarly toothless in the face of modified or cloned AirTags. These include a new ‘Precision Finding’ function, refinements to unwanted-tracking alert logic, and use of louder audio alerts.

Third-party success

While the clone went undetected by Apple’s asset-tracking apps for the iOS and Android ecosystems – Find My and Tracker Detect, respectively – it was spotted by a third-party alternative.

AirGuard, which was developed by the Secure Mobile Networking Lab (SEEMOO) at the Technical University of Darmstadt’s computer science department, discovered the clone in ‘manual scan’ mode.

Read more of the latest IoT security news

“iOS and Tracker Detect ignore those devices since they mimic a lost iPhone,” Alexander Heinrich, SEEMOO PhD student and a security expert on the AirGuard project, told The Daily Swig.

Despite its success against Bräunlein’s AirTag imitator, AirGuard was actually designed to detect off-the-shelf devices, such as the Chipolo One Spot and modified, speaker-free AirTags, which Heinrich said are fuelling stalking.

Heinrich said SEEMOO is now working on a follow-up project. “The main issue is that a lost iPhone or a closed MacBook send exactly the same signals as such a tracker,” he said. “We want to develop [the] next version that utilizes as much information as possible to reduce possible false alarms and reliably detect malicious and modified devices.”

‘Cat and mouse’

Bräunlein told The Daily Swig that Apple could incorporate AirTag imitators into its threat model by “excluding non-genuine devices from the network” or “improving the detection logic to also detect nearby trackers”.

“The first option would seem to require major changes to the Find My protocol’s design,” he continued. “The second option would require smaller changes, but it’s likely also less effective and leads to the ‘cat and mouse game’ we know from other areas of security.”

The Daily Swig has invited Apple to comment on Bräunlein’s findings but we’ve heard nothing back so far. We will update the article should they get back to us.

DON’T FORGET TO READ MFA fatigue attacks: Users tricked into allowing device access due to overload of push notifications