Unpatched flaw 'weaponises' Apple AirTags to turn them into the phisherman's friend

Apple has been accused of ignoring a vulnerability in the Lost Mode functionality of its AirTags location-tracking accessories which would allow an attacker to seed "weaponised AirTags" for harvesting the iCloud credentials of anyone who finds them. Launched back in April, AirTags are compact battery-powered devices you stick …

  1. Throatwarbler Mangrove Silver badge
    FAIL

    "We did not copy Tile"

    This is true. Tile is cross-platform, while AirTags only work on iProducts. Of course, the iSheep have eaten it up, to the point that a fanboi confidently if baselessly told me that AirTags were more popular than Tiles. For my part, not being an Apple user, I had never even heard of AirTags.

    1. DJV Silver badge

      Re: "a fanboi confidently if baselessly told me"

      Maybe we should carry around stickers that say "citation required" when confronted by such fanbois. The stickers need to be big enough to fit over their mouths and be quite difficult to remove.

    2. The Man Who Fell To Earth Silver badge
      Black Helicopters

      Re: "We did not copy Tile"

      They also didn't copy Tile in that when anyone reports an AirTag lost, all iPhones are sensitized to that fact and will report the lost tag to the iNetwork if they come within range of it. As far as I know, iPhone users can't opt their phones out of being part of the network.

      1. DS999 Silver badge

        Re: "We did not copy Tile"

        There's no privacy implication - if you walk by my lost AirTag with your iPhone all I get is a report of its location, which comes to me from Apple not directly from your phone. So it doesn't leak any personal information or allow me to determine your location (only that 'someone with an iPhone was near this spot at some point'), so why would you want to opt out of being part of that? Just on the "I don't care about anyone but myself" principle?

        1. yetanotheraoc Silver badge

          Re: "We did not copy Tile"

          "why would you want to opt out of being part of that?"

          For the same reason I want to opt out of scanning my photos for child porn, for the same reason I want to opt out of sharing my wifi with nearby strangers, for the same reason I want to opt out of all this Apple shit. It's not the privacy implications, it's that it *should be* my phone, my cpu, my data plan, my battery, and all such uses should be *opt in*. If in your mind that translates to "I don't care about anyone but myself", then you can just fuck off as well. Put me down as selfish *and* antisocial.

          As an aside, I've been looking into 4G feature phones; it seems all the models available in the USA are just a dumbed-down Android smartphone, except the "independent" KaiOS which has the Google spyware added as well.

        2. bazza Silver badge

          Re: "We did not copy Tile"

          These things should be opt in, from an anti-trust point of view. Apple is leveraging its exclusive control of its very large platform to grow a business in a way that a competitor isn't able to compete against. Google are doing the same thing too.

        3. Irongut Silver badge

          Re: "We did not copy Tile"

          > 'someone with an iPhone was near this spot at some point'

          Which is very useful info if I'm looking to mug people who own iPhones.

          Two seconds it took me to think of that nefarious usage, I'm sure if I spent some time thinking about it I could come up with many more.

      2. doublelayer Silver badge

        Re: "We did not copy Tile"

        "As far as I know, iPhone users can't opt their phones out of being part of the network."

        If they fix this flaw, I don't think there are many problems being part of the network. If you still want to opt out, Settings -> Apple ID (at the top) -> Find My -> Find My iPhone -> Find My Network -> switch to off. At least that's the path on iOS 14. I don't know if it has changed with iOS 15. It means you can't use the network yourself and you won't be part of it for others.

        1. Fred Flintstone Gold badge

          Re: "We did not copy Tile"

          Yup, it's in the exact same place in iOS 15.1 (downloaded that yesterday).

    3. Anonymous Coward
      Anonymous Coward

      Re: "We did not copy Tile"

      It's also true in that Apple at least tries to address the privacy issue whereas the Tile app uses literally every trick in the book (or iOS) to stay running, even if you don't want it to. I am hard pressed to find any other app that is simultaneously so invasive and so dismissive of your rights to privacy. Also, you can re-assign an airtag to someone else (i.e. sell them), something that Tile has made as impossible as they can manage.

      In short, Tile left a massive hole in the market, and Apple gratefully took advantage of it. I've been experimenting with a set for months now, and it's actually quite impressive how well they work compared to Tiles. So, you're welcome to Tiles - I'll stick to Airtags despite their stupid shape (their only real negative point IMHO).

      1. Brewster's Angle Grinder Silver badge

        Re: "We did not copy Tile"

        "...Tile app uses literally every trick in the book (or iOS) to stay running..."

        I know nothing about either, but do you not think Apple have a slight advantage? They can bake the function into the OS. But they won't let Tile install a kernel driver; they have to write a user mode app and are stuck with hacks.

      2. doublelayer Silver badge

        Re: "We did not copy Tile"

        "the Tile app uses literally every trick in the book (or iOS) to stay running, even if you don't want it to."

        I need some help here. If you've installed the Tile app so you can track things like your phone from a unit or participate in the network, why don't you want it to run? That renders both functions useless, and if you didn't want them, you could turn them off. Apple, meanwhile, supports both things because they have their app running all the time, which they can do without hacking because their hacks are written directly into IOS. How is that any different?

        When you say that Tile left a hole in the market, what exactly is that hole? The only difference I can see is that Apple's can use UWB which makes them easier to find if close to them, but Tile didn't leave that open, Apple forbade them from using that functionality despite Tile requesting it and protesting the double standard. If that's not the hole you saw, what is?

        I don't use either, so you are probably right about reselling them (though they're cheap enough that I don't know how often you would try).

        1. Anonymous Coward
          Anonymous Coward

          Re: "We did not copy Tile"

          I only want Tile to track items nearby, setting off a beep when I cannot find them. I do not want the rest (which, by the way, costs extra), nor do I want a company that basically is trying its level best to have its app approach virus-like behaviour tracking me.

          I have a reasonable degree of confidence that at Apple there is at least some control over that information, but I actually read Terms and Privacy Statements and Tile's are far from benign. It's almost as if Facebook's lawyer has written them.

          Last but not least, it is hard to reset a Tile so as to sell it to someone else, so all in all they can take a hike as far as I'm concerned.

    4. Anonymous Coward
      Anonymous Coward

      Re: "We did not copy Tile"

      @Throatwarbler Mangrove

      Hmmm, "isheep". That's original. Not. How can I be a sheep when I do not follow the herd? (see handle)

      Any herd of Mac users or indeed Windows users on this site seems to pale into insignificance compared to the number of Linux users. And the only way I refer to them is Windows/Linux users. Nothing else. Easy, simple and doesn't turn civilised argument into a childish slagging match.

      By the way, I have never heard of AirTags either.

  2. Borg.King
    Facepalm

    Save $29.99

    And stick a label with your phone number onto the item you're wanting someone else to recover for you.

    1. Gene Cash Silver badge

      Re: Save $29.99

      Which does not work.

      I have tags on my keys with both my phone number and email address and never gotten a notification the 5 or 6 times I've left them somewhere over the past couple years.

      1. This post has been deleted by its author

      2. This post has been deleted by its author

      3. This post has been deleted by its author

      4. big_D

        Re: Save $29.99

        AirTags won't change human behaviour either. That will just be an additional $29.99 you lose, next time you leave your keys somewhere...

        1. Anonymous Coward
          Anonymous Coward

          Re: Save $29.99

          Not quite.

          Apart from all the mad experiments you can find on YouTube where people with clearly too much money have been sending them everywhere and tracking them (North Korea? Really?), I have also bought one pack of four myself and stuck them into some things when I was travelling.

          The features that Tile wants a lot of extra money for, like alerting you if a tag leaves your vicinity, are standard with AirTags, and after travelling to five different countries in the last month (busy setting up a few things), amongst which places that I didn't think would have the infrastructure, I can confirm that this stuff works, amazingly so.

          I'm about to buy another pack of four now to stick in my camera flight cases - they work. I just wish they beeped a lot louder. I need a few with the equivalent of a car horn attached :)

      5. Anonymous Coward
        Anonymous Coward

        Re: Save $29.99

        I have - once, in London. As a matter of fact, they contacted me before I even realised my keys had dropped out of my pocket so I cannot claim it doesn't work.

        But then I bought a better key holder.

    2. DS999 Silver badge

      Re: Save $29.99

      You don't understand how they work at all if you think that's even remotely equivalent.

    3. Mike 16

      Re: Save $29.99

      Brings back memories...

      Hotel keys with a fob with the hotel name and room number, along with a request to

      "If found, drop in any post-box to return to the hotel", or maybe just rob that hotel room while you are reasonably sure that the person who dropped that key in the casino parking lot will be gone for a while.

      Or how about the states that required the registration card for a vehicle to be visible from outside the car, for the convenience of police finding abandoned or illegally parked cars, or for the convenience of folks wandering airport parking noting the addresses associated with suitable cars, then burglarizing that home? One had to hit the sweet spot between "car so crappy, house not worth robbing" and "If the dude can afford this ride, probably has fancy security, maybe even 24/7 armed response".

  3. astfgl
    Devil

    Stop educating the sheeple

    Shush, I'm using that flock as a distributed GPS tracking network for my mobile assets. Total outlay was a 4 pack of tags and a secondhand Air 4. No ongoing costs except a few CR2032 batteries every year or so.

    Way more people have iThings with location and BT turned on by default, than have the Tile app installed and active.

    1. Throatwarbler Mangrove Silver badge
      FAIL

      Re: Stop educating the sheeple

      "Way more people have iThings with location and BT turned on by default, than have the Tile app installed and active."

      [Citation needed]

      1. Anonymous Coward
        Anonymous Coward

        Re: Stop educating the sheeple

        Why? I have both Tiles and AirTags, and it's demonstrably true. Just stick both in your luggage when you travel and see which one gets more frequent updates. Internationally, it's the AirTag by a massive margin, where you can even see your luggage approach the plane you just boarded.

        Given the massive privacy problems of Tiles and the amount of tricks the app uses to stay live (at a level approaching malware), Tiles are history as far as I'm concerned - also because the search facility will cost a lot extra whereas it's built into the Apple ecosystem at no extra charge.

      2. astfgl
        Coat

        Re: Stop educating the sheeple

        The Play Store lists the Tile app as having between 5 and 10 million installs. Let's be generous and add double that maximum number as the iOS installs. Tile and its partners have sold around 35 million devices. Again, let's be generous and say that no-one bought more than one Tile and every single owner installed the app, which makes those numbers come close to equal. Of course, no Tiles failed and no-one uninstalled the app, or failed to reinstall it on a replacement phone, and no one disabled BT or location access.

        35 million iOS/Android devices available for Tile tracking.

        Currently there are around 1 billion active iPhones, plus a couple of hundred million iPads. Let's be generous and say that half the owners are security conscious Reg readers and have turned off BT and location access, or do not have mobile data enabled.

        600 million iThings available for AirTag tracking.

        I've skewed those numbers wildly in favor of the Tiles, but I was making a point.

        Some references:

        https://www.cnbc.com/2021/04/27/apple-airtags-versus-tile-tracker-how-they-compare.html

        https://9to5mac.com/2020/01/28/apple-hits-1-5-billion-active-devices-with-80-of-recent-iphones-and-ipads-running-ios-13/

  4. Anonymous Coward
    Anonymous Coward

    So, let's add it up then

    Risk = impact x probability (OK, that's not an addition but a multiplication but you know what I mean :) ).

    As for impact, users are asked to log in to steal their credentials. Yes, that is a big deal, but especially if the user has multiple devices a logon alert will show up, so it's a time-limited window of opportunity. But yes, it's presently possible.

    Probability. Given the cost per unit and their limited reach I'd say this is not one for mass deployment, only for targeted use. High value targets tend to be a bit more wary about (a) being overly helpful and (b) entering passwords on request. I can see the danger, but I don't see the volume here.

    Ergo, as far as I can tell, the current risk level is rather low.

  5. TeeCee Gold badge
    Facepalm

    I have a problem with the entire concept.

    Having my phone tell me where I've lost ${thing} sounds like a good idea, apart from one massive snag.

    The only ${thing} that I really give enough of a toss about to spend money on being able to find it is, er, my phone.

    This does seem to be a generic problem though. You try logging into your account from a handy machine to use the "find my phone" function when the 2FA login check on new devices requires the authenticator app on your phone(!) Found that one the hard way. Driving all the way home to log in, only to find that yes, your phone is indeed quite close to the machine you couldn't log in to really sucks, but not as much as driving all the way back to get it.

    1. Throatwarbler Mangrove Silver badge
      Holmes

      Re: I have a problem with the entire concept.

      One of the features of Tile is that you can hit a button on your Tile, and it will cause your phone to emit an alarm, so if you have a Tile on your keychain, you can locate your phone, assuming it's in range.
