No
Not creepy at all
An infosec startup says it has built an Apple Airtag clone that bypasses anti-stalking protection features while running on Apple's Find My protocol. Source code for the clones was published online by Berlin-based infosec startup Positive Security (not to be confused with US-sanctioned cybersecurity outfit Positive …
Even though we have created a product that specifically allows for stalking without any serious safeguards.
Shame on you for taking advantage of it.
Come on Apple, you goofed. Own up to it, retire the product and think of a better version.
"Come on Apple, you goofed. Own up to it, retire the product and think of a better version."
Why is it Apple's fault that people are dicks?
Come on God, you goofed. Own up to it, retire the product and think of a better version.
> It's not Apple's fault that people are dicks. It's Apple's fault that,
You're holding looking at it wrong. The way to look at it is:
Positive Security have found a bug in Apple's implementation of Airtags and the Find My protocol. But instead of disclosing that vulnerability responsibly they decided to publish the code on Github and give every wannabe stalker a head-start.
Well done. <slow clap>
Based on my understanding of it, Apple essentially created a tracking network out of the installed base of iPhone users, which turned out to be a wet dream for stalkers. After being called out on it, Apple introduced measures to mitigate against their Airtag product from being used for nefarious purposes. However, Apple's tracking network is unchanged and can also track things that aren't Airtags, so taking measures only against rogue Airtags was only ever a distraction from the real problem.
This isn't a code bug or an implementation problem that could be responsibly disclosed, it's a big tech company leveraging their ubiquity to create something inherently problematic. From my perspective Apple is currently looking like the corporate villain in some techno-dystopia novel, and it's up to them to fix that.
I'm not on Apple's side here, but the person to whom you replied has a point. These guys have found a way to use the Find My network with a device that isn't Apple's, which is already not supposed to work, and to evade the announcement features in Apple's equipment. Those are both technical bugs, and Apple should be fixing them. I'm afraid that Apple will only care about the first one so they can make only their products work on their network, but even that would patch this. This is a case where Apple should have been quietly told about the problem rather than code for attacking the vulnerability being publicized.
I understand that, at some point, security researchers will release proof of concept attack code. This should, however, follow a procedure of getting that vulnerability fixed or at least trying to. Doing otherwise puts users at risk for little benefit.
"These guys have found a way to use the Find My network with a device that isn't Apple's, which is already not supposed to work"
Please tell that to Chipolo and other companies that quite officially make Find My Network compatible trackers: https://chipolo.net/en/products/chipolo-one-spot?cl=header
Please tell that to Chipolo and other companies that quite officially make Find My Network compatible trackers
Chipolo et al. have signed up to rigorous contracts with Apple. These require notifications to be handled through Apple in return for access. (Tile has eschewed the Find My Network for that reason.) Apple clearly intends to be able to control the use of the network so these unauthorised clones indicate a bug and/or a flaw in the protocols used. There's also a good chance the issue is likely to be fixed so if someone like Tile tried to unofficially piggyback on Apple there'd be a huge risk that their devices would be locked out.
Fine, I'll make a slight correction:
"These guys have found a way to use the Find My network with a device that isn't Apple-licensed, which is already not supposed to work."
As this goes, I'd have preferred an open network anyone could use over one that Apple controlled, but the fact remains that Apple didn't go that way and designed a restricted network for people who license access to it. They would consider an unlicensed device using the network as a bug. I'm certain that, for commercial reasons alone, they're going to try getting this bug fixed. I'm more interested in what if anything they will do about the other bug which bypasses their alerting system.
After being called out on it, Apple introduced measures to mitigate against their Airtag product from being used for nefarious purposes.
This is misleading. AirTags have included anti-stalking features from the outset. Apple will have been aware of the issue since they weren't the first in the market. I can't see any of the vendors giving up while the service is legal.
Why is it Apple's fault that people are dicks?
You seriously ask why it is Apple's fault if it lets iStuff connect to iPhones without the user's consent or knowledge? Because that's what these iStuff do: connect via Bluetooth to nearby unsuspecting iPhones, and through them connect via the iPhone's internet connection to Apple headquarters.
You know, I was ready to post something criticising Apple, and hoping they took steps to prevent stalking. I still hope that, but I think we are looking at a symptom of the problem rather than the problem.
Why do people stalk? What can we do to stop them? Airtags are a tool. Say Apple do stop people being able to use Airtags for stalking, there are other tools. Are you going to stop stalkers using them? How would you stop them using (say) a pair of binoculars, or a car? Both of these probably are used for stalking. How about payphones or Pay as you go phones? Both could be used to intimidate a victim.
While security on the tools could often be improved, the problem is the people (I'd argue primarily, but not exclusively, men) using them. They need to be stopped. Whether by education, or another way.
Unfortunately, I don't think anyone has the right answer.
Just because it is possible to use a product for bad ends doesn't mean it should be "retired". Should Samsung retire their phones because they don't stop you from filming child pornography? Should Toyota retire their cars because they don't prevent you from driving drunk and killing an innocent victim?
There were already existing products that had even less in the way of safeguards, like Tile, so it isn't like stalking via tags/tiles/etc. didn't exist before AirTag, or would stop if it was pulled from the market.
There are no use cases I can think of, like bugging, remote surveillance, network snooping that could be enabled by Send-My.
The whole find-my network thing seems badly thought through/implemented. Can people not use the historic approach; lose keys or other important item, go through pain of sorting it out*, make a point of not misplacing important stuff for the remainder of life.
* rediscovery of lost item may occur after this point.
My other half finally managed to spend her Apple Store gift voucher by buying 4 airtags.
She has 3, I have 1:
1 on her car keys
1 on dog collar
1 on a travel bag
1 on my car keys
The dog did a runner the other week when I was out walking. I can't track her tags, so I had to call her for her to check her phone to see where the dog was. In the end someone had heard me calling and brought the dog back for me. The app showed the dog was in the opposite direction to where he was found. I assume it was the last location it had pinged to Apple via my phone.
I had put a tile tag on him previously & we could both see that from our own accounts within our family account.
I don't understand why we can't permit others to see where our tags are. Family & friends permanently share their locations with us from their iDevices; I don't see why Airtags can't be the same.
https://www.macrumors.com/2021/05/04/airtag-uses-disappointed-family-sharing/
I’m somewhat relieved that you have a dog and are not sharing just a little too much information about your life.
I also feel your pain about the dog. I’ve lost my folks' dog whilst out walking him. This was horrific because another dog nearby had recently been hit by a car after being let off the lead in that field. There was a hole in the hedgerow that it managed to squeeze through and, despite the driver slamming on the brakes, it was still sent flying a few feet. Fortunately it wasn’t injured at all according to the vet, and ours came back after a few minutes carrying a large stick.
Unless you preface things people too readily jump to the wrong conclusions!!
I could have just mentioned the dog but the point is we share these tags and they don’t work for us as they are linked to us individually and not our family accounts, while our phones, tablets, computers, headphones locations can be seen by any of us as we deliberately chose to share the locations so we can independently find these things when needed.
Tile works much better but the new owners don’t seem as honourable as the previous lot.
"1 on dog collar"
"I don't understand why we can't permit others to see where our tags are. Family & friends permanently share their locations with us from their idevices i don't see why airtags can't be the same"
If you want everyone to know where your dog is, then...
give the dog an iPhone!
Most of the problems we have with security all boil down to the single notion that "nobody would ever do that" back in the early days of protocol design. It was the true Age of Innocence.
It was also 40 years ago in a very different communications environment.
Now any design should include the possibility of misuse and spoofing as a key parameter. This doesn't necessarily mean tying up the protocol in a welter of key infrastructure hacks -- they're useful but they're really a Band-Aid trying to stop a hemorrhage -- but at least put basic security into it if the information it carries has private content. Put simply -- "We should know better".
"Now any design should include the possibility of misuse and spoofing as a key parameter. This doesn't necessarily mean tying up the protocol in a welter of key infrastructure hacks -- they're useful but they're really a Band-Aid trying to stop a hemorrhage -- but at least put basic security into it if the information it carries has private content. Put simply -- "We should know better"."
Thing is, just about ANYTHING can be abused if someone demented enough thinks hard enough. Quite simply, we just can't have nice things.
“Gentlemen do not read each other's mail” Henry Stimson
I know a father who was widowed and became (understandably) very protective of his two daughters. So when they got iPhones he asked their permission to be able to see their location using his iPhone. They were I think 12 & 13 at the time and said yes quite happily because they didn’t mind daddy knowing. They then forgot about this ability that he had but he didn’t and if they were seeing a boyfriend he’d know their location etc. Then one day after they’d both turned 18 one of them lost her phone. He located it on his phone and after they asked how he’d done that they remembered that he had their permission. They immediately revoked the permission because well they’re over 18 and they don’t think he needs it. However they realised then why he’d been such a cool dad and for example, never asked where they’d been after a night out.
......so.....they say that even if your own Apple iPhone is switched off, then the Apple network can find your tag by using the iPhones OF OTHER USERS and the relevant Bluetooth connection.....
Really?? OTHER USERS?? THE APPLE NETWORK??
Maybe I've completely the missed the dictionary definition of "privacy"??
Or maybe this "Find My" service is REALLY CREEPY!!!!
Found expensive digital BMW key with a tracker thingy while bike riding. I dropped it at the nearby dairy, where lots of people with ponce-o-phones go so it would be detected. A couple of weeks later, in passing, I picked it up and dropped it at a BMW agent who could read the key and contact the owner.
Personally, I just have a couple of phone numbers on everything*. Things mostly find their way back super fast.
*Yeah everything my wife and kids are going to touch
Vaguely reminds me of those Bluetooth prox apps from back in the 00's. It was kinda fun playing with them on a busy train - specifically the 17:00 non-stop KX-York - where you could post a msg to any phone within range. Then they tightened up the security and users had to 'accept' the message..... What happened to those Bluetooth prox devices that could capture people walking through a door etc. then send them a 'special discount code' for in-store use message?
As somebody else has alluded to, make something useful and others will find a way to use it differently (some to misuse it). There are numerous examples throughout history. Almost any tool in your toolbox could be used to cause harm; kitchen knives are commonly used as offensive weapons; the laser was initially a solution looking for a problem - it's now commonplace but even small laser pointers can be misused to blind folk; I'll not include guns as they were actually developed to be harmful. Yes, Apple should find ways to minimise misuse of AirTags - but so should Tile. Of course, if Apple lock their system down too much, others will cry foul and point the anti-competitive finger. There is no easy answer to human behaviour...