back to article Airtag clones can sidestep Apple anti-stalker tech

An infosec startup says it has built an Apple Airtag clone that bypasses anti-stalking protection features while running on Apple's Find My protocol. Source code for the clones were published online by Berlin-based infosec startup Positive Security (not to be confused with US-sanctioned cybersecurity outfit Positive …

  1. Winkypop Silver badge
    Facepalm

    No

    Not creepy at all

    1. Snake Silver badge
      Big Brother

      Re: Not creepy at all

      Remember, as long as it's a corporation stalking you for profit, plus a whiff of an inkling of a hint of a benefit that selling your soul to them gets you a new & shiny button on your mobe, it's all good.

  2. Pascal Monett Silver badge

    "we condemn in the strongest possible terms any malicious use of our products."

    Even though we have created a product that specifically allows for stalking without any serious safeguards.

    Shame on you for taking advantage of it.

    Come on Apple, you goofed. Own up to it, retire the product and think of a better version.

    1. devin3782

      Re: "we condemn in the strongest possible terms any malicious use of our products."

      Apple take responsibility for a mistake? Sorry mate, wrong house.

    2. wolfetone Silver badge
      Coat

      Re: "we condemn in the strongest possible terms any malicious use of our products."

      "Come on Apple, you goofed. Own up to it, retire the product and think of a better version."

      Why is it Apple's fault that people are dicks?

      Come on God, you goofed. Own up to it, retire the product and think of a better version.

      1. BenDwire Silver badge
        Angel

        Re: "we condemn in the strongest possible terms any malicious use of our products."

        Come on God, you goofed. Own up to it, retire the product and think of a better version.

        I think God is well aware of that, and is now working on a much less ambitious project ...

        1. peterw52

          Re: "we condemn in the strongest possible terms any malicious use of our products."

          I've always thought were were gods PhD project and now after getting more experience he will have moved on to more positive projects, leaving us at the back of some multi dimensional cupboard

        2. Kane Silver badge
          Boffin

          Re: "we condemn in the strongest possible terms any malicious use of our products."

          "I think God is well aware of that, and is now working on a much less ambitious project ..."

          I hear slime mould is the new up-and-coming thing

      2. Anonymous Coward
        Anonymous Coward

        Re: "we condemn in the strongest possible terms any malicious use of our products."

        It's not Apple's fault that people are dicks. It's Apple's fault that, despite knowing that people are dicks, they made a product with no effective safeguards against abuse by said dicks.

        1. 2+2=5 Silver badge
          Unhappy

          Re: "we condemn in the strongest possible terms any malicious use of our products."

          > It's not Apple's fault that people are dicks. It's Apple's fault that,

          You're holding looking at it wrong. The way to look at it is:

          Positive Security have found a bug in Apple's implementation of Airtags and the Find My prototcol. But instead of disclosing that vulnerability responsibly they decide to publish the code on Github and give every wannabee stalker a head-start.

          Well done. <slow clap>

          1. Anonymous Coward
            Anonymous Coward

            Re: "we condemn in the strongest possible terms any malicious use of our products."

            Based on my understanding of it, Apple essentially created a tracking network out of the installed base of iPhone users, which turned out to be a wet dream for stalkers. After being called out on it, Apple introduced measures to mitigate against their Airtag product from being used for nefarious purposes. However, Apple's tracking network is unchanged and can also track things that aren't Airtags, so taking measures only against rogue Airtags was only ever a distraction from the real problem.

            This isn't a code bug or an implementation problem that could be responsibly disclosed, it's a big tech company leveraging their ubiquity to create something inherently problematic. From my perspective Apple is currently looking like the corporate villain in some techno-dystopia novel, and it's up to them to fix that.

            1. doublelayer Silver badge

              Re: "we condemn in the strongest possible terms any malicious use of our products."

              I'm not on Apple's side here, but the person to whom you replied has a point. These guys have found a way to use the Find My network with a device that isn't Apple's, which is already not supposed to work, and to evade the announcement features in Apple's equipment. Those are both technical bugs, and Apple should be fixing them. I'm afraid that Apple will only care about the first one so they can make only their products work on their network, but even that would patch this. This is a case where Apple should have been quietly told about the problem rather than code for attacking the vulnerability being publicized.

              I understand that, at some point, security researchers will release proof of concept attack code. This should, however, follow a procedure of getting that vulnerability fixed or at least trying to. Doing otherwise puts users at risk for little benefit.

              1. esque

                Re: "we condemn in the strongest possible terms any malicious use of our products."

                "These guys have found a way to use the Find My network with a device that isn't Apple's, which is already not supposed to work"

                Please tell that to Chipolo and other companies that quite officially make Find My Network compatible trackers: https://chipolo.net/en/products/chipolo-one-spot?cl=header

                1. James Ashton

                  Re: "we condemn in the strongest possible terms any malicious use of our products."

                  Please tell that to Chipolo and other companies that quite officially make Find My Network compatible trackers

                  Chipolo et al. have signed up to rigorous contracts with Apple. These require notifications to be handled through Apple in return for access. (Tile has eschewed the Find My Network for that reason.) Apple clearly intends to be able to control the use of the network so these unauthorised clones indicate a bug and/or a flaw in the protocols used. There's also a good chance the issue is likely to be fixed so if someone like Tile tried to unofficially piggyback on Apple there'd be a huge risk that their devices would be locked out.

                2. doublelayer Silver badge

                  Re: "we condemn in the strongest possible terms any malicious use of our products."

                  Fine, I'll make a slight correction:

                  "These guys have found a way to use the Find My network with a device that isn't Apple-licensed, which is already not supposed to work."

                  As this goes, I'd have preferred an open network anyone could use over one that Apple controlled, but the fact remains that Apple didn't go that way and designed a restricted network for people who license access to it. They would consider an unlicensed device using the network as a bug. I'm certain that, for commercial reasons alone, they're going to try getting this bug fixed. I'm more interested in what if anything they will do about the other bug which bypasses their alerting system.

            2. James Ashton

              Re: "we condemn in the strongest possible terms any malicious use of our products."

              After being called out on it, Apple introduced measures to mitigate against their Airtag product from being used for nefarious purposes.

              This is misleading. AirTags have included anti-stalking features from the outset. Apple will have been aware of the issue since they weren't the first in the market. I can't see any of the vendors giving up while the service is legal.

      3. NXM Bronze badge

        Re: "we condemn in the strongest possible terms any malicious use of our products."

        God found the world in a dumpster. See oglaf a few weeks ago:

        https://www.oglaf.com/strongly-discouraged/

        (be aware this one is marginally sfw, most of the others are definitely not!)

        1. David 132 Silver badge
          Thumb Up

          Re: "we condemn in the strongest possible terms any malicious use of our products."

          Automatic upvote for any fellow fan of Oglaf.

          And yes, most of the strips are definitely NSFW.

          But beautifully and wittily drawn.

      4. Zolko Silver badge

        Re: "we condemn in the strongest possible terms any malicious use of our products."

        Why is it Apple's fault that people are dicks?

        you seriously ask why it is Apple's fault if it lets iStuff connect to iPhones without the user's consent or knowledge ? Because that's what these iStuff do: connect via bluetooth to nearby unsuspecting iPhones, and through them connect via the iPhone's internet connection to Apple headquarters.

    3. Stuart Castle Silver badge

      Re: "we condemn in the strongest possible terms any malicious use of our products."

      You know, I was ready to post something criticising Apple, and hoping they took steps to prevent stalking. I still hope that, but I think we are looking at a symptom of the problem rather than the problem.

      Why do people stalk? What can we do to stop them? Airtags are a tool. Say Apple do stop people being able to use Airtags for stalking, there are other tools. Are you going to stop stalkers using them? How would you stop them using (say) a pair of binoculars, or a car? Both of these probably are used for stalking. How about payphones or Pay as you go phones? Both could be used to intimidate a victim.

      While security on the tools could often be improved, the problem is the people (I'd argue primarily, but not exclusively, men) using them. They need to be stopped. Whether by education, or another way.

      Unfortunately, I don't think anyone has the right answer.

    4. DS999 Silver badge

      You might as well remove almost every product from the market then

      Just because it is possible for use a product for bad ends doesn't mean it should be "retired". Should Samsung retire their phones because they don't stop you from filming child pornography? Should Toyota retire their cars because they don't prevent you from driving drunk and killing an innocent victim?

      There were already existing products that had even less in the way of safeguards, like Tile, so it isn't like stalking via tags/tiles/etc. didn't exist before AirTag, or would stop if it was pulled from the market.

  3. Anonymous Coward
    Anonymous Coward

    I find his Send-My far more interesting

    IMHO his Send-my idea is creepier by some distance.

    1. DwarfPants

      Re: I find his Send-My far more interesting

      There are no use cases I can think of, like bugging, remote surveillance, network snooping that could be enabled by Send-My.

      The whole find-my network thing seems badly thought through/implemented. Can people not use the historic approach; lose keys or other important item, go through pain of sorting it out*, make a point of not misplacing important stuff for the remainder of life.

      * rediscovery of lost item may occur after this point.

      1. tip pc Silver badge

        Re: I find his Send-My far more interesting

        My other half finally managed to spend her Apple Store gift voucher by buying 4 airtags.

        She has 3 I have 1 ,

        1 on her car keys

        1 on dog collar

        1 on a travel bag

        1 on my car keys

        the dog did a runner the other week when i was out walking, i can't track her tags so i had to call her for her to check her phone to see where the dog was. In the end someone had heard me calling and brought the dog back for me. The app showed the dog was in the opposite direction to where he was found. I assume it was the last location it had pinged its location to apple via my phone.

        I had put a tile tag on him previously & we could both see that from our own accounts within our family account.

        I don't understand why we can't permit others to see where our tags are. Family & friends permanently share their locations with us from their idevices i don't see why airtags can't be the same

        https://www.macrumors.com/2021/05/04/airtag-uses-disappointed-family-sharing/

        1. JimboSmith Silver badge

          Re: I find his Send-My far more interesting

          She has 3 I have 1 ,

          1 on her car keys

          1 on dog collar

          1 on a travel bag

          1 on my car keys

          the dog did a runner the other week when i was out walking, i can't track her tags so i had to call her for her to check her phone to see where the dog was. In the end someone had heard me calling and brought the dog back for me. The app showed the dog was in the opposite direction to where he was found. I assume it was the last location it had pinged its location to apple via my phone.

          I’m somewhat relieved that you have a dog and not sharing just a little too much information about your life.

          I also feel your pain about the dog, I’ve lost my folks dog whilst out walking him. This was horrific because another dog nearby had recently been hit by a car after being let off the lead in that field.. There was a hole in the hedgerow that it managed to squeeze through and despite the driver slamming on the brakes still sent it flying a few feet. Fortunately it wasn’t injured at all according to the vet and ours came back after a few minutes carrying a large stick.

          1. tip pc Silver badge

            Re: I find his Send-My far more interesting

            Unless you preface things people too readily jump to the wrong conclusions!!

            I could have just mentioned the dog but the point is we share these tags and they don’t work for us as they are linked to us individually and not our family accounts, while our phones, tablets, computers, headphones locations can be seen by any of us as we deliberately chose to share the locations so we can independently find these things when needed.

            Tile works much better but the new owners don’t seem as honourable as the previous lot.

        2. brainwrong
          Coat

          Re: I find his Send-My far more interesting

          "1 on dog collar"

          "I don't understand why we can't permit others to see where our tags are. Family & friends permanently share their locations with us from their idevices i don't see why airtags can't be the same"

          If you want everyone to know where your dog is, then...

          give the dog a iPhone!

          1. DJV Silver badge

            Re: give the dog a iPhone!

            Yeah, but have you actually tried to teach it how to work the fingerprint log on?

            1. David 132 Silver badge
              Happy

              Re: give the dog a iPhone!

              Or taught it to text?

            2. DreamEater

              Re: give the dog a iPhone!

              "Yeah, but have you actually tried to teach it how to work the fingerprint log on?"

              I imagine its im-paw-sible...

              Rover bring me my coat please...

            3. ITS Retired

              Re: give the dog a iPhone!

              Face recognition.

  4. martinusher Silver badge

    Its the story of the Internet

    Most of the problems we have with security all boil down to the single notion that "nobody would ever do that" back in the early days of protocol design. It was the true Age of Innocence.

    It was also 40 years ago in a very different communications environment.

    Now any design should include the possibility of misuse and spoofing as a key parameter. This doesn't necessarily mean tying up the protocol in a welter of key infrastructure hacks -- they're useful but they're really a Band-Aid trying to stop a hemorrhage -- but at least put basic security into it if the information it carries has a private content. Put simply -- "We should know better".

    1. Charles 9 Silver badge

      Re: Its the story of the Internet

      "Now any design should include the possibility of misuse and spoofing as a key parameter. This doesn't necessarily mean tying up the protocol in a welter of key infrastructure hacks -- they're useful but they're really a Band-Aid trying to stop a hemorrhage -- but at least put basic security into it if the information it carries has a private content. Put simply -- "We should know better"."

      Thing is, just about ANYTHING can be abused if someone demented enough thinks hard enough. Quite simply, we just can't have nice things.

      1. Paul Crawford Silver badge

        Re: Its the story of the Internet

        We could if we tried harder, and a trillion dollar company has resources to try a lot harder.

        1. Charles 9 Silver badge

          Re: Its the story of the Internet

          Nah, it's the Siege Problem. The defender has to be lucky all the time, the attacker only has to be lucky once. Even one-time pads have their weak points.

    2. JimboSmith Silver badge

      Re: Its the story of the Internet

      “Gentlemen do not read each other's mail” Henry Stimson

      I know a father who was widowed and became (understandably) very protective of his two daughters. So when they got iPhones he asked their permission to be able to see their location using his iPhone. They were I think 12 & 13 at the time and said yes quite happily because they didn’t mind daddy knowing. They then forgot about this ability that he had but he didn’t and if they were seeing a boyfriend he’d know their location etc. Then one day after they’d both turned 18 one of them lost her phone. He located it on his phone and after they asked how he’d done that they remembered that he had their permission. They immediately revoked the permission because well they’re over 18 and they don’t think he needs it. However they realised then why he’d been such a cool dad and for example, never asked where they’d been after a night out.

    3. Julz Silver badge

      Re: Its the story of the Internet

      So perhaps we need to redesign the basic protocols. The internet need not be just one protocol and in fact isn't.

  5. Anonymous Coward
    Anonymous Coward

    Read the Apple "Find My" page........

    ......so.....they say that even if your own Apple iPhone is switched off, then the Apple network can find your tag by using the iPhones OF OTHER USERS and the relevant Bluetooth connection.....

    Really?? OTHER USERS?? THE APPLE NETWORK??

    Maybe I've completely the missed the dictionary definition of "privacy"??

    Or maybe this "Find My" service is REALLY CREEPY!!!!

  6. Anonymous Coward
    Anonymous Coward

    Found expensive digital BMW key with a tracker thingy while bike riding. I dropped it at the nearby dairy, where lots of people with ponce-o-phones go so it would be detected. A couple of weeks later, in passing, I picked it up and dropped it at a BMW agent who could read the key and contact the owner.

    Personally, I just have a couple of phone numbers on everything*. Things mostly find their way back super fast.

    *Yeah everything my wife and kids are going to touch

  7. Sorry that handle is already taken. Silver badge
    Mushroom

    we condemn in the strongest possible terms any malicious use of our products...

    ...but couldn't be bothered putting in a minimal amount of effort to make it difficult or impossible to do so.

    Eat this Apple.

  8. MrNigel

    Proximity fun

    Vaguely reminds of those Bluetooth prox apps from back in the 00's. It was kinda fun playing with them on a busy train - specifically the 17:00 non-stop KX-York - where you could post a msg to any phone within range. Then they tightened up the security and users had to 'accept' the message..... What happened to those Bluetooth prox devices that could capture people walking through a door etc then send them a 'special discount code' for in-store use message?

    1. Charles 9 Silver badge

      Re: Proximity fun

      Mostly switched to geo-fencing and hotspot awareness.

  9. Anonymous Coward
    Anonymous Coward

    As somebody else has alluded to, make something useful and others will find a way to use it differently (some to mis-use it). There are numerous examples throughout history. Almost any tool in your toolbox could be used to cause harm; kitchen knives are commonly used as offensive weapons; the laser was initially a solution looking for a problem - it's now commonplace but even small laser pointers can be misused to blind folk; I'll not include guns as they were actually developed to be harmful. Yes, Apple should find ways to minimise misuse of AirTags - but so should Tile. Of course, if Apple lock their system down too much, others will cry foul and point the anti-completive finger. There is no easy answer to human behaviour...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022