AirTag clone bypasses Apple’s anti-stalking measures

Fabian Braunlein, Positive Security (via AppleInsider):

Recently, reports about AirTags being used to track other people and their belongings were becoming much more frequent.

In one exemplary stalking case, a fashion and fitness model discovered an AirTag in her coat pocket after having received a tracking warning notification from her iPhone. Other times, AirTags were placed in expensive cars or motorbikes to track them from parking spots to their owner’s home, where they were then stolen.

There has been a lot of press on this issue, and this response from Apple, titled "An update on AirTag and unwanted tracking", wherein Apple lays out its work with safety groups and law enforcement agencies to "update AirTag safety warnings and help guard against further unwanted tracking."

Back to Fabian’s headline linked blog post:

I might be slightly more familiar with AirTags than the average hacker (having designed and implemented a communication protocol on top of Find My for arbitrary data transmission), but even so I was quite surprised that, when reading Apple’s statement, I was able to immediately devise quite obvious bypass ideas for every current and upcoming protection measure mentioned in that relatively long list.

The following section will discuss each anti-stalking feature and how it can be bypassed in theory. Thereafter I will describe how I implemented those ideas to build a stealth AirTag and successfully tracked an iPhone user (with their consent of course) for over 5 days without triggering a tracking notification.

There’s a market for stalking devices. Apple did not invent the concept. But consider:

Apple needs to incorporate non-genuine AirTags into their threat model, thus implementing security and anti-stalking features into the Find My protocol and ecosystem instead of in the AirTag itself, which can run modified firmware or not be an AirTag at all (Apple devices currently have no way to distinguish genuine AirTags from clones via Bluetooth).

Hoping the AirTag team digs into this post.