Does this mean that Apple is failing to validate the capability of things that purport to be AirTags? Or that the BLE protocol is just not powerful enough to have Apple signatures on each broadcast public key?
If it's the latter, it might mean that the entire AirTag product line is dead in the water.
The mental model I had is that AirTags are manufactured with a private/public key pair burned into them that allows Apple to validate the thing you are linking to your account on initial setup is really a legit AirTag.
It appears none of that was ever true and you can register just anything as an AirTag that speaks the right BLE with no secrets required for a world full of iPhones to start tracking them.
So yeah, expect Chinese clones to show up within a month, for five dollars each and certainly no speaker included.
I feel that if the stalker is buying dedicated stalking gear online there are “better” options - you can get actual compact GPS trackers that report over cellular for $10-20.
Stop comparing AirTag to GPS trackers, it's absurd. GPS is an incredibly faint signal that is entirely attenuated in any indoor space and most clever hiding places you could come up with, all the while being very obviously inferior to the multitude of strategies smartphones use to determine their position.
Can you really? I live in a place with a lot of coyotes, so we bring our cat inside every day an hour or 2 before sunset. We bought a Tile (AirTag competitor) for her, but it's really not lived up to what we were hoping, and I'd love for the possibility of getting an actual GPS device.
Even if it's just for a few days so we can get a sense of what her typical routes are, so we could know where to look for her on other days.
But we couldn't find any such GPS device that was anywhere near the price point of an AirTag or Tile unless it came with a really pricey subscription.
For your use case wouldn’t something that has a GPS receiver and just records position every minute or so be fine? You can download the map offline later, no need for continuous cell signal.
Not with anything like the battery life or small sizes as an AirTag.
Those sorts of devices are a reasonable choice for mounting in your own vehicle, where you can provide relatively unlimited power (and many of them have the ability to implement engine kill). But you aren’t going to slip one of those into someone’s pocket unobtrusively as you bump into them going past. Or attach it to their car in a car park.
More than battery life or small size, I think the most important cost is the cellular plan. With AirTag, the find my network acts as the communication backbone and it tracks the AirTag in literally every country, at no cost. On the other hand, cellular is expensive AF.
> If it's the latter, it might mean that the entire AirTag product line is dead in the water.
The average consumer, or even 99.9% of consumers, don't care at all.
They want to find their things. AirTags help them find their things. They don't care how it works. End of story.
It's not a popular opinion on HN where everyone wants to understand every technical detail of how every product works, but in the real world it doesn't matter. Consumers buy products to solve problems. That's all.
AirTag is one of many ways you can be stalked. Perhaps it’s the cheapest or most well known method at the moment, but you can already buy GPS + cellular trackers that aren’t much more expensive or larger, and they’re only going to get better and cheaper over time.
This problem will need to be addressed though other means than a single company intentionally crippling their own product.
I think the problem is people have to decide "I'm not going to buy this because if nobody buys this then people won't be able to buy this and use it to stalk people." In other words, the consumer gives up a product they want in exchange for a common good they get an infinitesimal benefit from.
Obviously not, given what their smartphone apps and browsers are doing. The real question is whether the thought of being stalked by an individual rather than by corporations will make any difference.
Yeah I don't understand this. Surely airtags have to be registered, and when an iPhone sees tag 3957375967 Apple's servers look that up and say "oh it's registered to Billy Bob; I'll tell them".
But if your fake airtag rotates through 2000 IDs how do you register them all?
Apple apparently stores every reported location in a database and allows people to query whether a certain public key was received, with or without the key being registered to a specific user, since they change on a regular basis so one can’t track a specific device.
Seems like the end-game for this is to change things around like this:
1. you can't track items outside of some distance from you in real-time
2. items marked as lost would need to be sent to a review team inside Apple (contractors I imagine) that would then log your information, require you to explain what the item is, and generally make it very cumbersome to get the actual location or history of the location
3. then very likely a neutral 3rd party would have to go to the location to determine if the claim seems to be legitimate, or this is a case of somebody stalking somebody else or something
4. likely would require police getting involved somehow
The idea that people can be vigilantes and track down their own stolen bike is a great idea, but it basically equates to "stalking somebody". Any work-arounds for Android users and iPhone users will either only work in certain circumstances (what if you only live 1 mile away from the bars downtown -- then now the stalker knows where you live and the device was with you a super short period of time -- maybe 2-5 mins depending upon method of travel)... The only way around this is to block people from being able to get the raw information -- sure the data might be collected, but giving it directly to the customer is both the best and worst thing about this.
The Apple strategy would be that it works fine and then 6 months in they release an update that specifically targets these devices and they are instantly worthless.
Apple will probably say something to the effect of, "we didn't have to put anti-stalking technology in, and it works well for the 99% of use cases." The common stalker will not have the technical skills to build their own custom-firmware version of a BLE-enabled system. I don't think this revelation will kill the product line.
After reading more about this on the attached repo, I think we're going to see some AliExpress clones popping up pretty quick. AirTags appear to be pretty minimal tech - much less complex than I had thought if you exclude the high-precision location finder.
It is a difficult technical problem for Apple to solve all of the corner-cases. The article shows the screenshot of seemingly 100 unique FindMy devices around this guy's personal residence... there may be some characterization work that can help solve that so an iPhone user would get the alert message. But Apple will continue to promote it and dismiss or downplay these security concerns.
> The problem is easy to solve, just store copies of all public keys of each air tag you send out.
That kills the privacy aspect of it, because it also means Apple knows about the exact whereabouts of each tag. AirTags are specifically designed/marketed so Apple can't do that.
Software (and I guess hardware too) is about tradeoffs. The tradeoff here is that, in not being able to validate if a device is a valid AirTag, Apple has created a massive, completely uncontrollable surveillance network. The fact that anyone can interrogate the network to track devices that aren't even guaranteed to be running the official firmware or have the official hardware is insane. Not having Apple be able to know the location of the tags is pretty much irrelevant in the face of this downside.
It basically operates like dead drops. AirTags broadcast their location using a public key that constantly rotates. Apple maintains a mapping of public key to location. Anyone can look up the location of a public key, but the search space is so big that it's not worth brute-forcing. Even if you did, all you'd end up with is a heatmap [1] of AirTags, not very helpful. However, if you know the corresponding secret, you can predict what the public key will be and know the exact whereabouts of a particular device.
A core selling point of Airtags is that other people's iPhones help you find your AirTag. That's also what makes them effective trackers. It's a bit of an unsolvable problem.
Yes, and Apple 100% has the capacity / ability to filter out "fake" AirTags on their back-end. All they need to do is set up a manufacturing process that captures the public keys.
So the phones will still relay the beacons to Apple, who can then do things and just reject messages from these fake tags.
(I worked for a Medical Device Company that set all of this up within our supply chain).
If they haven't been doing this so far, it seems like it will be a tough job to record them after the fact. Perhaps they could interrogate each device and require it to be re-adopted, then record the data at that point but it seems like an arms race they won't win.
Yes, you could do attestation schemes for hardware - such as a single manufacturing-time private key for large batches (say 1M+ AirTags) or something like Direct Anonymous Attestation.
Apple likely would go toward batch keys - in addition to being simpler crypto, it doesn't give them the capability to use other mechanisms to potentially correlate location reports.
That said, AirTags work solely within BLE advertisements, which are payload size limited to 31 bytes. Apple is currently using 30 of those bytes.
Since the AirTag emits the message, that message would either contain:
- a static signature, which could then be copied and mimicked by imposters (replay attack)
- store the private key on the AirTag device, which could then sign a continuously changing nonce like the current datetime. But this means the private key could then be extracted from one device, and used to sign messages on an imposter device. So unless every device had a separate private key, this method would immediately be compromised as well.
So why doesn't Apple have a unique private key for each device? Well, it appears it actually does, and has them constantly changing their private keys. But there appears to be some kind of purposely implemented anonymity feature that is designed to prevent Apple's servers from ever having to decode the contents of a ping, and thus from associating your account/device with the emitted location.
If you build in validation to write to the network ping database that goes "here's a ping with a signature ABC and let's lookup if it's valid, oh it is, that must be from AirTag Bob bought last month with private key XYZ, let's declare this ping valid" then Apple is only a logfile-write-of-this-information away from being able to perfectly stalk everyone who has purchased a device. So instead, the tradeoff they made is they don't keep track / purposely blind themselves to their device-in-circulation keys to truthfully say they actually can't track you. That leaves open the ability of imposter devices to transmit information through the network by creating their own known keys which look indistinguishable from authentic device pings.
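The dead-drop model described earlier in the thread (a key that rotates, a server that maps keys to reports, a secret that lets only the owner predict the next key) and the manufacturing-registry proposal with its privacy cost, worked through as an added toy example in Python. This is not code from the thread, from OpenHaystack or from Apple: the HMAC-over-epoch ratchet, the four-epoch window, the tag names and the coordinates are constructed stand-ins chosen only so that the tradeoff shows up in the returned values.

```python
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

Location = Tuple[float, float]


def derive_beacon_key(seed: bytes, epoch: int) -> bytes:
    """Key a tag broadcasts during one rotation interval.

    Toy ratchet (an assumption, not Apple's derivation): HMAC-SHA256 of the
    epoch number under the tag's secret seed. Holding the seed lets you
    recompute every epoch's key; without it the keys look unrelated.
    """
    return hmac.new(seed, epoch.to_bytes(8, "big"), hashlib.sha256).digest()


def report_index(beacon_key: bytes) -> str:
    """The server files reports under a hash of the broadcast key."""
    return hashlib.sha256(beacon_key).hexdigest()


class ReportServer:
    """Location reports keyed only by hashed beacon key; no tag identity is stored."""

    def __init__(self) -> None:
        self.reports: Dict[str, List[Location]] = defaultdict(list)

    def submit(self, beacon_key: bytes, location: Location) -> None:
        # A finder phone relays (key, location); the server cannot tell which tag sent it.
        self.reports[report_index(beacon_key)].append(location)

    def fetch(self, beacon_key: bytes) -> List[Location]:
        return list(self.reports.get(report_index(beacon_key), []))


def owner_lookup(server: ReportServer, seed: bytes, epochs: Iterable[int]) -> List[Location]:
    """Owner side: re-derive each epoch's key from the seed and pull its reports."""
    found: List[Location] = []
    for e in epochs:
        found.extend(server.fetch(derive_beacon_key(seed, e)))
    return found


def validate_with_registry(registry: Dict[str, bytes], beacon_key: bytes,
                           epochs: Iterable[int]) -> Optional[str]:
    """The 'capture keys at manufacturing' proposal: accept a beacon only if some
    registered seed produces it in some epoch. Returns the matching tag name."""
    epochs = list(epochs)
    for name, seed in registry.items():
        for e in epochs:
            if hmac.compare_digest(derive_beacon_key(seed, e), beacon_key):
                return name
    return None


def attribute_all_reports(server: ReportServer, registry: Dict[str, bytes],
                          epochs: Iterable[int]) -> Tuple[Dict[str, List[Location]], int]:
    """The cost of that registry: the same key table lets the server tie every
    stored report to a named owner. Returns (reports by owner, unattributed count)."""
    epochs = list(epochs)
    index_to_owner = {
        report_index(derive_beacon_key(seed, e)): name
        for name, seed in registry.items() for e in epochs
    }
    by_owner: Dict[str, List[Location]] = defaultdict(list)
    unattributed = 0
    for idx, locs in server.reports.items():
        owner = index_to_owner.get(idx)
        if owner is None:
            unattributed += len(locs)
        else:
            by_owner[owner].extend(locs)
    return dict(by_owner), unattributed


def demo() -> dict:
    """Constructed scenario: two tags registered at manufacture, one clone with a self-chosen seed."""
    registry = {"tag-A": b"A" * 32, "tag-B": b"B" * 32}
    clone_seed = b"C" * 32
    epochs = range(4)
    server = ReportServer()
    for e in epochs:  # made-up coordinates relayed by finder phones, one per epoch
        server.submit(derive_beacon_key(registry["tag-A"], e), (51.5 + e, -0.1))
        server.submit(derive_beacon_key(registry["tag-B"], e), (48.8, 2.3 + e))
        server.submit(derive_beacon_key(clone_seed, e), (40.7, -74.0))
    return {
        "owner_A": owner_lookup(server, registry["tag-A"], epochs),
        "clone_owner": owner_lookup(server, clone_seed, epochs),
        "clone_validates": validate_with_registry(registry, derive_beacon_key(clone_seed, 1), epochs),
        "B_validates": validate_with_registry(registry, derive_beacon_key(registry["tag-B"], 3), epochs),
        "linked": attribute_all_reports(server, registry, epochs),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Without the registry the server holds nothing but opaque hashes and serves any seed holder alike, registered or not; with the registry the lookup that would reject the clone is exactly the lookup that lets the server file every report under an owner's name, which is the tradeoff the comment above describes.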
I didn't fully grep the article, but assuming the src is public and hardware is trivially built - I wouldn't put it past someone packaging this up and selling it. It doesn't need a huge number of people to be bad enough PR for Apple to have to do something - much like 99.9999999% of people are not using them for stalking but it's all that's talked about in the media with these tags.
My memory is a little fuzzy, but IIRC after required tags in the advertising packet you had ~28 bytes that could be tagged 0xFF - mfg data. Then there is also BLE5, which adds advertising extensions to get to 240-250 bytes. And the scan response packet, which was under 30 all the time. But I could be wrong about all of that; it's been a little while since I was that deep in BLE.
Point for me is that Apple absolutely could do supply chain verification but… for some reason don’t?
I've read a bunch of different numbers around 30, but I've never used beacons personally. I pulled out my copy of the O'Reilly book on BLE (covers up to Bluetooth 4.1), which says this:
> Each advertising packet can carry up to 31 bytes of advertising data payload, along with the basic header information (including Bluetooth device address).
I didn't know about advertising extensions, thanks for the info. Without that I'm not sure if supply chain verification is feasible? I also wonder if there's a significant battery impact to broadcasting more data. I suppose they could overload the device address uuid?
4.1 is before packet extensions, but that shouldn’t matter here.
The reason you’ll see different numbers is that not everyone considers the overhead the same. Some count it, some don’t. I do because it just isn’t usable.
AirTag is a difficult problem to solve -- the usefulness of the product for "good" uses is directly related to how easy the "bad" uses are. Eventually it will be limited to the point where you can only track items that your phone can detect, and that won't be super helpful.
Sure you can use it to find your lost keys in your own house and maybe have it warn you when you've been separated from your AirTag, but that's about it.
Isn’t that last scenario basically what the competitors do?
The problem is not the AirTag, it’s the Find My network. Anything that can be tracked through the Find My network can be used for malicious purposes. It is Apple’s USP but also its Achilles heel.
> The problem is not the airtag, it’s the find my network.
Tile, for example, actually works the exact same way. If you fully lose your Tile connected to your keys you can put it into a "lost" mode [1] which will then notify you and GPS locate it just like an AirTag if someone with the Tile app is near your Tile. But you are correct, the big difference here will be how many devices have Tile installed vs iPhones.
There's literally no one I know who uses Tile. On the other hand, the AirTag Find My network will guarantee near 100% coverage in the West and even in some Asian countries.
I understand your point and it's completely valid, but I think the difference is that Apple is mainstreaming personal tracking in a way that other companies could only dream of, and in doing so is also mainstreaming awareness of how technologies like this might be abused. Because of this, Apple has painted a giant target on their back even though they're arguably handling privacy issues better than anyone else in this space.
On the bright side, the end result of this is that AirTags will be safer for everyone, and competitors with tracking products not designed for secret spying will be forced to step up their privacy games.
I think what Apple is really mainstreaming is the mass-use of their devices as a low-bitrate, irregular sneakernet. This should replace lots of IoT stuff.
It's kinda dumb that our cabin has a 'smart' meter on a mesh network, but there's no way for me to remotely turn on a heater 4h before I arrive without a $10+/month subscription.
Maybe one day I can offline order a book and it just shows up because the on-line devices nearby (or are likely to show up nearby) can drop it off wirelessly.
A traffic light won't be needing its own internet subscription or private physical network to beam up a picture of the intersection or status.
I've always been sceptical of this working well enough to be usable. Does the average iPhone owner leave their Bluetooth, GPS, and mobile network on 24/7? Sounds like an awful waste of power. What about in the rest of the world outside the US, Canada and Australia, where Android is the market leader and iPhones are rather rare?
What happens inside buildings when the phone doesn't have a fix? Does it store the tag's key and send it as soon as it gets GPS data?
Why wouldn't you leave those things on? Apple designed iOS for those things to be handled and turned on when needed. BLE is quite low in power, GPS is only on when location services need it. These are concerns I would have had about 10-15 years ago, but I don't now.
> Does the average iphone owner leave their bluetooth, gps, and mobile network on 24/7?
Yes of course. That's how these phones are supposed to work. I don't have time to micromanage my devices. As long as I get a day of usage, why would I bother?
AirTags exist and they work perfectly fine in all these conditions. We would need to turn the clock back a few years for this comment to make sense, in an universe where AirTags didn't yet exist.
Your phone takes its last position from GPS, refines it with RSSI of nearby WiFi networks and then you add in the broadband stuff they have to localize the tag further.
I’ve just moved to Spain, from Canada, and was wondering the same. A quick google search shows iPhone has less than 12% market share here. I did a little test in Valencia about a week ago by just walking around with my AirTag on my keys in “lost mode” and they got picked up very frequently. I was pretty happy with the results, I don’t think approximately only one in ten people on the streets having an iPhone would have much effect on the usefulness.
You can purchase pre-made GPS+cellular trackers, but it seems like it would be much easier to tie a detected tracker of this type back to a specific person. A tracker with cellular capability will have a SIM and some kind of subpoena-able service record, while one of the pirate AirTags described in the post is basically just an antenna and a battery.
You can buy a prepaid SIM, but it still needs to be activated with the service provider, and it will report the IMEI to the operator as part of maintaining a network connection. If the victim discovers the tracking device and reports it to the police, the police will be able to discover (from the service provider's records) where the SIM was activated and what payment method is used for service. If the SIM was prepaid, the network operator will have a pretty good idea of where it was sold (by tying the SIM number to a wholesale lot number), and that would give police a narrow pool of suspects (whoever bought a prepaid SIM from that seller while the wholesale lot was on their shelves) to work from. If anyone bought a prepaid SIM with cash, they may have been caught on security camera doing so. I guess if the perpetrator bought the SIM online with Monero, investigators might hit a dead end.
Compare that to the difficulty of tracking down where a commodity BLE antenna and battery pack were sold.
>it will report the IMEI to the operator as part of maintaining a network connection
>Compare that to the difficulty of tracking down where a commodity BLE antenna and battery pack were sold.
The ESP (or whatever BLE chipset was used) probably will have a MAC address burned in, which is essentially an IMEI. You'll have a hard time getting anything from that, because the AliExpress supply chain that supplied the GSM GPS tracker keeps records and/or responds to US subpoena as well as the AliExpress supply chain that supplied the AirTag clone.
>If the SIM was prepaid, the network operator will have a pretty good idea of where it was sold (by tying the SIM number to a wholesale lot number), and that would give police a narrow pool of suspects (whoever bought a prepaid SIM from that seller while the wholesale lot was on their shelves) to work from.
It was sold from a mobile phone kiosk at a mall
>what payment method is used for service
Voucher purchased at the same store, both paid with cash.
>If anyone bought a prepaid SIM with cash, they may have been caught on security camera doing so.
The purchase/activation of the SIM occurred a month or two ago, outside of the retention range of the surveillance footage. Even if the footage exists, all you'd see is a masked (thanks COVID!) 5'8" white possibly Hispanic male, wearing a hoodie and jeans.
> voucher purchased at the same store, both paid with cash
>> If anyone bought a prepaid SIM with cash, they may have been caught on security camera doing so.
> the purchase/activation of the sim occurred a month or two ago, outside of the retention range of the surveillance footage. even if the footage exists, all you'd see is a masked (thanks covid!) 5'8" white possibly hispanic male, wearing a hoodie and jeans.
That's so much opsec that you wouldn't have to do to exploit the Find My protocol! And let's hope the mall didn't change their retention interval and that the same 5'8" white male didn't do something stupid like buy something with a credit card on the same trip or park in the mall parking lot.
1. It's not really "so much". Wearing nondescript clothing, paying with cash, and maybe parking across the street are measures that people who don't know what "opsec" means can figure out. I think "burner phones" are well known enough that we can presume the typical criminal knows about it.
2. The same mechanism that makes it easy to build stalking devices also makes it convenient to use as a lost key finder. I'm not going to attach a GPS tracker and buy a SIM card for my keys/bag, but I will buy a $30 AirTag.
Other trackers don't have a backdoor into a global network of a billion iOS devices in order to relay the device's location to a cellular network, and thus, the original owner. They were safer because they were small; things such as this do not always scale linearly, which is a fact Apple's leadership doesn't seem to respect.
If you exclude the time to dev the software, design the PCB, and assemble the tracker, then you can knock up an NB-IoT module + GPS module + microcontroller & supporting parts (to tie the two modules together) for about $30-$35 in small quantities; keep your data usage low and you can throw in a pre-paid NB-IoT SIM for about $15.
EDIT: It's not gonna be as small as an AirTag, but if you wanted to tag something like a car you could get it into a small enough box to easily hide under it.
EDIT the 2nd: Throw in a movement detector and keep everything asleep unless it's moved. Before firing up the GPS/modem, write your code so as not to power up the GPS/modem unless a certain time has passed since the last known location fix; when you do fire up the GPS, compare the location to the last known location so you only need to phone home if the distance has changed by a certain amount, and you could get a decent battery life.
Sure, but I hope it's easy to understand that it's orders of magnitude easier to just buy an AirTag (including "silenced" ones from eBay or wherever) and drop it in someone's purse or coat pocket, or attach it to their car.
Pretty much no regular stalker is going to design and build their own GPS+cellular tracker. Even if someone were to do that and then sell them online, the barrier to finding and buying those are still probably going to be higher than getting an AirTag. And the battery won't last anywhere near as long as well. And also consider that the software running on it, as well as the cloud service that lets you check the location, doesn't just magically appear either. Someone has to build and host that as well. Even a lower-tech solution that just emails a location report every few minutes still requires work to build.
Yes, it's absolutely possible, and not super difficult, to track someone using a GPS+cellular device. But it feels really disingenuous to claim that tracking people was just as easy to do for your average stalker pre-AirTags.
> Sure, but I hope it's easy to understand that it's orders of magnitude easier to just buy an AirTag
Oh yeah, I was just pointing out that the pricing of such things is dropping like flies.
> Pretty much no regular stalker is going to design and build their own GPS+cellular tracker.
Agreed, again was just pointing out the pricing of parts.
> Yes, it's absolutely possible, and not super difficult, to track someone using a GPS+cellular device. But it feels really disingenuous to claim that tracking people was just as easy to do for your average stalker pre-AirTags.
I don't think I did claim that. I wasn't trying to claim that. Maybe that's just the limitation of using text.
> Even if someone were to do that and then sell them online, the barrier to finding and buying those are still probably going to be higher than getting an AirTag.
They're on Amazon, for $50-150 [0]. The first result for "GPS tracker" I found has 10 days of battery life, which is a fair negative, but you can do a lot to someone if you follow them for 10 days.
> I find it quite funny how they promote having tracking alerts for a tracking system that they have brought to life in the first place. They introduced the first-ever system for easy, cheap, worldwide tracking into a world where “unwanted tracking has long been a societal problem”, applaud themselves for implementing broken anti-stalking features, and now coerce others into also implementing protection against the tracking network they have rolled out.
It's almost like it's on purpose.
Imagine building a tracking system where your only way to avoid being a victim is to have everyone agree to not participate.
It seems to me that this attack leaves a very easy to detect signature of several tags that were seen only once by the same device. To counter being detected, an attacker would need to fake other readings of the same single-use "tags" by other devices. This is somewhat similar to detecting fake spam accounts in social networks. It's a cat-and-mouse game, but it seems that in this case the cat has the upper hand unless the mice are willing to put in a lot of effort to fake "realness", which might make the attack not feasible.
Not that hard, but no longer trivially done by just buying the inevitable stealth AirTag clones.
Step one: Set up one of these with a known sequence of keys: either preloaded or a derivation function (to allow it to run continuously). Plant it on your victim.
Step two: set up another one with the same key sequence, but delay it (or advance it), so that the same keys are presented, but on a delay. Plant this one in a public place with lots of iPhones, ideally moving around like on a bus or train.
Now, the keys won't be unique any more. With a bit more thought, you can probably figure a way to make it even less obvious (the decoy tags rotate faster and reuse old keys on a cycle, perhaps, so they keep pinging up and obscuring the single real one).
A lot more effort than a buy and forget device, for sure.
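The detection signature proposed two comments up (one phone reporting several keys it saw exactly once and nobody else ever saw) and the decoy traffic the reply says would hide it, both run over constructed sighting records as an added Python example. The records, the phone names, the key names and the flagging threshold are all made up for the illustration; nothing here is real Find My data or anyone's detection code, and the heuristic is implemented exactly as the commenter stated it, so its blind spot against duplicated keys is the reply's point, not a new claim.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# (reporting phone, broadcast key as seen, timestamp); constructed records, not real Find My data
Sighting = Tuple[str, str, int]


def lone_keys_by_reporter(sightings: List[Sighting]) -> Dict[str, int]:
    """Per reporter, count keys it saw exactly once that no other reporter ever saw."""
    seen_by: Dict[str, Counter] = defaultdict(Counter)  # key -> Counter(reporter -> sightings)
    for reporter, key, _ts in sightings:
        seen_by[key][reporter] += 1
    lone: Counter = Counter()
    for key, reporters in seen_by.items():
        if len(reporters) == 1:
            (reporter, count), = reporters.items()
            if count == 1:
                lone[reporter] += 1
    return dict(lone)


def flag_reporters(sightings: List[Sighting], min_lone_keys: int = 4) -> List[str]:
    """Reporters with at least `min_lone_keys` single-sighting keys (threshold is an assumption)."""
    return sorted(r for r, n in lone_keys_by_reporter(sightings).items() if n >= min_lone_keys)


def baseline_sightings() -> List[Sighting]:
    """Background traffic: ordinary keys seen repeatedly and by more than one phone."""
    s: List[Sighting] = []
    for t in range(3):
        s.append(("phone-2", "key-n1", t))
        s.append(("phone-3", "key-n1", t))
        s.append(("phone-3", "key-n2", t))
    return s


def scenario_single_use() -> List[Sighting]:
    """One phone reports six throwaway keys, each exactly once, seen by nobody else."""
    s = baseline_sightings()
    for i in range(6):
        s.append(("phone-1", f"key-x{i}", 100 + i))
    return s


def scenario_with_decoy() -> List[Sighting]:
    """The same six keys later show up from two other phones, as the decoy reply describes."""
    s = scenario_single_use()
    for i in range(6):
        s.append(("phone-7", f"key-x{i}", 200 + i))
        s.append(("phone-8", f"key-x{i}", 201 + i))
    return s


if __name__ == "__main__":
    print("single-use keys only:", flag_reporters(scenario_single_use()))
    print("with decoy traffic:  ", flag_reporters(scenario_with_decoy()))
```

The first scenario flags phone-1 on its six lone keys; once each of those keys is also reported by two other phones, every one of them fails the "only one reporter, only once" test and the heuristic reports nothing, which is why the reply calls the cat-and-mouse game winnable for a determined attacker and why a detector would need to look at more than per-key reporter counts.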
Figuring out a strategy to counter such an attack would be a fascinating game of real life tower defense, if not for the fact that if you fail, people get harmed.
Still seems mad to me that the tags aren't also rocking some kind of secure enclave so that they can, say, cryptographically sign off as genuine. Crypto chips are (perhaps literally if you own the silicon anyway) ten a penny. Even without the security implications, seems like leaving money on the table to me, which is unlike Apple.
Aren't AirTags implicitly linked to an Apple account? 99% of people have no clue how to hide their IP, you can get tracked back by the police so easily (and Apple + telcos + VPNs located in US+ jurisdiction _will_ help the police/FBI). It's almost a benefit to society: a way to enable people to commit crimes in the stupidest way possible.
> While OpenHaystack-based AirTag clones are not paired with an Apple ID, the retrieval of location reports requires authentication. Such an account however can be created anonymously using an email address without any identity/KYC-verification.
> The OpenHaystack team currently even considers running a server that proxies those location report requests, which in the future might take away the need to create an account oneself.
Imagine a clone. They use the apple network for free, while white-labeling it. They could create accounts with their own emails and IPs, and forward the data to users.
My point is, most people are completely unaware of the fact that you can still get found with an anonymous account. Apple keeps the logs and will comply with a subpoena. So, unlike a GPS tracker, you can prove in court really easily and even automate finding offenders.
If we had a government that had a proper relationship with corporate entities, when Apple launched AirTag the government would have been able to say "well we didn't think of that before, but that's fucked up and banned, you need to disable all AirTags and refund all customers."
What's preventing Apple from stopping OpenHaystack from working? Is this simply a security vulnerability that will get fixed, or is there something inherent that may not be fixable? After all, Apple knows all the IDs of the AirTags they've created.
Silly question here: modern smartphones rotate their MAC addresses frequently for privacy, but aren't the Bluetooth addresses on phones and headphones and all the rest static and easily detected?
Ahh, interesting. So I'm guessing the whole privacy-preserving digital contact tracing system was just capturing these randomly rotating keys (presumably with some signal strength filter and perhaps tuning of the frequency of key rotation) that were already beaconing out as part of having the Bluetooth stack turned up.
Can you get onto a lorawan network without some kind of service contract? Seems like it would leave a paper trail for investigators to follow, whereas the pirate AirTags described in the article are anonymous commodity hardware using the victim's Apple devices for connectivity.
Problem is:
1. Precise location of tracked object, now
This is actually one problem, and Apple didn't solve it very well: AirTag doesn't work in real-time. You only get updates when there are people near the object who use an iPhone.
> Those are not problems that needed to be solved.
An AirTag might help me find my keys if they fall out of my pocket in a restaurant restroom. A cellular-based tracker won't because (1) it will be out of battery, and (2) it won't have a GPS signal.
I guess it's a good key finder, maybe the best key finder there is. But we are seeing people explore other possibilities. Can it track vehicles, people, or pets?
Some people say that this key finder is a revolution. I don't think so.
Because it's a proof of concept using an ESP32, not because that battery capacity is fundamentally necessary for the idea to work.
It could easily be optimized for power and size. Sure, it will have to use more power than a vanilla AirTag, because it's doing (slightly) more, but not enough to make a significant difference.
You also need a way to communicate back the tracking results, which presumably implies a SIM card and thus more opportunity to get detected (and linked back to you). But yes, in theory you can (and always could) do that.
The barrier to entry would be a lot higher though, as all that's needed here is 'microcontroller with Bluetooth'. And that really makes it dangerously easy.
> You also need a way to communicate back the tracking results, which presumably implies a SIM card and thus more opportunity to get detected (and linked back to you). But yes, in theory you can (and always could) do that.
I think gp included the lorawan for that purpose. No SIM required.
But most importantly, I doubt you could build a LoRaWAN tracker as compactly as an AirTag. A beacon would use significantly less electricity and therefore require a smaller battery.
Below is one of the smallest LoRaWAN modems on the market, which by itself is marginally bigger than an AirTag. Now add batteries, GPS, antennas, and an SoC to drive the whole thing.
There are some groups building 'armageddon' mesh-based hand-held communicators like Meshtastic. Converged hardware is already there. The network probably is too in more and more metros if you're not within a few km of what you're trying to communicate with/track.
Ah right, I had overlooked that, never having seen the word "lorawan" before.
I honestly have no idea how widespread LoRaWAN is, but I would be very surprised if it came anywhere close to the coverage you can achieve using Apple users carrying your uplinks around unwittingly. (Especially if you are attempting to track an Apple user.)