The article misses one of the design goals that's pretty obvious if you look at the reverse-engineered Airtag protocol: they don't do any public key cryptography at all on the tag itself. And the reason for that is that it would wreck their battery life.
Anything that relies on "attestation" violates that constraint.
Of course, another possible approach would be to JUST NOT HAVE THE NETWORK...
> The article misses one of the design goals that's pretty obvious if you look at the reverse-engineered Airtag protocol: they don't do any public key cryptography at all on the tag itself. And the reason for that is that it would wreck their battery life.
>
> Anything that relies on "attestation" violates that constraint.
Article author here. Thanks for making this point.
I agree that you want to minimize the amount of ECC on the tag and certainly you don't want each advertisement to require a separate EC op. However, I don't think the requirement is no crypto on the tag.
1. Each time you change keys (every 15 minutes in detached mode) you have to do some EC crypto ops.
2. You could require attestation only prior to reporting, thus keeping the cost fairly low. Note that this does allow a nearby attacker to force you to do crypto but they can also cause you to run the speaker, which consumes power.
There is a paper called BlindMy that points out you can have Apple do the attestation using blind signatures over the tag broadcasts, then store the signed messages on the tag. Requires more RAM but the blind signing protocol actually can be run by a phone, so doesn’t really stress the system. Particularly when the identifier only changes once per day, so only 365 signatures per year. https://petsymposium.org/popets/2023/popets-2023-0006.php
PS Changing the identifier once per day is very bad for privacy.
The vast majority of the value of the Tiles I own isn't figuring out where my keys might have been moved by someone else since I lost them, it is noticing (and remembering) when (and where) I left them and then helping me zero in on them once I am back there, something that can be done entirely using just my phone. The remaining product once you support those two features--neither of which require a "network"--has only niche applications to edge cases involving losing things and stalking people (as well as adding a bunch of difficult-to-avoid third-party surveillance).
I am responding to "Without the network, you don't have much of a product." and believe that my comment correctly and directly disproves that assertion.
Interesting that the OP doesn’t consistently get the “stalker” warning. I see it consistently within 30-45 mins when I’m with a dog whose tag is registered to someone else and they leave my vicinity.
It’s a shame Apple had to kill the theft use case to prevent stalking. I assume thieves are well aware of this now.
I use AirTags to help keep track of my young kids at busy places, and the "safety" measures interfere with that as well (when thinking of a hypothetical abduction).
Personally I think the stalking fear is overblown, and it's unfortunate that they interfere with other use cases to prevent that one.
> Personally I think the stalking fear is overblown
I used to think that, but I know one woman who was stalked with an AirTag and I personally know too many women who were stalked even before these tags came along.
The one thing I have learned in life: as a large male, I simply view the world through a completely different lens than a small woman does.
There are many things that we accept in the US that have both beneficial and harmful uses: guns, cars, knives, alcohol, Tylenol. Many of those kinds of things disproportionately impact one sex (or category) of people, but their overall utility outweighs the risks and downsides. Our solution is to ban the abuses (murder, assault, stalking) but not the product itself. I don’t see why this one needs special treatment.
I would take a $1000 bet with you that stalking cases by a known adversary outnumber child abduction by strangers. Not sure how to find the stats though.
I can tell that’s the case without looking at any stats. I’ve been monitoring AMBER alerts here in Canada for the past 4 years, and 100% of the cases are just parents taking their kids back, wasting a whole system's resources for that...
AMBER is generally a waste because it's oriented towards kidnappings by strangers. But kidnappings by parents aren't always no big deal: parents sometimes lose custody because they're a serious risk towards their children.
Talk to somebody who works at a women’s shelter. These days pretty much all domestic abuse involves a technological component, and tags are definitely included in that.
> Depending on the design of the tag, it might be possible to rewrite the firmware to violate the requirements in this document, for instance by rotating the MAC address frequently to evade detection (oddly: this document says "The accessory SHOULD have firmware that is updatable by the owner", which is the opposite of what you want here.)
One part of me supports this Stallman-esque proposition as self-evident: of course the owner should have the ability to update the firmware. Another part of me is deeply concerned about the potential for misuse, including modifications that explicitly evade detections of stalking. Tracking another human and violating their privacy shouldn't have been so easy.
There are two sides here that should not be confused. On one side we have "the network", i.e. the ability for these tags to be tracked through a myriad of iPhone owners that are not even aware that they are doing the tracking. On the other hand, we have the broadcasts emitted by the tag itself, which can announce the presence of the tag to a _nearby_ stalker.
What actually makes these tags interesting, I think, is the network.
While changing the firmware of the tags makes it (probably) easier to track nearby ones "locally" with specialized software, it will not change its interaction with the Apple network whatsoever -- it will not make it easier nor harder to stalk long-distance.
And if you are only interested in "local area stalking", I presume there are much smaller, cheaper and even more conspicuously looking trackers than an Apple AirTag.
> What actually makes these tags interesting, I think, is the network.
I mean, that mostly only makes them more interesting for the stalking use case, no? If you left your wallet at a restaurant, you don't need the network: you need your phone to notice it lost the connectivity to the wallet when you left the restaurant and you need the ability to find where in the restaurant it might be once you go back there to get it. I've been using Tile for years and have been extremely happy--hell: I end up using it every couple days to find something--despite never once having an interest in their "network".
How sensitive is the phone's "I'm being tracked" algorithm? It doesn't go by tag owner but by Bluetooth MAC.
If I buy 4 tags, register them all to me, overwrite the firmware on one so it rotates between 4 IDs, once every 15 minutes, then the phone won't see the tag as following it. Hell, you could glue 4 of them to transistors, a power supply, and a circuit to turn them on and off in rotation without modding the firmware.
It might! I don't know what's in Apple's closed source blob that implements the "am I being stalked" behavior and what parameters actually trigger it. Maybe you need to rotate between 60 tags, or 600.
Oh for the love of... can we please address the giant pink elephant blowing fire rings doing a hula dance on a tricycle in the room?
"Stalking" was possible 15+ years ago with $5 worth of sketchy hardware off eBay or AliExpress. AirTags didn't all of a sudden invent a new problem.
What's worse is every crypto dork at these companies is pretending like the main use case _isn't_ recovering your stolen stuff. Let's be real: "finding your lost stuff" is a secondary use case. "Theft Recovery" is the primary use case.
The protocols need to somehow cover theft, as theft is a much much bigger problem than stalking.
> "Stalking" was possible 15+ years ago with $5 worth of sketchy hardware off
No, it was not possible 15 years ago with 5 USD equipment. The AirTags are not just using Bluetooth for close-range detection, but use all Apple devices in the world, so it's also locatable over long distances. While that could be built 15 years ago, it would not be as cheap and as small.
> What's worse is every crypto dork at these companies is pretending like the main use case _isn't_ recovering your stolen stuff. Let's be real: "finding your lost stuff" is a secondary use case. "Theft Recovery" is the primary use case.
I regularly used Tiles to find lost stuff. Then I got better at not losing things and stopped. I've never considered using them for theft recovery. Sounds illegal. Are you just showing up at random people's apartments and threatening them or something?
Someone stole my car last year - luckily, I had an AirTag stashed in a side compartment. I tracked it down to the other side of the city and stole it back from the parking lot of the shopping center while the thieves were busy shopping. Or shoplifting, more likely, given their treatment of my car. It’s not illegal to take something that’s yours back from someone who’s stolen it.
Oh, it was definitely dangerous, we rolled up to the parking lot ready to fight... and I am incredibly relieved that it wasn't necessary. My buddy was like "let's wait for them to come out of the store!" - like no dude, I just want my car back.
It's not about what it's worth - although obviously, I'm attached to my car, I've had it a while and I'm fond of it - it's about what's right. My car belongs to me. Someone took it from me. I have to take it back. That's just how it works for me. Otherwise, what good is property or privacy? What good are boundaries that you don't enforce?
You do realise that things can evolve and thus become bigger problems than what they originally were, right?
A few examples:
* cars. They've been a thing since the late 1800s/early 1900s, yet they didn't become a problem until they were prevalent, forcing urban planning to accommodate them at the expense of everything else, and their pollution became a global problem.
* porn online: great for the consumers and producers, until it became easy to upload whatever one wants, bringing in a torrent of revenge and/or unconsenting content
* guns: groups of people having a rifle for self-defence/hunting is perfectly fine. Every random person having automatic rifles and pistols and shotguns with all the ammo they could want leads to unstable people going on murder sprees.
* Misinformation and targeted propaganda: yeah it was bad when your local newspaper was run by a piece of shit that lied for money/engagement/to further their own interests, but as we've seen today, it's drastically worse when anyone anywhere in the world can have their words heard and believed. We had ISIS recruitment, political meddling, serial murders and neo-nazi/adjacent terrorists all inspired by hateful words read anonymously online from faraway places (e.g. the piece of shit in New Zealand or the other one in Norway, or the Qanon idiots in Germany).
* AirTags: yes, stalking has existed for a long time, and tools to enable it have too. That doesn't mean that AirTags don't make it drastically easier to do so - it's something everyone has heard of, can easily pick up/buy, have an excuse for what it's for, etc. vs the harder, but still possible route of buying random hardware off AliExpress. Like suicides, access to guns makes attempts easier and more lethal; most people won't put in too much effort.
Oh, and vigilante "justice" is something dangerous for everyone involved that shouldn't be encouraged. In the stealing back your car example, what if the thieves saw that, and opened fire? Is anyone seriously willing to die over a car?
"Bluetooth wardriving" has promising google results, e.g. [1] [2] [3]. That would involve either driving around with such a setup, or planting a couple of them, depending on your coverage and update requirements.