AirTags can be used to determine when a house is empty, warns researcher


A security researcher has found another creepy and potentially dangerous way to use AirTags, Apple’s new little tracking devices, to track people down and find out when a house, apartment, or office is empty.

Apple markets the AirTag, a 1.26-inch Bluetooth-enabled Apple-branded button, as the safest and most reliable way to track any item you don’t want to lose, such as a backpack, keys, a purse, wallet, or even a pet.

Privacy activists have already sounded the alarm bells about the AirTag’s potential for use as a stalking device. Lukasz Krol, digital security specialist at Internews, has now found another way to misuse them.

By design, an AirTag tells its owner its location, and the last time it reported that location, through the Find My iPhone app. In practice, this means that an AirTag tells its owner when there is an iPhone nearby, because AirTags rely on nearby iPhones to report their location. The AirTag interface looks like this:

[Screenshot: the AirTag interface]

From this interface, the owner of an AirTag can deduce the last time their AirTag was near an iPhone. Because iPhones travel with their owners virtually everywhere, the absence of an iPhone in one location might suggest that there is no one around. The interface therefore shows not only when people have come and gone, but also how long they've been away.

This means that if someone leaves an AirTag near a relatively secluded house, that is, one without many iPhones around, the AirTag owner might know when there is nobody at home. This obviously only works if you know that the inhabitants of the house are all iPhone users.

In a blog post he published on Monday but shared with Motherboard ahead of time, Krol explained how he tested his hypothesis. He said he left an AirTag at a friend's house, which is far enough away from other homes that the AirTag does not ping other iPhones. When his friend was at home, the AirTag reported its location. When there was no one at home, the AirTag did not send a beacon at all.

“Fixed AirTags, if they are intelligently located, can give a lot of data on the movements of iPhone owners,” Krol told Motherboard in an online chat. “Not only that, but they can do it while still looking completely harmless and also offering a lot of plausible deniability.”

By this, Krol means that once AirTags are ubiquitous, it won't be difficult for a malicious person to leave one in a place of interest and pretend it was a mistake.

Krol said there are easy ways for Apple to mitigate these risks. The company could decide not to display the precise time at which an AirTag updated its position, or to replace the expression “last updated” with “last trip”, or to hide the last times moved.

Are you looking for vulnerabilities in Apple products? We would love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, the OTR chat at [email protected], or by email at [email protected]

As another example, Krol said he was renting an Airbnb in Krakow. He left an AirTag in the apartment, then went for a walk and immediately saw that the AirTag was updating its location through the neighbor's iPhone, thus deducing that someone was at home in the apartment next door.

Obviously, these risks are mitigated in densely populated cities, where there can be a lot of iPhones, making it difficult to know when an apartment is actually empty, Krol explained.

Apple did not respond to a request for comment.

Just weeks after they were released to the public, several security researchers and hackers discovered security and privacy issues with AirTags.

Albert Fox Cahn, founder and executive director of the Surveillance Technology Oversight Project (STOP), and Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and one of the world’s leading stalkerware experts, argued that AirTags are “a gift for stalkers” because they can be easily hidden in someone’s car or bag and used to follow them wherever they go.

And, as The Washington Post reported, the anti-harassment measures put in place by Apple are not enough to stop this threat. AirTags are programmed to sound an alarm if they are separated from their owner’s iPhone for more than three days, which in theory could alert someone who is being harassed that there is a hidden AirTag nearby. But “the audible alarm only sounded after three days, then it turned out that there was only 15 seconds of light chirping,” as the Post’s Geoffrey A. Fowler wrote. The other anti-harassment feature designed by Apple is to have an iPhone alert its owner if an unknown AirTag has traveled with it. But of course, that won’t help the millions of people who use Android phones.

Thomas Roth, a hacker who goes by Stacksmashing online, tore down an AirTag, jailbroke it, and was able to make it Rickroll a nearby iPhone. Roth believes it’s possible to abuse the accelerometer and turn the AirTag into a listening device. Fabian Braunlein, security researcher at Positive Security, managed to force an AirTag to broadcast arbitrary data to nearby Apple devices via the Find My protocol.

These may all be growing pains for a new product. But the ball is now in Apple’s court to make some minor but crucial changes to its new gadget.
