AirTags can be used to tell when a house is empty, researcher warns

Piracy. Disinformation. Surveillance. CYBER is Motherboard’s podcast and reports on the dark underbelly of the internet.

A security researcher has found another creepy and potentially dangerous way to use AirTags, Apple’s new little tracking devices, to track people down and determine when a house, apartment or office is empty.

Apple is marketing the Airtaga 1.26 inch Bluetooth-enabled Apple-branded button, as the safest and most reliable way to track any item you don’t want to lose, such as a backpack, keys, purse, wallet Where even a pet.

Privacy activists have already sounded the alarm over the AirTag’s potential to be used as a stalking device. Lukasz Krol, digital security specialist at Internews, has now found another way to abuse it.

By design, an AirTag updates its owner of their location and the last time they transmitted their location through the Find My iPhone app. In practice, this means that an AirTag lets its owner know when there’s an iPhone nearby, which it uses to report its location. The AirTag interface looks like this:

Screenshot 2021-05-14 at 12.44.07 PM.png

The owner of an AirTag can deduce from this interface the last time his AirTag was near an iPhone. Because iPhones often travel with their owners virtually anywhere, the absence of an iPhone in a place could suggest that there is no one around and shows not only the whereabouts of people, but also how long they have been away.

This means that if someone leaves an AirTag near a relatively isolated house, i.e. there are not many iPhones, the owner of the AirTag could know when no one is there. is at home. This obviously only works if you know that the inhabitants of a house are all iPhone users.

In a blog post he published on Monday but shared with Motherboard ahead of time, Krol explained how he tested his hypothesis. He said he left an AirTag at a friend’s house, which is far enough from other homes that the AirTag won’t flag other iPhones. When his friend was home, the AirTag reported his location. When no one was home, the AirTag did not send a beacon at all.

“Stationary AirTags, if tracked intelligently, can give a lot of data on iPhone owners’ movements,” Krol told Motherboard during an online chat. “Not only that, but they can do it while looking totally harmless and also offering plenty of plausible deniability.”

By this, Krol means that once they become ubiquitous, it won’t be difficult for someone with bad intentions to leave an AirTag in a place of interest and pretend it was a mistake.

Krol said there are simple ways Apple can mitigate these risks. The company could decide not to display the specific time an AirTag updated its location, or replace the phrase “last updated” with “last moved”, or hide the times of the last move.

Do you research vulnerabilities in Apple products? We would love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at [email protected], or email [email protected]

Another example, Krol said he was renting an Airbnb in Krakow. He left an AirTag in the apartment, then walked around and immediately saw the AirTag updating his location via the neighbor’s iPhone, inferring that someone was home in the apartment. ‘next to.

Obviously, these risks are mitigated in densely populated cities, where there can be lots of iPhones, making it difficult to determine when an apartment is actually empty, Krol explained.

Apple did not respond to a request for comment.

Just weeks after they were released to the public, several security researchers and hackers discovered security and privacy issues with AirTags.

Albert Fox Cahn, founder and executive director of the Surveillance Technology Oversight Project (STOP), and Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and one of the world’s leading stalkerware experts, argued that AirTags are “a giveaway for stalkers” as they can be easily hidden in someone’s car or bag and used to follow them wherever they go.

Especially, as The Washington Post reportedthe anti-harassment measures that Apple established are not enough to stop this threat. AirTags are programmed to trigger an alarm if they’re separated from their owner’s iPhone for more than three days, which could in theory alert someone being stalked that there’s a hidden AirTag nearby. But “the audible alarm only sounded after three days, then it turned out there were only 15 seconds of soft chirping,” as the Postwrote Geoffrey A. Fowler. The other anti-harassment feature designed by Apple is to have an iPhone alert its owner if an unknown AirTag has traveled with it. But of course, that won’t help the millions of people who use Android phones.

Thomas Roth, a hardware hacker who goes through Stacksmashing online, ripped an AirTag, jailbroken it and was able to Rickroll an iPhone nearby. Roth thinks it’s possible to abuse the accelerometer and turn the AirTag into a listening device. Fabian Braunlein, security researcher at Positive Security, was able to force an AirTag to broadcast arbitrary data to nearby Apple devices via the Find My protocol.

These can all be growing pains of a new product. But the ball is now in Apple’s court to make some minor but crucial changes to its new gadget.

Subscribe to our CYBER cybersecurity podcast, here.

Comments are closed.