Cybersecurity researchers have managed to build a clone of the Apple AirTag that circumvents the anti-stalking protection technology built into its Find My Bluetooth-based tracking protocol.
The result is a stealth AirTag that can successfully track an iPhone user for over five days without triggering a tracking notification, Positive Security’s co-founder Fabian Bräunlein said in a deep-dive published last week.
Find My is Apple’s asset tracking app that allows users to track the GPS location of iOS, iPadOS, macOS, watchOS devices, AirPods, AirTags as well as other supported third-party accessories through a connected iCloud account. It also enables users to view the location of others who have opted to share their location.
This is far from the first time weaknesses have been uncovered in Apple’s Find My system. In March 2021, the Secure Mobile Networking Lab at the Technical University of Darmstadt, Germany (SEEMO) disclosed design and implementation flaws in the protocol that can lead to a location correlation attack and unauthorized access to users’ location histories.
Then in May 2021, Bräunlein followed it up by sharing details of a communication protocol built on top of Find My that enables arbitrary data to be uploaded from non-internet-connected devices by sending “Find My” Bluetooth broadcasts to nearby Apple devices that can carry out the data upload.