AirTag stalking concerns continue to be voiced, regardless of the fact that Apple’s tracker isn’t a viable option for this purpose. Nevertheless, security researchers have designed a clone of Apple’s AirTag in an effort to prove to the company that the tracking protection features of the Find My network can easily be bypassed.
AirTag has recently been under fire due to numerous reports of the technology being involved in thefts and stalking, despite Apple including features to limit its misuse. In response to the increasing criticism, Apple said that it will introduce several changes to the Find My network feature to address users’ privacy concerns.
An earlier blog post by security researcher Fabian Braunlein of Positive Security presented some obvious bypass ideas for several of the current and upcoming protection measures, all of which the researcher claims can be put into practice.
Following the post, and in order to check the claims, a cloned AirTag was developed. According to the reports, the clone was able to track an iPhone user for over five days without triggering a single tracking notification.
Apple is working to decrease the delay before an AirTag beeps after separation from a paired Apple device, from over 3 days to somewhere between 8 and 24 hours. The clone works around this entirely by not having a functional speaker.
In terms of notifications to a potential stalking victim, the researcher notes that Apple faces a privacy trade-off that pulls in two directions. The company wants AirTags to be indistinguishable from one another over Bluetooth to prevent identification of a specific tag, yet it also wants to be able to identify specific AirTags over time to distinguish between a tag traveling with the user and one merely passing by.
Of the upcoming changes, items such as privacy warnings during setup, AirPods alert changes, and updated support documentation were considered irrelevant to the clone. Precision Finding using Ultra-Wideband could not be covered either, since the microcontroller used didn’t include a UWB chip.
Making The Clone
To build the clone itself, Braunlein based the system on OpenHaystack, a framework used for tracking Bluetooth devices using the Find My network feature. The build used an ESP32 microcontroller with Bluetooth support, a power bank, and a cable to create a non-AirTag clone.
During testing, the Android Tracker Detect app did not detect the cloned AirTag at all. However, AirGuard, an Android tool used to scan for nearby Find My devices, was able to keep tabs on the cloned device.
Over the five days, the cloned AirTag was tracked via a macOS tool modified for the project, while neither the subject nor an iPhone-owning roommate reported receiving any tracking alerts during the period.