Apple AirTags are great for keeping track of your wallet or phone.
They’re also great for stalking.
Apple designed the tiny tracker—small enough to fit in the palm of the hand—to help people find personal objects. Stick it in your wallet or on your keys and then you can use Apple’s “Find My Devices” tool to see where the tag is located.
But it’s also easy to slip AirTags into bags or the backseat of a car, leading to people being tracked without their knowledge. There’s currently a class-action lawsuit against Apple claiming that stalkers and abusers have weaponized the $29 devices to track and harass their victims. The suit has 37 plaintiffs.
Apple has tried to address this: iPhone users around an AirTag that isn’t registered to them will get a notification after a few hours that tells them they’re around an unknown device. But Northeastern researchers found these alerts can come too late and even be bypassed.
“There was an increase in the number of cases for threatening and harassment (due to AirTags),” said Narmeen Shafqat, a Ph.D. student at Northeastern University studying cybersecurity and researcher on the project. “You get all these good (stories) that people have found their luggage because they had an AirTag, but I believe the AirTag is a double-edged sword. For anyone who’s trying to track someone, like their ex-girlfriend or partner, this can have very grave implications.”
AirTags work thanks to Bluetooth technology, explained Aanjhan Ranganathan, an assistant professor at Khoury College of Computer Sciences who was the lead faculty adviser on the research. AirTags transmit Bluetooth signals continuously. All nearby phones can pick up these signals and send them to Apple servers, so the AirTag owner knows exactly where their device is located.
“The problem is that the owners have full control over these AirTags,” Ranganathan explained. “You can basically place it under the car. You can hide it very well and even drop it into handbags and start tracking people. This is not a good thing.”
Apple made it so that if your phone is continuously hearing messages from an AirTag that is not associated to you, they send a notification that an AirTag that does not belong to you is following you. Users then have the option to see where the device is located and disable said AirTag. Apple also does this with other devices such as AirPods, Ranganathan said.
The researchers looked primarily at how Apple sends notifications to iPhone users when around an AirTag that isn’t theirs. They did this by pairing an AirTag with a master device and leaving said device in one place. They then would bring the AirTag plus an unassociated iPhone around with them to see how long it’d take the notification to kick in. They tested the devices at different times of day and in different locations, like on a remote beach in Nahant, to see if the presence of others affected the alert.
The study, published as part of the Proceedings on Privacy Enhancing Technologies, found that notifications about unknown AirTags can take anywhere from 30 minutes to nine hours to come in. The researchers found alerts came in more quickly at night when it was more likely users were around someone stalking them or when the victim was within 4 meters of the main device, explained Nicole Gerzon, a fifth-year cybersecurity student involved in the study.
Apple also sent alerts more quickly when users were in a place they frequent like their home or work.
“That was definitely something we weren’t initially expecting,” Gerzon said. “But it was something Apple took into account.”
Researchers also found it’s possible for users to reconfigure AirTags to bypass these safety methods, allowing people to be around an unknown AirTag for months without ever receiving an alert.
“So now, you can just put it in any belonging of the victim and they can move around here and there and they won’t get that notification,” Shafqat said.
The team reported this to Apple but the company did not get back to them for several months. However, the company has teamed up with Google to figure out ways to alert users to the presence of unwanted tracking devices. Northeastern researchers are offering input on this following their study.
“Once it’s an industry-wide standard, we hope that these attacks come to a low level,” Shafqat said.
But Ranganathan said the issue will likely be difficult to solve. If phones start sending more notifications about unwanted tracking devices, people may start getting notifications every time they’re on public transit or walking down the street.
“I think it’s an extremely hard problem to solve without annoying the users,” he added.
Gerzon said the research team does hope though that Apple will make efficient changes which will lead to other developers using better mechanisms when making tracking devices.
“One of the reasons why we chose to study AirTags is because Apple offers one of the highest levels of protection against stalking in the market,” Gerzon said. “Proactive alerts aren’t offered by the majority of smart tracking groups. If Apple’s having these issues despite all their hard work, then there’s clearly something going on on a baseline level. … I think that if consumers are more aware (of this), we’re able to keep big companies like Apple more accountable to make secure software.”
Narmeen Shafqat et al, Track You: A Deep Dive into Safety Alerts for Apple AirTags, Proceedings on Privacy Enhancing Technologies (2023). DOI: 10.56553/popets-2023-0102
Apple AirTags can track a lost suitcase, but slow to alert for stalking, researchers say (2023, October 24)
retrieved 25 October 2023
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no
part may be reproduced without the written permission. The content is provided for information purposes only.