The linked article discusses each anti-stalking feature and how it can be bypassed in theory. Fabian then goes on to describe how he implemented those ideas to build a stealth AirTag and successfully tracked an iPhone user (with their consent of course) for over 5 days without triggering a tracking notification.
The goal of this blog post is to raise awareness of these issues, to hopefully also guide future changes. In particular, Apple needs to incorporate non-genuine AirTags into their threat model, thus implementing security and anti-stalking features into the Find My protocol and ecosystem instead of in the AirTag itself, which can run modified firmware or not be an AirTag at all (Apple devices currently have no way to distinguish genuine AirTags from clones via Bluetooth).
AirTags have certainly posed a dilemma between owners abusing their own AirTags and warning a thief who has deliberately stolen an item you are tracking. I do have my AirTags set to alert me if I'm parted from them when away from home, but I must say I don't normally hear the alert tone, and only realise I have left the item behind a little later when I actually look at the visual notifications. Of course, anyone wanting to track someone without their knowledge could use Samsung or Tile tags, or one of the miniature GPS transmitters. But nevertheless, this is still an interesting article.
See Find You: Building a stealth AirTag clone | Positive Security

#technology #privacy #airtag #tracking #findyou

We built an AirTag clone capable of silently and continuously tracking someone. The device accomplishes this by sending just one beacon per generated public key, thereby staying invisible to tracking notifications for iOS users and Apple’s Tracker Detect Android app.