Security researchers have created a clone of Apple’s AirTag, in an attempt to prove to Apple that the device and the Find My network’s tracking protection features can be circumvented.
The AirTag has been the subject of numerous reports involving tracking and personal security: it has been used for theft and harassment even though Apple includes features meant to limit such use. Following criticism of the abuse, Apple said on February 10 that it would introduce several changes to the Find My network to address the harassment problem.
In a blog post published Monday, security researcher Fabian Braunlein of Positive Security laid out several “pretty obvious workaround ideas” for the current and upcoming safeguards. Braunlein argues that each of them can be circumvented.
To test the hypothesis, a cloned AirTag was produced. The report claims that the stealth AirTag was able to track an iPhone user for more than five days, without triggering tracking notifications.
The researcher offered ways to counter a number of elements of Apple’s planned changes, starting with Apple’s point that each AirTag has a unique serial number associated with an Apple ID. That protection does not apply here: the clone carries no AirTag serial number, in hardware or in software, and it has never been associated with an Apple ID.
Apple is also shortening the time an AirTag separated from its paired Apple device waits before it starts beeping, from three days to between 8 and 24 hours. The clone sidesteps this by having no working speaker. This measure has, moreover, already been defeated by the sale of AirTags whose speakers have been removed or disabled.
Regarding notifications to a potential victim of stalking, Braunlein notes that Apple faces a privacy trade-off pulling in two directions. Apple wants AirTags to be indistinguishable from one another over Bluetooth so that a specific tag cannot be identified, yet it also needs to recognize a specific AirTag over time in order to tell a tag that travels with a user apart from one that merely passes by.
In Braunlein’s workaround, the clone was preloaded with a list of over 2,000 public keys and broadcast a new one every 30 seconds.
Among the upcoming changes, privacy warnings during setup, changes to AirPods alerts, and updated support documentation were deemed irrelevant to the clone. Precision Finding using Ultra Wideband is also not covered, because the microcontroller used has no UWB chip, so the clone cannot be located that way.
Making the clone
To build the clone, Braunlein based the system on OpenHaystack, a framework for tracking Bluetooth devices over the Find My network. Using an ESP32 microcontroller with Bluetooth support, a power bank, and a cable, a clone containing no AirTag hardware at all was created.
The clone ran custom ESP32 firmware that constantly rotated public keys, sending one at a time, with the full list repeating approximately every 17 hours. Braunlein believes, however, that a seed and key-derivation algorithm shared by the clone and the Mac application tracking it could produce a “virtually never-repeating keystream.”
Additionally, using a one-way function and overwriting the seed each time the next key is derived would make it impossible for law enforcement or Apple to recover the previously broadcast public keys, even with physical access to the clone.
During testing, Apple’s Android app Tracker Detect did not show the cloned AirTag at all. AirGuard, an Android tool for finding nearby Find My devices created by the TU Darmstadt lab behind OpenHaystack, was able to track the cloned device, although the rotating public keys made it appear as many separate devices.
Over the course of five days, the AirTag clone could be tracked, with the target’s location displayed at home and during occasional trips out of the home via a macOS tool modified for the project. Neither the subject nor a roommate with an iPhone received any tracking alerts during the period.
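The trade-off Braunlein describes and the "appears as many devices" observation above can be illustrated with a small simulation. This is an added example, not code from AppleInsider, Positive Security, or Apple: the scan log, the 30-second key slot, the 15-minute detector window and the fresh-key thresholds are constructed assumptions. The first check models the per-identifier "is this tag travelling with me" idea the article describes; the second is one illustrative population-level heuristic a detector could use instead, not Apple's algorithm.

```python
"""
Simulated Bluetooth scan log on a victim's phone, with three kinds of beacon:
  - an unmodified tag (simplified here to a fixed identifier),
  - a clone cycling through a preloaded key list, one key per 30-second slot,
  - strangers' tags that pass by once and are never seen again.
All values are constructed for the example.
"""
from collections import defaultdict
import hashlib

SLOT = 30            # seconds each public key is advertised (article: every 30 s)
WINDOW = 15 * 60     # detector groups sightings into 15-minute windows (assumption)


def rotating_keys(n: int, seed: bytes = b"constructed-seed") -> list[str]:
    """Stand-in for a preloaded list of n distinct public-key identifiers."""
    return [hashlib.sha256(seed + i.to_bytes(4, "big")).hexdigest()[:16]
            for i in range(n)]


def simulate_scan_log(hours: float, with_clone: bool = True) -> list[tuple[int, str]]:
    """Return (timestamp, advertised_identifier) pairs in time order."""
    keys = rotating_keys(2000)
    log = []
    for t in range(0, int(hours * 3600), SLOT):
        log.append((t, "tag_static"))                     # unmodified tag, always present
        if with_clone:
            log.append((t, keys[(t // SLOT) % len(keys)]))  # clone: new key each slot
        if t % 600 == 0:                                   # a passer-by every 10 minutes
            log.append((t, f"passerby-{t}"))
    return log


def per_identifier_alert(log, min_windows: int = 3) -> list[str]:
    """Flag identifiers seen in at least min_windows distinct windows.
    This is the per-tag notion the article attributes to Apple: a tag that keeps
    reappearing is 'travelling with you'. A key that is only ever seen for one
    30-second slot never reaches the threshold, so the clone is invisible here."""
    windows = defaultdict(set)
    for t, key in log:
        windows[key].add(t // WINDOW)
    return sorted(k for k, w in windows.items() if len(w) >= min_windows)


def fresh_key_rate_alert(log, threshold: int = 10, min_consecutive: int = 4) -> bool:
    """Illustrative alternative (assumption, not Apple's design): count identifiers
    never seen before in each window. Passers-by produce a trickle of new keys;
    a rotating-key beacon that stays with the phone produces a steady flood."""
    seen = set()
    fresh_per_window = defaultdict(int)
    for t, key in log:
        if key not in seen:
            seen.add(key)
            fresh_per_window[t // WINDOW] += 1
    run = 0
    for w in sorted(fresh_per_window):
        run = run + 1 if fresh_per_window[w] >= threshold else 0
        if run >= min_consecutive:
            return True
    return False


if __name__ == "__main__":
    with_clone = simulate_scan_log(5)
    without_clone = simulate_scan_log(5, with_clone=False)
    print("per-identifier, clone present :", per_identifier_alert(with_clone))
    print("fresh-key rate, clone present :", fresh_key_rate_alert(with_clone))
    print("fresh-key rate, clone absent  :", fresh_key_rate_alert(without_clone))
```

With the clone present, the per-identifier check reports only the unmodified tag, which is exactly the blind spot the article describes; the fresh-key-rate heuristic fires because roughly thirty never-seen identifiers show up in every window for hours on end, while the same log without the clone stays quiet. The heuristic is deliberately coarse (a crowded train would also raise the fresh-key count), so in practice it would need to be combined with location or motion context.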
A hope for change
Summarizing the tests, Braunlein argues that the main risk lies not with AirTags themselves, “but with the introduction of the Find My ecosystem that uses customer devices to deliver this Apple service.” Since the current Find My network cannot be restricted to AirTags and hardware officially licensed to use it, Braunlein thinks Apple should consider strengthening its security.
“They should consider threats from custom, potentially malicious tags that implement the Find My protocol, or AirTags with modified hardware,” Braunlein writes. “With a cheaper power bank and ESP32 than an AirTag, this might be an added incentive for some to build a clone themselves instead.”
The researcher concludes: “While we do not encourage abuse, we hope that sharing this experience will bring positive changes to the security and privacy of the Find My ecosystem.”