116 makezine.com
SKILL BUILDER: Find My Trackers
requires the user to perform an “active scan” via the app while being tracked. AirGuard, released by the OpenHaystack team, is an alternative app that also supports continuous scanning in the background.
As a side effect of trying to prevent this misuse, AirTags also lose their appeal for recovering stolen items, as thieves will also be notified of an AirTag and can even trigger sounds to locate and remove it.
Both Apple’s and AirGuard’s detection methods rely on the fact that an unmodified AirTag changes its public key only once per day and can therefore be “tracked” by nearby devices for a limited time. We can bypass their detection by rotating over many public keys and only sending one broadcast per public key (or waiting long enough before repeating a key). This essentially emulates thousands of different AirTags and, to a detection app, makes carrying this tracker almost indistinguishable from walking through a busy area with many different AirTags quickly passing by, which should not trigger an alert.
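The following is an added example, not code from the article, the Find You project, Apple, or AirGuard. It models the detection heuristic described above in simplified form: advertisements are grouped by the public key they carry, and an alert is raised only when one key has been seen alongside the user for longer than a dwell threshold. The threshold value, the key format, and both sets of sightings are constructed assumptions; real detectors also check that the user actually moved between sightings, which is omitted here.

```python
"""Simplified model of the per-key dwell-time heuristic used by tracker detection apps.

Added example (not the article's or the Find You project's code). The alert
threshold and the sample sightings below are constructed for illustration.
"""
from collections import defaultdict

# Assumption: a key must accompany the user for at least 4 hours before an alert.
ALERT_AFTER_SECONDS = 4 * 3600


def dwell_alerts(sightings, alert_after=ALERT_AFTER_SECONDS):
    """Return the set of keys whose sightings span at least `alert_after` seconds.

    sightings: iterable of (timestamp_seconds, key) where `key` is an opaque
    identifier standing in for the public key carried in a Find My advertisement.
    Sightings may arrive in any order; min/max are taken per key.
    """
    first_seen = {}
    last_seen = {}
    for ts, key in sightings:
        first_seen[key] = min(ts, first_seen.get(key, ts))
        last_seen[key] = max(ts, last_seen.get(key, ts))
    return {k for k in first_seen if last_seen[k] - first_seen[k] >= alert_after}


def distinct_keys(sightings):
    """Number of different keys observed; shows what the detector has to reason about."""
    per_key = defaultdict(int)
    for _, key in sightings:
        per_key[key] += 1
    return len(per_key)


def stable_key_scenario():
    """Constructed: one unmodified tag, same key seen every 10 minutes for 8 hours."""
    return [(t, "key-stable") for t in range(0, 8 * 3600 + 1, 600)]


def busy_area_scenario():
    """Constructed: many different tags passing by, each key seen exactly once."""
    return [(t, f"key-{i:04d}") for i, t in enumerate(range(0, 8 * 3600 + 1, 600))]


if __name__ == "__main__":
    # The stable key accompanies the user for 8 h and trips the heuristic;
    # the busy-area stream contains 49 keys, none of which dwell, so no alert.
    print("stable tag alerts:", dwell_alerts(stable_key_scenario()))
    print("busy area keys:", distinct_keys(busy_area_scenario()),
          "alerts:", dwell_alerts(busy_area_scenario()))
```

Because the heuristic scores each key in isolation, a stream of many short-lived keys is scored the same whether it comes from many tags or from one device, which is exactly the gap the article describes.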
I created such a “stealth” AirTag clone and confirmed it working in a real-world experiment, where I tracked an iPhone user (with their consent, of course) for over 5 days without them receiving any notification. The stealth tracker is also not detected by an active scan with Apple’s Tracker Detect app for Android (Figure J).
The modified firmware and a macOS retrieval application optimized to handle thousands of virtual trackers can be found in the Find You repository on our GitHub, github.com/positive-security/find-you.
Potential Use Cases
The possibility to piggyback on the Find My offline finding network with AirTag clones enables many use cases that were infeasible or much more expensive before:
• Adding loss/theft prevention to anything: AirTags inform thieves of their presence by playing a sound and triggering tracking alerts. Once found, an AirTag can simply be removed and deactivated.
An AirTag clone would not have this problem and could stay hidden for longer. Devices that already have Bluetooth onboard (e.g. Bluetooth speakers or some 2FA devices) could simply also send out Find My broadcasts (in stealth mode) to make them locatable. For others, a small Bluetooth beacon could be embedded in the product itself (e.g. in a suitcase, purse, or e-bike battery).
After publishing the Find You research, we were also contacted by a security engineer who wanted to use such stealth trackers to fight the rising number of kidnappings of children in their area.
• Industrial/large-scale usage: The Find My app limits the number of AirTags to 16 per account, and the raw location reports are not exposed to the user. When using OpenHaystack, no such limits exist and it’s possible to have a fleet of thousands of low-cost trackers whose location reports can be further processed in an automated way. This could make it attractive, for example, for rental car companies to fit their cars with
Fabian Bräunlein, Daniel Dakhno
NOTE: The data transmission and stealth mode modifications can in theory also be implemented in an actual Apple AirTag, by updating its firmware. Check out the paper “AirTag of the Clones: Shenanigans with Liberated Item Finders”: github.com/seemoo-lab/airtag/blob/main/woot22-paper.pdf.