A worrying Etsy listing reveals the stalking potential of Apple’s AirTags
In April of 2021, Apple introduced AirTags to the world, making the small tracking devices—similar to a Tile—available for purchase at the end of that month. The circular, coin-like product is designed to be attached to or placed in objects that are commonly lost, such as keychains, wallets, purses, backpacks, etc.
You can track an AirTag with your iPhone in some powerful ways, enabling you to locate a set of keys that has fallen down between the cushions of a couch, for example. You can see its location on a map, and if you’re close to it, you can get a directional signal on newer iPhones. It can be put into lost mode, enabling someone who finds it to tap it with their phone and get information you supply, such as a phone number to call.
Sounds great, right? Everyone who has ever had something stolen—a laptop bag, for example—has fantasized about being able to track it down and get their property back. (The reality is a bit grittier. It’s not hard to find news stories of people using things like Find My iPhone to follow their stolen property directly into danger, being shot at when they approached the thief they’d tracked down.)
Unfortunately, there’s a dark side to AirTags: stalking.
Why are AirTags so good for stalking?
Although they are conceptually similar to a Tile, AirTags have far more stalking potential. A Tile that isn’t near you can only be tracked if it comes into proximity of someone with the Tile app open and active on their phone. If the Tile app can detect the Tile, it can report the location and the owner of the Tile can see where it is.
However, an AirTag’s location can be tracked any time it comes into proximity of any iPhone. The number of iPhones out there moving around in the world is substantially higher than the number of phones with a Tile app open and active. iPhones form a massive tracking network for AirTags that can be quite difficult to get away from. Long-time Mac expert and writer Kirk McElhearn sent an AirTag through the mail, as a test, and was able to follow its progress quite successfully.
AirTags are also rather small. They’re easily hidden in a bag, a vehicle, or anything else you might carry with you. There have been stories of people finding AirTags in their bags, various places on the exterior of their cars, hidden inside the frame of their bicycles, and more. Keep in mind, these are all folks who don’t actually own the AirTag in question!
Sounds terrifying! How can I avoid being tracked?
Apple has taken some measures to prevent AirTags from being used for stalking. Unfortunately, these measures are not 100% effective.
First, if you have an iPhone and an unknown AirTag is detected moving along with you for some period of time, your iPhone will notify you. (It’s unclear exactly how long it takes for this message to appear.) This is a reasonable measure, but there’s one major flaw: not everyone has an iPhone. Apple did recently release an Android app that can be used to help find unknown AirTags moving with you, but that requires you to take action proactively, and many probably will not do so.
If you don’t have an iPhone or the Android app, AirTags were, at the time of release, designed to start playing a sound periodically after they’d been separated from their owner for 3 days. After much criticism about this being far too long an interval, Apple shortened it to between 8 and 24 hours (the exact time is apparently random).
Unfortunately, there are a couple of problems with this. For one, the sound isn’t that loud, and could easily be muffled if it were buried inside a bag, or completely inaudible if it were somewhere on the exterior of a car and you didn’t happen to be there when the alert sounded.
Another problem is that this only works when the AirTag has been away from its owner for at least 8 hours. This may work well in some situations, but it won’t work in the case of intimate partner abuse, in which the victim is in regular contact with their abuser. It also won’t work if the stalker only needs to track you for a few hours before getting the information they’re interested in, such as the location of your home.
Recently, yet another problem has arisen. It was discovered that someone was selling a “silent AirTag” on Etsy. The claim was that the seller had modified the hardware in order to disable the speaker, and was reselling it for a higher price. Fortunately, it appears that Etsy has taken this listing down, but the fact remains that if one person is doing these modifications, others are as well, and there’s nothing Apple can do about it.
We asked Eva Galperin for her thoughts, and as she told us, “This was very easy to see coming. I am absolutely not surprised and probably neither is anyone at Apple. Tiles have not been modified in a similar way because Tiles do not beep in the same way AirTags do.”
What do I do if I find an AirTag in my stuff?
Assuming you have an iPhone, you can unlock your phone and touch the back of the top of your phone to the AirTag. A notification should appear, offering to open found.apple.com in Safari. Tap the notification to open that site, and you’ll see some info about the AirTag as well as a link to instructions on how to disable it.
This advice is different for survivors of domestic abuse, though, because disabling an AirTag could alert an abuser. Similar to instances of stalkerware, domestic abuse survivors should consider their own safety planning before immediately disabling forms of digital stalking. The National Network to End Domestic Violence has many specialists trained on technology-enabled abuse, and can help those who need a safety plan before taking action.
If you don’t have an iPhone, or don’t have it with you, or just don’t feel comfortable scanning an unknown AirTag like this, the instructions to disable the AirTag aren’t very complicated. You simply press down and twist counterclockwise on the back of the AirTag. (The back is the shiny side with the Apple logo.) This should open the battery compartment cover, allowing you to remove the battery. Once the battery has been removed, the AirTag can no longer be tracked.
Note that scanning the AirTag gives you the serial number and the owner’s phone number, which may help in the event of legal action against a stalker. The phone number could be a fake one, but the AirTag has to be linked to someone’s Apple ID in order for them to track it. The serial number should help Apple identify the owner’s Apple ID.
I fully understand why Apple created the AirTag. People like Find My for locating lost or stolen devices, and they like being able to share their locations with friends and family via Find My. (“They” in this case meaning people in general… obviously, there are individuals who dislike such things.) There is a customer need for something like an AirTag. This need has sustained Tile for years.
That said, there’s a significant difference between AirTags and anything that came before them. iPhones are not cheap, so though you can track them in the same way as an AirTag, you wouldn’t exactly want to plant one in someone’s bag or on their car. Tiles are cheap, but can’t be tracked as thoroughly as an AirTag.
The fact that AirTags are cheap, disposable, and can be tracked with decent precision makes them an ideal tool for stalkers. Apple was aware of this, and to their credit, they put a lot of thought into prevention of such usage. However, it’s also obvious that Apple failed in the area they so often fail at: consulting with experts outside Apple. It wasn’t until after the release that Apple was informed, by experts in the fight against stalking, of some of the device’s flaws, such as the former 3-day interval before it starts making noise after being separated from its owner.
Apple’s secretive nature often makes Apple its own worst enemy. Most people these days know that having a diverse set of opinions and inputs makes for better decisions. By keeping itself so isolated, Apple loses the opportunity to learn from and collaborate with experts in the field.
Apple also missed the boat for folks who don’t own iPhones. According to Galperin, “Apple’s AirTag anti-stalking measures are not enough. The next step required cooperation between Apple and Google to get the same levels of protection from AirTags on Androids as you have if you own an iPhone.” We couldn’t agree more, yet neither are we surprised that Apple and Google didn’t work together to solve this problem.
If you choose to buy and use AirTags, I can’t blame you. After all, I own one, and I like the way it works for my purposes. However, I’m still conflicted about owning one, since I know how much potential harm they can cause.
The post A worrying Etsy listing reveals the stalking potential of Apple’s AirTags appeared first on Malwarebytes Labs.