The AirTag Conundrum: Apple Needs to Fix This!

Written by Dom Kirby

Former MSP Owner, CyberSec Practitioner, Modern Work Pro, Evangelist, Husband & Father

December 19, 2021

At first I thought it was a fluke; surely they didn’t release a product like this. I’m not one of Apple’s loyal fans, but they used to think out the consequences of their products a little more carefully. It seems those days are gone. In this case specifically, I’m talking about AirTags. When they came out, I thought of it as a pretty good idea, just like Tile. The idea of attaching a little tag to luggage, keys, or something prone to being lost and being able to find it was cool. And then I learned that they will communicate with random iPhones so that they can continually update their location, and my thoughts changed pretty rapidly.

My brain went into cybersecurity dork mode and I thought “someone is gonna find ways to pass malware through that.” That could be remediated though. I didn’t think about the literal danger to life the product would create, until the stories started to crop up. There was a time that if one wanted to be a creeper and track someone down, you needed fancy spy hardware. You needed to James Bond something into a purse or under a car. AirTags completely changed that for the worse. A recent tweet from Sega__JEANAsis on Twitter inspired the post, because once is a fluke and multiple times is a pattern.

Hi friends. So something kinda terrifying happened to me last night— someone attached an Apple AirTag to the underside of my front wheel well while I was inside a bar. (1/3)

-Sega__JEANAsis on Twitter


Credit: Sega__JEANAsis on Twitter; Apple’s “AirTag Found” notification.

What’s going wrong?

As (bad) luck would have it, an entirely different kind of threat actor is taking advantage of the ability of AirTags to continuously update their location. Instead of a cyber-attack, this is a very human attack. We’ve realized that, in essence, Apple has made it extremely convenient to stalk individuals with GPS-level accuracy. The premise of the attack in the tweet, and other stories, is that all I really need to do is slip one of my AirTags into a purse, pocket, luggage, on a car, something that’s going to follow my target. From there, every time that AirTag passes an iPhone (even the victim’s iPhone), it’s going to send a ping. In essence, I can attach a GPS tracker to any victim and they aren’t that likely to spot it.

Apple has tried to rectify this with the alert pictured above. And it does do something: it alerts someone that there is an AirTag “moving with them.” This is the “detect” phase in cybersecurity terms. Here’s the problem: it’s very hard to remediate. If you’re one of those people (who are smarter than I) who ignore their phone while driving, you won’t see this until you get home, at which point “home” has been leaked to the attacker. Further, if you do spot this while on the road, you now have to pull over while still unwillingly sharing your location and try to find it. It could be virtually anywhere on your car, in your belongings or pockets, anywhere really. On most cars there are dozens of places where this small tag could be hidden.

With a small device like this, it’s not hard to plant it. It’s not the bulky GPS trackers of yesteryear that need a data plan.

An Apple AirTag; they are about the size of a quarter. Source: Apple.com

How can this be fixed?

This is a tough question. The whole pitch of the product is that I can attach it to my valuables and track their location. In essence, it takes “find my phone” and expands it to virtually anything. The most obvious, and frankly correct, way to repair this would be to allow iPhone owners to prevent AirTags from using their device as a ping. They could even implement it in such a way that after the same tag pings a certain number of times you can block it. There needs to be some sort of mechanism to prevent an AirTag from using your iPhone as a relay.

The only catch is that it changes the value of the product. It makes it hypothetically easier to steal an AirTag-equipped valuable item. However, Apple (and all manufacturers of these products) has to fix this problem before it becomes headline news in a horrific crime.
