AirTags: Hidden Stalking Menace or Latest Overblown Urban Myth?

Originally published at: AirTags: Hidden Stalking Menace or Latest Overblown Urban Myth? - TidBITS

Mainstream and technology media report that stalkers and criminals use AirTags to track unsuspecting people and aid in car theft. Do a handful of anecdotes truly reveal a broader pattern?

I purchased AirTags for my wife and me to keep track of our car keys. I often run errands with my wife’s car, and I’ve been getting the warnings that an AirTag that doesn’t belong to me is moving with me.

That’s fine, but the notification never appears until I return home with the keys. If a bad actor were tracking me with an AirTag, wouldn’t that mean that they would discover where I live before notifying me about it?

I’ve considered getting an AirTag for my teenage daughter’s backpack since she brings her MacBook Air to school. But I’m holding off due to the privacy issue.

As I understand it, that is the correct behavior. The notification doesn’t happen until you arrive home or to a location iOS has identified as a frequent location for you. I assume this is to prevent false-positives that may result from casually being near another AirTag user (e.g. traveling on a bus or train near someone with his own tags devices).

See also Here's when and where Apple will alert you to an AirTag used for stalking | AppleInsider

As for what this means for a stalker, yes, this may be a concern. If he is using “Find My” to track the tag, then it would be reporting the tag’s currently location. But I don’t know how often this information updates, so it may not be real-time.

WRT your daughter, I don’t think it should affect your decision to get her a tag. The concern here is if someone else slips a tag into her bag, not about her using a tag for her own bag.

That makes sense… Thanks for the thoughtful reply!

Find one that is suspicious? Take a pict of it, Put it in a shielded bag or tin. (EZpass bags or static bags that have metallic coating should cancel signal out). Then notify authorities. Do not open at a home. Or if you want, stick it on a mail truck or amazon van. Or HD rental truck. Have fun, right? (I am being humorous here)

Note: it has removable CR2032 battery so, might even disable with removing it.

I’m curious about “other” tags, e.g. Milwaukee TICK. Like Airtag, the battery is replaceable. I mean, do we all have that One-Key App (might want to)? Its cheaper than Apple ($20 vs $30). Less obvious (black). And has screw eyes for fastening/ziptie. I was considering a pack of 4 @ ~$78, to put on tools my neighbor “borrows”. Especially the pricier tools, like portable miter and flooring nailer. Considering using some doublesided-VHB adhesive to attach.

But here’s the question: its likely community tracking. That is, whomever has the app (or with Airtags, iphone 11 & up with latest iOS) and within 100’ of tracker -also see iBeacons, it will use them to notify via nearest bluetooth device.
How does it track if no iphone or enable bluetooth 4.0 device is near, updating a server? What if someone steals your car? Might it be wise to have an Apple Tag or TICK on it somewhere (that perp won’t find? or would a clever one have an iphone to sweep and note if such? Ofcourse if car is that valuable, there is LoJack…). Would one put “Car has AirTag. Do not attempt theft” label?
Thanks for this article and thoughts about it being myth or menace!

FWIW, we also store our car keys in a homemade Farraday cage (an aluminum box lined with an extra layer of foil) when we’re at home to prevent anyone from cloning the keys - car thieves will clone keyless entry keys by using a signal booster from outside the house - it’s a thing here.

When AirTags are offline for too long, they will sound off once they are connected again.

The link in the article to When You’re Told an AirTag Is Moving with You - TidBITS has detail straight from the horse’s (Apple’s) mouth on this, too. Apple says the notification typically appears in these cases:

• You’ve arrived home, as determined by the address set for the Me card in Contacts.
• You’ve arrived at a “significant location,” explained below.
• It’s the end of the day (whatever that means), even if you haven’t gone home or to a significant location.

I don’t think there’s a guarantee it only appears in those circumstances, but it’s part of Apple’s efforts to reduce false positives. The bad part about this is that someone could obviously track you to your house if you arrive home and then receive the alert. I think Apple might consider suppressing relaying within some radius (maybe half a mile or a mile) of your significant locations until you’re alerted, too.

I keep trying to remember to research the best one of these. Apparently some of the ones that are sold in great numbers don’t actually provide the Faraday cage function, which is a very sad state of affairs.

Only tracks within Bluetooth range; no crowdsourced network.

Tile offers a crowdsourced network, but it’s pretty thin on the ground, so they haven’t had a stalker problem to contend with at scale. (Tile was just sold to a larger company in November, btw: Tile is selling its Bluetooth tracking business to Life360 for $205 million - The Verge )

My wife and I are experiencing the reverse problem. It appears you can’t FamilyShare an AirTag. If we both want to track our car, apparently we each need our own AirTag in it as I cannot find a way to give her access to an AirTag I originally paired with my iPhone and then dropped in our car even though we use Family Sharing for all our other stuff. In fact, we can even share our iPhone locations with each other (which we use a lot to find each other in crowded areas), but not the AirTag.

Yes, the tags rely on device-based end-to-end encryption. Find My device uses simple iCloud encryption. You’ll note that you can’t find family devices, like Macs, via crowdsourcing either, only if they’re on the internet.

I fashioned my own. I had a metal box that I received from Volkswagen when I leased my Golf. I glued a layer of aluminum foil to the inside. When I put the keys with AirTags attached in the box they are undetectable when the box is closed. If you can find an old cigar tin, that would probably work too.

I think this adds to the discussion on Faraday bags, including some information on the variable effectiveness of different solutions.

https://www.mattblaze.org/blog/faraday/

It is interesting to read in any case.

That was the one I read and forgot who had written it. Matt is a very smart egg and I trusted his experiments.

Thanks. I was surprised to see how poorly the metal tin did.

I wonder if it would work any better if the tin was electrically grounded. Of course, doing that would also make it immovable, so that would only be practical for some kind of built-in installation.

It should also be noted that a “shield” that is not properly enclosed could end up reflecting signals, causing them to be stronger in some directions.

I remember many years ago when I was using an old TRS-80 computer that this computer interfered with nearby TV reception (including the TV it was using as a display!) pretty significantly. I found that if I put a metal tray table over the top of the computer, it blocked the interference in the room really well. But it created a lot more interference for the TVs downstairs.

I guess what I’m trying to say is that RF is really complicated. Don’t think you can improvise something if you have a serious security concern, because you probably won’t be able to get it completely correct and a mistake may end up being worse than doing nothing at all.

I think for most applications the shield doesn’t need to be perfect. From what I have read the car thieves who clone keys use some kind of booster to pick up the unique signal. This assumes that most people keep their keys near the front door. On top of using the box, I keep the keys towards the centre of the house.

How can a car owner test whether their attempt at protecting their keyless entry fob is working? Remote keyless systems use much lower frequencies than the 2.4GHz range Bluetooth uses. I don’t know if containers effective at blocking Bluetooth are also effective at blocking the keyless entry signals, Matt Blaze’s tests didn’t include low enough frequencies.

I took my improvised box to my car, the door unlock function wouldn’t open, nor would the starter if the box was closed.

I’m sure there’s some signal leakage, but it wasn’t strong enough for the receiver in the car to detect it. Anyone trying to grab the signal would probably have difficulty reading it without sophisticated equipment.

Will each new brand of item tracker also require you to load its notification app? That would be A Very Bad Thing. At the same time, I can see 3rd party trackers proliferate, with probably less concern than Apple on use cases and facilities for identifying unwanted trackers.

It’s not AirTags that scare me here, it’s -everything else- with similar technology. Of course, that is subtlety that we’ll not get from tech journalists or newspapers, where “bad news about Apple” generates the clicks.

Same here. I can’t open the car from there and in the box the car can’t be opened or started. I bet it’s still not perfect, but it sure is good enough for me.