Originally published at: Apple’s AirTag Promises to Help You Find Your Keys - TidBITS
Apple’s long-rumored AirTag has finally arrived to help Apple users find their car keys via the familiar Find My app. You can track down one of the little metal discs in your couch via Bluetooth and Ultra Wideband. Elsewhere in the world, you can find an AirTag using Apple’s vast Find My network, which leverages nearly a billion in-use Apple devices to relay a tag’s location across town or the globe.
To repeat the security and privacy concerns from this month’s Cryptogram from Bruce Schneier:
Abstract: Overnight, Apple has turned its hundreds-of-million-device ecosystem into the world’s largest crowd-sourced location tracking network called offline finding (OF). OF leverages online finder devices to detect the presence of missing offline devices using Bluetooth and report an approximate location back to the owner via the Internet. While OF is not the first system of its kind, it is the first to commit to strong privacy goals. In particular, OF aims to ensure finder anonymity, untrackability of owner devices, and confidentiality of location reports. This paper presents the first comprehensive security and privacy analysis of OF. To this end, we recover the specifications of the closed-source OF protocols by means of reverse engineering. We experimentally show that unauthorized access to the location reports allows for accurate device tracking and retrieving a user’s top locations with an error in the order of 10 meters in urban areas. While we find that OF’s design achieves its privacy goals, we discover two distinct design and implementation flaws that can lead to a location correlation attack and unauthorized access to the location history of the past seven days, which could deanonymize users. Apple has partially addressed the issues following our responsible disclosure. Finally, we make our research artifacts publicly available.
There is also code available on GitHub, which allows arbitrary Bluetooth devices to be tracked via Apple’s Find My network.
Can somebody explain to me what I’m missing here, because I don’t get it.
If you are within Bluetooth range of something like a backpack you ought to be able to see it.
If you are out of range (e.g. your backpack was left on a train) it won’t help, right?
So what use is this?
If you’ve lost your keys somewhere, any iPhone (or iPad or Apple Watch or Mac with a network connection) with Bluetooth enabled can report on their proximity to the AirTag.
I’ve been looking up the specs on AirTags and … wow, 8mm thick. That seems … pretty thick, to be honest. Enough that sticking one in (for example) my wallet might be problematic.
I do understand that they have to be thick enough to hold a 2032 battery, which is not exactly thin itself. (The “32” part of the battery number indicates that it’s 3.2mm thick.)
If you read the paper, it seems that Apple already mitigated the problem that could allow a malicious Mac app to access location history with macOS 10.15.7. So that’s not likely an issue anymore.
Second, although Apple didn’t respond to the other problem reported, the vulnerability there is that Apple (and only Apple) could determine that two or more Apple device users had been in close proximity if and only if the victims requested the location of their devices via Find My. There are certainly some theoretical concerns there, but it’s hard to imagine anything serious in the real world. And that’s assuming that Apple hasn’t fixed the problem in iOS 14.5 and macOS 11.3, which will be required for AirTag use.
In short, unless you’re deeply concerned about your personal safety based on location due to being an activist or journalist in hostile territory, this feels like a non-issue.
If you want to be concerned about location tracking and privacy, there is much lower hanging fruit.
Previously I bought my partner a Tile device and attached it to her keys. It was used a few times a week until the battery died, but it certainly saved a lot of time when she had to leave for some appointment but couldn’t remember where her keys were (in a backpack, a purse, a coat, or maybe that coat, or that purse, or on an end table, etc. etc.). The keys were never “out of range” because they were somewhere near the front door, but where was often in dispute.
Somebody else’s iPhone who happens to be passing your lost keys in the park or wherever?
Exactly. It’s part of Apple’s updated Find My network. Julio’s article explains this well. See the link in the first post.
If it’s beyond the reach of any of my devices, but within reach of an unknown 3rd party with an iOS 14.5 device, will it still show up in my Find My? Or do I have to put it into Lost Mode for that to work? If it’s not in Lost Mode and they find it, what can they do with it? Does tapping it against their iOS device do anything for them? For me?
Wow! So, it’s powered by a replaceable battery?
I think that all of that is answered here:
My tabcat tracker, which is attached to my cat’s collar and uses a simple RF transponder for finding it is only slightly thicker than the CR2032 inside, so hopefully pet tracking will also be possible with AirTags assuming some sort of splash-proof jacket for it. That would be a primary use for me.
According to Apple, AirTags have significant water resistance (last footnote on the AirTag page):
- AirTag is splash, water, and dust resistant and was tested under controlled laboratory conditions with a rating of IP67 under IEC standard 60529 (maximum depth of 1 meter up to 30 minutes). Splash, water, and dust resistance are not permanent conditions and resistance might decrease as a result of normal wear. Refer to the Safety and Handling documentation for cleaning and drying instructions.
Amazing, isn’t it?
Seriously, I think it would be far more trouble for users to try to recharge these things, than just letting them change a battery. Apple made the right call there.
An AirTag separated from its owner for an extended period will, when moved, play a sound to draw attention to itself.
I was thinking about getting some AirTags to track my boat, car and motorbike in case of theft by hiding one in them. Reading this I wonder, is that going to work?
The one thing I lose regularly is the Apple TV remote. Why didn’t the new one come equipped with a built-in AirTag? Talk about couch diving!
Things I misplace like my phone, watch, and EarPods do work with the Find My app, but the best the app can tell me is they’re somewhere in the house. I can usually ping my watch and phone and locate the ping (although it can be hard. Especially if I misplace my phone in my pocket which I’ve done multiple times). However, finding the EarPods via pointing them is impossible. I simply don’t hear them. Is iOS 14.5 going to let me find them via that arrow interface?
John Gruber reports that at the start the separation time before a sound is made will be about three days, but that could change. It would be nice if we could choose what behavior we wanted.
An AirTag is only 11 grams, versus 6 for the Tabcat tracker, so that seems reasonable. For us at least, I’m not sure it would work all that well, since we live in a rural area, so it’s highly unlikely that an AirTag on our cat would be picked up by any other Apple devices if she was out of Bluetooth range. I’m sure it would work better in an urban environment. I don’t have a sense of what the effective Bluetooth range will be. And of course, cats move frequently (well, hopefully), so that might make it harder to zero in on a cat’s location.
I’m sure someone will try it soon enough, though!
Yes, range is definitely an issue, I think. I’m in a north London “village”, but the airwaves are thick with Bluetooth and Wi-Fi–I don’t know if that’s a good thing or not for this sort of device, but I suspect there would be a trade-off for discoverability. It’s not an especially upmarket area, so the iPhone demographic is not so large. On the other hand, Tab (yes, that’s really her name–long story) does not tend to wander far. She’s certainly agile despite her age though, and even with the Tabcat she can be surprisingly hard to pin down. It’s mostly insurance for me, I think Tab is more than happy to come home. The days of days-long absences and accidental trappings are, I think, probably behind her.
Anyway, I’ll probably be giving it a shot once I’ve done a few experimental runs to see how locating the tags works.