AirTags are used to find lost keys again. But you can also track people with it. Now you can easily protect yourself from this with a new app, developed by students from Darmstadt.
With AirTags you can easily spy on victims unnoticed
They look inconspicuous: About like an overgrown peppermint candy. AirTags attached to a keychain or suitcase, should help to locate things you have lost. Apple invented the small parts, but meanwhile there are comparable products from other manufacturers, like Samsung. The tracking technology is also already installed in bicycles and other devices.
Locating via Bluetooth
AirTags use a technology that was already available for Apple devices before. This makes it possible to locate certain devices even if they have no connection to the Internet via WLAN, nor via corresponding mobile phone connections such as 2G to 5G.
The devices use the Bluetooth standard, explains Alexander Heinrich in an interview with Deutsche Welle. Heinrich is a doctoral student at the Secure Mobile Networking Lab, Darmstadt Technical University. "The devices send out Bluetooth signals at regular intervals and all iPhones in the vicinity then act as "finders", says Heinrich.
Your data, our business!
In the received Bluetooth signal is a public key, and the foreign links it with its location data, which it has calculated via its GPS sensor or via a GSM triangulation.
Then it sends the whole data package to a server at Apple. This can also be done with a time delay – for example, only when the phone has WLAN access.
If you own an iPhone and haven’t turned the feature off by itself, you won’t notice any of this, Heinrich says. But hardly anyone likes to switch off the function: "If you want your own iPhone or your own AirTags to be found in case of loss, you have to help to find other things as well."
That’s why the function is always activated in the default setting on Apple devices as long as Bluetooth is switched on.
How accurate is the tracking really?
The person who owns the AirTag or the lost Apple device can check the last location at any time. "Although Apple writes on its website that they "only save the locations of the last 24 hours", says IT expert Heinrich "but in fact with Apple a course of seven days is stored."
His research group also found a way to get this data and published it.
His team also tried out how accurate the tracking is. "We tested this in Frankfurt and there were a large number of iPhone users who then sent a relatively accurate location", Heinrich reports.
"Then we correlated the data until it gave an accurate path. And there we found out that a location can be calculated to 30 meters exactly."
But Heinrich and his team are not satisfied with that yet. You also wanted to know if it’s possible to use a week’s worth of location data to uniquely identify the wearer of a tag. The answer is yes!
"If I have five locations and times from an AirTag, I can always identify the person associated with it – worldwide" says Heinrich.
Can I spy on someone undetected?
This is easily possible if you put the AirTag in the pocket of a victim undetected. Actually, Apple has built in protection against this, and it’s a speaker. "The AirTag has a gyroscope sensor and notices when it moves. Then, when it’s nowhere near its owner’s device, it’s supposed to make a sound so people who don’t have iPhones realize they might be being chased by an AirTag" says Heinrich.
"But it’s no problem to unscrew the AirTag, disconnect the speaker and screw it back on". And already the AirTag doesn’t make a sound anymore, but still works as good as before."
Even if the loudspeaker has not been removed, it is far from certain that the AirTag really makes a sound. Editors of the specialist portal Heise had to wait eight days before the device made a sound in an experiment.
In addition, savvy tinkerers – and government intelligence agencies, of course – can create their own, even smaller AirTags. Even on the technology market the boards are already for sale. "Even before the AirTags came out, we had published how you can participate in the system and virtually build your own AirTag without cooperating with Apple", says Heinrich.
The circuit board for this self-built AirTag was bought by the Darmstadt students for little money.
"With the data it is not recognizable for iPhones whether it comes from a certified device or from a replicated device".
The solution: AirGuard – an app that detects AirTags
Anyone who suspects that someone could be tracking him or her with AirTags, however, is no longer defenseless.
Heinrich has developed the app AirGuard for this purpose with his colleague Niklas Bittner, who is studying at SEEMOO.
"It works completely in the background. You only have to activate it once and then it scans every 15 minutes to see if these Apple devices are nearby", Heinrich reports. "Whether this is an AirTag or something similar, it doesn’t matter for now."
All devices that the app detects, it stores in a database. And if the same device follows someone to different places, the app sends an alert to their smartphone. "Then the locations to which the device has followed you will also be displayed", says Heinrich. "And if the sound is not disabled by hardware manipulation, you can force the AirTag to play the sound". The app is available for Android.
Citizen Science: How urgent is the problem?
Basically, every case of stalking or spying using AirTags is one too many. But the app’s creators would like to know how acute the abuse problem actually is.
Those who install the app can help with research and volunteer to participate in a study. "When you do that, the app sends anonymous data to us.", says Heinrich.
Here’s what the researchers collected in their study: how many devices were found (but no identifiers as to which devices they actually were)? How many of them were AirTags? How many times were people notified that they were potentially being stalked?
"People can then send feedback to us, for example, that this was a wrong notification", says the IT researcher. So far, about 800 participants are taking part in the study. But that is still very little.
"Obviously, it would be good to have as many people as possible using the app so that our data can become as meaningful as possible", wishes the Darmstadt scientist.
Heroes of the net world: Ingenious hackers
The Messiah
He’s probably the most famous fictional hacker – Neo, the hero from the Matrix trilogy (center/Keanu Reeves). He is the "chosen one, which is to free mankind from the clutches of an overpowering artificial intelligence. In the virtual reality of the Matrix, the hacker fights against protective programs that, in the form of agents, try to eliminate human revolutionaries like him.
Heroes of the net world: Ingenious hackers
The Eccentric
The novel character Lisbeth Salander was penned by Swedish star author Stieg Larsson. In his Millennium trilogy, he describes her as an unusual loner with a tragic past. Salander makes a living hacking computer programs and eventually uses her extraordinary skills to solve murders.
Heroes of the net world: Ingenious hackers
The lunatic
Elliot Alderson is at the center of the U.S. series "Mr. Alderson. Robot". He suffers from personality disorders and anxiety, but is an ingenious hacker. He was supposed to use his knowledge to protect his employer’s computer systems. But then a certain Mr. Robot persuades him to switch to the other side.
Heroes of the net world: Ingenious hackers
The avenger
Hackers are not only the protagonists in movies and novels. In the computer game "Watch Dogs" the hacker Aiden Pearce sets out on a vendetta. He wants retribution for an attack on his family that killed his niece. To take out his enemies, he uses not only conventional weapons, but also his hacking skills.
Heroes of the net world: Ingenious hackers
The NSA hacker
Kevin Mitnick caused a sensation in the 1980s and 90s when it became known that the young man from California had hacked into the computers of the Pentagon and the NSA. At the age of 25 he was in prison for the first time for this – further sentences followed. His story was published in 2000 under the title "Takedown" filmed.
Heroes of the net world: Ingenious hackers
The hacktivist
His unbelievable story also became material for Hollywood. In "Inside WikiLeaks – The Fifth Estate" plays actor Benedict Cumberbatch (li.) Julian Assange, the Australian hacker-activist and co-founder of the world’s most famous disclosure platform. Because Assange is facing criminal trials in several countries, he has been living in the Ecuadorian embassy in London since 2012.