The first report is from Albert Fox Cahn, founder and executive director of the Surveillance Technology Oversight Project, and Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation.
In it, they write that although AirTag isn’t the first tracking device, it is the one with the biggest network. Apple’s Find My location network uses its billion-plus peer-to-peer network of devices to boost tracking.
Apple did create anti-stalking measures for the AirTag. It uses Bluetooth signal identifiers that frequently change, and iOS devices can detect an unknown AirTag in close proximity. Additionally, an AirTag separated from its owner for an extended period of time will play a sound when moved to draw attention to it.
But what if the victim has an Android smartphone? In that case, the AirTag can’t be detected, although the device will still produce a sound after 72 hours of being separated from its owner. It’s not a loud sound and abusers who live with their victims can just reset the countdown clock.
If the abuser is also knowledgeable they could hack the AirTag to make it do things not approved by Apple, in the second report from Lorenzo-Franceschi-Bicchierai. One particular hack is theoretical, but hardware hacker Thomas Roth (Stacksmashing) believes the AirTag could be modified to use its accelerometer as a microphone, turning it into a bugging device.
Another researcher, Fabian Bräunlein, was able to broadcast data to nearby Apple devices using the Find My network, achieving this capability by “spoofing many AirTags and encoding data in which AirTag is active.”
Like it’s other products, Apple is sure to make improvements to AirTag in further versions. At the very least, Mr. Bräunlein said the AirTag is “cryptographically well designed.”