Does this mean that Apple is failing to validate the capability of things that purport to be AirTags? Or that the BLE protocol is just not powerful enough to have Apple signatures on each broadcast public key?
If it's the latter, it might mean that the entire AirTag product line is dead in the water.
The mental model I had is that AirTags are manufactured with a private/public key pair burned into them that allows Apple to validate the thing you are linking to your account on initial setup is really a legit AirTag.
It appears none of that was ever true and you can register just anything as an AirTag that speaks the right BLE with no secrets required for a world full of iPhones to start tracking them.
So yeah, expect Chinese clones to show up within a month, for five dollars each and certainly no speaker included.
I feel that if the stalker is buying dedicated stalking gear online there are “better” options - you can get actual compact GPS trackers that report over cellular for $10-20.
Stop comparing AirTag to GPS trackers, it's absurd. GPS is an incredibly faint signal that is entirely attenuated in any indoor spaces and most clever hiding places you could come up with, all the while being very obviously inferior to the multitude of strategies smartphones use to determine their position.
Can you really? I live in a place with a lot of coyotes so we bring our cat inside every day an hour or 2 before sunset. We bought a Tile (AirTag competitor) for her, but it's really not lived up to what we were hoping and I'd love for the possibility of getting an actual GPS device.
Even if it's just for a few days so we can get a sense of what her typical routes are so we could know where to look for her other days.
But we couldn't find any such GPS device that was anywhere near the price point of an AirTag or Tile unless it came with a really pricey subscription.
For your use case wouldn’t something that has a GPS receiver and just records position every minute or so be fine? You can download the map offline later, no need for continuous cell signal.
Not with anything like the battery life or small size of an AirTag.
Those sort of devices are a reasonable choice for mounting in your own vehicle, where you can provide relatively unlimited power (and many of them have the ability to implement engine kill). But you aren’t going to slip one of those into someone’s pocket unobtrusively as you bump into them going past. Or attach it to their car in a car park.
More than battery life or small size, I think the most important cost is the cellular plan. With AirTag, the Find My network acts as the communication backbone and it tracks the AirTag in literally every country, at no cost. On the other hand, cellular is expensive AF.
> If it's the latter, it might mean that the entire AirTag product line is dead in the water.
The average consumer, or even 99.9% of consumers, don't care at all.
They want to find their things. AirTags help them find their things. They don't care how it works. End of story.
It's not a popular opinion on HN where everyone wants to understand every technical detail of how every product works, but in the real world it doesn't matter. Consumers buy products to solve problems. That's all.
AirTag is one of many ways you can be stalked. Perhaps it’s the cheapest or most well known method at the moment, but you can already buy GPS + cellular trackers that aren’t much more expensive or larger, and they’re only going to get better and cheaper over time.
This problem will need to be addressed through other means than a single company intentionally crippling their own product.
I think the problem is people have to decide "I'm not going to buy this because if nobody buys this then people won't be able to buy this and use it to stalk people." In other words, the consumer gives up a product they want in exchange for a common good they get an infinitesimal benefit from.
Obviously not, given what their smartphone apps and browsers are doing. The real question is whether the thought of being stalked by an individual rather than by corporations will make any difference.
Yeah I don't understand this. Surely AirTags have to be registered, and when an iPhone sees tag 3957375967 Apple's servers look that up and say "oh it's registered to Billy Bob; I'll tell them".
But if your fake AirTag rotates through 2000 IDs how do you register them all?
Apple apparently stores every reported location in a database and allows people to query whether a certain public key was received, with or without the key being registered to a specific user, since they change on a regular basis so one can’t track a specific device.
Seems like the end-game for this is to change things around like this:
1. you can't track items outside of some distance from you in real-time
2. items marked as lost would need to be sent to a review team inside Apple (contractors I imagine) that would then log your information, require you to explain what the item is, and generally make it very cumbersome to get the actual location or history of the location
3. then very likely a neutral 3rd party would have to go to the location to determine if the claim seems to be legitimate, or this is a case of somebody stalking somebody else or something
4. likely would require police getting involved somehow
The idea that people can be vigilantes and track down their own stolen bike is a great idea, but it basically equates to "stalking somebody". Any work-arounds for Android users and iPhone users will either only work in certain circumstances (what if you only live 1 mile away from the bars downtown -- then now the stalker knows where you live and the device was with you a super short period of time -- maybe 2-5 mins depending upon method of travel)... the only way around this is to block people from being able to get the raw information -- sure the data might be collected, but giving it directly to the customer is both the best and worst thing about this.
The Apple strategy would be that it works fine and then 6 months in they release an update that specifically targets these devices and they are instantly worthless.
Apple will probably say something to the effect of, "we didn't have to put anti-stalking technology in, and it works well for the 99% of use cases." The common stalker will not have the technical skills to build their own custom-firmware version of a BLE-enabled system. I don't think this revelation will kill the product line.
After reading more about this on the attached repo, I think we're going to see some AliExpress clones popping up pretty quick. AirTags appear to be pretty minimal tech - much less complex than I had thought if you exclude the high-precision location finder.
It is a difficult technical problem for Apple to solve all of the corner-cases. The article shows the screenshot of seemingly 100 unique FindMy devices around this guy's personal residence... there may be some characterization work that can help solve that so an iPhone user would get the alert message. But Apple will continue to promote it and dismiss or downplay these security concerns.
> The problem is easy to solve, just store copies of all public keys of each air tag you send out.
That kills the privacy aspect of it, because it also means Apple knows about the exact whereabouts of each tag. AirTags are specifically designed/marketed so Apple can't do that.
Software (and I guess hardware too) is about tradeoffs. The tradeoff here is that, in not being able to validate whether a device is a valid AirTag, Apple has created a massive, completely uncontrollable surveillance network. The fact that anyone can interrogate the network to track devices that aren't even guaranteed to be running the official firmware or have the official hardware is insane. Not having Apple be able to know the location of the tags is pretty much irrelevant in the face of this downside.
It basically operates like dead drops. AirTags broadcast their location using a public key that constantly rotates. Apple maintains a mapping of public key to location. Anyone can look up the location of a public key, but the search space is so big that it's not worth brute-forcing. Even if you did, all you'd end up with is a heatmap[1] of AirTags, not very helpful. However, if you know the corresponding secret, you can predict what the public key will be and know the exact whereabouts of a particular device.
A core selling point of Airtags is that other people's iPhones help you find your AirTag. That's also what makes them effective trackers. It's a bit of an unsolvable problem.
Yes, and Apple 100% has the capacity / ability to filter out "fake" AirTags on their back-end. All they need to do is set up a manufacturing process that captures the public keys.
So the phones will still relay the beacons to Apple, who can then do things and just reject messages from these fake tags.
(I worked for a Medical Device Company that set all of this up within our supply chain).
If they haven't been doing this so far, it seems like it will be a tough job to record them after the fact. Perhaps they could interrogate each device and require it to be re-adopted, then record the data at that point but it seems like an arms race they won't win.
Yes, you could do attestation schemes for hardware - such as a single manufacturing-time private key for large batches (say 1M+ AirTags) or something like Direct Anonymous Attestation.
Apple likely would go toward batch keys - in addition to being simpler crypto, it doesn't give them the capability to use other mechanisms to potentially correlate location reports.
That said, AirTags work solely within BLE advertisements, which are payload size limited to 31 bytes. Apple is currently using 30 of those bytes.
Since the AirTag emits the message, that message would either contain:
- a static signature, which could then be copied and mimicked by imposters (replay attack), or
- a private key stored on the AirTag device, which could then sign a continuously changing nonce like the current datetime. But this means the private key could then be extracted from one device and used to sign messages on an imposter device. So unless every device had a separate private key, this method would immediately be compromised as well.
So why doesn't Apple have a unique private key for each device? Well, it appears it actually does, and has them constantly changing their private keys. But there appears to be some kind of purposely implemented anonymity feature that is designed to prevent Apple's servers from ever having to decode the contents of a ping, and thus from associating your account/device with the emitted location.
If you build in validation to write to the network ping database that goes "here's a ping with a signature ABC and let's lookup if it's valid, oh it is, that must be from AirTag Bob bought last month with private key XYZ, let's declare this ping valid" then Apple is only a logfile-write-of-this-information away from being able to perfectly stalk everyone who has purchased a device. So instead, the tradeoff they made is they don't keep track / purposely blind themselves to their device-in-circulation keys to truthfully say they actually can't track you. That leaves open the ability of imposter devices to transmit information through the network by creating their own known keys which look indistinguishable from authentic device pings.
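The tradeoff the comment above describes, as an added toy model (not Apple's protocol, not code from the thread): a blind server that indexes reports by a hash of the rotating beacon cannot reject unregistered beacons, while a server holding a manufacturing-time registry can reject them but can also resolve every accepted ping to an owner. The HMAC-based rotation, the class names and the sample seeds are assumptions made for the example.

```python
import hashlib
import hmac
from collections import defaultdict


def rotating_key(seed: bytes, period: int) -> bytes:
    """Per-period beacon a tag broadcasts. Assumed derivation (HMAC over a period
    counter): only the seed holder can predict the sequence, nobody can invert it."""
    return hmac.new(seed, period.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


class DropServer:
    """Blind variant: reports are indexed by a hash of the beacon. With no registry
    the server cannot tell a genuine tag from an imposter beacon, but it also
    cannot link two reports to each other or to an account."""

    def __init__(self):
        self.reports = defaultdict(list)

    def report(self, beacon: bytes, period: int, location: tuple) -> bool:
        self.reports[hashlib.sha256(beacon).hexdigest()].append(location)
        return True  # every well-formed beacon is accepted

    def query(self, beacon: bytes) -> list:
        return list(self.reports.get(hashlib.sha256(beacon).hexdigest(), []))

    def owner_of(self, beacon: bytes, period: int):
        return None  # nothing to resolve against


class EnrollingServer(DropServer):
    """'Validate every ping' variant: seeds captured at manufacture, keyed by owner.
    Unknown beacons are dropped, but an accepted beacon now resolves to an owner,
    which is exactly the privacy cost the thread is debating."""

    def __init__(self, enrolled: dict):
        super().__init__()
        self.enrolled = enrolled  # owner -> seed (hypothetical manufacturing registry)

    def owner_of(self, beacon: bytes, period: int):
        for owner, seed in self.enrolled.items():
            if hmac.compare_digest(rotating_key(seed, period), beacon):
                return owner
        return None

    def report(self, beacon: bytes, period: int, location: tuple) -> bool:
        if self.owner_of(beacon, period) is None:
            return False  # not a registered tag: rejected
        return super().report(beacon, period, location)


def owner_lookup(server: DropServer, seed: bytes, periods) -> dict:
    """Owner-side query: recompute each period's beacon and fetch any reports for it."""
    found = {}
    for p in periods:
        locs = server.query(rotating_key(seed, p))
        if locs:
            found[p] = locs
    return found
```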
I didn't fully grep the article, but assuming the src is public and hardware is trivially built - I wouldn't put it past someone packaging this up and selling it. It doesn't need a huge number of people to be bad enough PR for Apple to have to do something - much like 99.9999999% of people are not using them for stalking but it's all that's talked about in the media with these tags.
My memory is a little fuzzy, but iirc after required tags in the advertising packet you had ~28 bytes that could be tagged 0xFF - mfg data. Then there is also BLE5 which adds advertising extensions to get to 240-250 bytes. And the scan response packet which was under 30 all the time. But I could be wrong about all of that, been a little while since I was that deep in BLE.
Point for me is that Apple absolutely could do supply chain verification but… for some reason don’t?
I've read a bunch of different numbers around 30, but I've never used beacons personally. I pulled out my copy of the O'Reilly book on BLE (covers up to Bluetooth 4.1), which says this:
> Each advertising packet can carry up to 31 bytes of advertising data payload, along with the basic header information (including Bluetooth device address).
I didn't know about advertising extensions, thanks for the info. Without that I'm not sure if supply chain verification is feasible? I also wonder if there's a significant battery impact to broadcasting more data. I suppose they could overload the device address uuid?
4.1 is before packet extensions, but that shouldn’t matter here.
The reason you’ll see different numbers is that not everyone considers the overhead the same. Some count it, some don’t. I do because it just isn’t usable.
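To make the "different numbers around 30" concrete, here is an added example (not from the thread) that parses the 31-byte AdvData of a legacy BLE advertisement into its AD structures and shows how much of the budget is framing versus usable payload. The sample packet is constructed here; the layout (each structure is a length byte, a type byte and data, 0xFF being manufacturer-specific data with a two-byte company identifier) follows the Bluetooth Core Specification, and the function names are assumptions.

```python
MAX_ADV_DATA = 31   # AdvData limit of a legacy advertising PDU
AD_FLAGS = 0x01
AD_MANUFACTURER = 0xFF


def parse_ad_structures(adv_data: bytes) -> list:
    """Split AdvData into (ad_type, data) tuples. Each structure is [len][type][data...],
    where len counts the type byte but not itself; a zero len ends the payload early."""
    if len(adv_data) > MAX_ADV_DATA:
        raise ValueError(f"AdvData is {len(adv_data)} bytes, limit is {MAX_ADV_DATA}")
    out, i = [], 0
    while i < len(adv_data):
        length = adv_data[i]
        if length == 0:
            break
        if i + 1 + length > len(adv_data):
            raise ValueError("AD structure runs past the end of the payload")
        out.append((adv_data[i + 1], bytes(adv_data[i + 2:i + 1 + length])))
        i += 1 + length
    return out


def payload_budget(adv_data: bytes) -> dict:
    """Account for the 31 bytes: per-structure framing (len + type), data carried,
    and how much of a manufacturer block remains after its 2-byte company ID."""
    structs = parse_ad_structures(adv_data)
    mfg = sum(len(d) - 2 for t, d in structs if t == AD_MANUFACTURER and len(d) >= 2)
    return {
        "structures": len(structs),
        "framing": 2 * len(structs),
        "data": sum(len(d) for _, d in structs),
        "manufacturer_payload": mfg,
        "free": MAX_ADV_DATA - len(adv_data),
    }


# Constructed sample: a flags structure plus one manufacturer block (company ID 0x004C,
# little-endian) that fills the rest of the 31 bytes with 24 bytes of dummy payload.
SAMPLE_ADV = (bytes([0x02, AD_FLAGS, 0x06])
              + bytes([0x1B, AD_MANUFACTURER, 0x4C, 0x00])
              + bytes(range(24)))
```

Counting the four framing bytes explains why one person says 31 and another says 27 or 28 usable bytes.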