Fabian Bräunlein's ESP32-Powered "Find You" Tag Bypasses Apple's AirTag Anti-Stalking Protections

Security researcher Fabian Bräunlein has demonstrated a way to produce a device trackable within Apple's AirTag ecosystem, which bypasses all the protections the company has put in place against unauthorized tracking — and calls for the company to revise its threat model.

Apple launched its AirTag trackables, designed to add arbitrary objects into the Find My platform previously used to locate lost iPhones, iPads, and MacBooks, in April last year. The compact devices are roughly trackable over Bluetooth and, via ultra-wideband (UWB), to a high level of accuracy — but their compact size and relatively low cost have made them popular with those looking to track a person without their authorization.

In response to reports that people were finding AirTags on or about their person, Apple added the ability to detect and alert when an unknown AirTag was found to be travelling with you — something Bräunlein claims his Find You project bypasses.

"Admittedly, I might be slightly more familiar with AirTags than the average hacker (having designed and implemented a communication protocol on top of Find My for arbitrary data transmission)," Bräunlein explains, "but even so I was quite surprised that, when reading Apple's statement, I was able to immediately devise quite obvious bypass ideas for every current and upcoming protection measure mentioned in that relatively long list."

Bräunlein's work builds on OpenHaystack, an open-source project that allows the creation of Bluetooth devices compatible with Apple's Find My network, using as its base the BBC micro:bit or another Bluetooth-capable microcontroller platform. Bräunlein's version turns an ESP32 into a "stealth AirTag clone" that, the researcher claims, is undetectable by Apple's anti-stalking countermeasures.

The ESP32-based Find You, powered by a USB battery pack, works by constantly rotating its public key — effectively appearing not as one tag seen multiple times but as 2,000 tags seen one time each. "For the experiment," Bräunlein notes, "I chose to iterate through 2000 key pairs and send one beacon every 30 seconds (a public key will therefore be repeated every ~17 hours). Instead of a finite list of keypairs, a common seed and derivation algorithm could be used on the AirTag clone and in the Mac application to generate a virtually never-repeating stream of keys."

Bräunlein's Find You device bypasses current protections revolving around unique per-tag serial numbers, audible feedback from an on-board beeper, tracking notifications on iPhones and on Android devices with an app manually installed; additionally, it is expected to bypass upcoming protections including audio and display-based alerts.

To prove the concept, Bräunlein tracked a volunteer, whose iPhone was configured to alert to possible unauthorized tracking, for five days; no alert was raised. Neither did Apple's Android app, Tracker Detect, find the device — though AirGuard, an Android tool for detecting AirTags and other Find My devices, was able to detect the cloned tag during a manual active scan.
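To make concrete why an alert that keys on a tag's identifier misses the rotation described above, here is an added simulation; it is not code from Bräunlein's project, and the two alert rules, the window and threshold values, and the sighting format are hypothetical stand-ins for Apple's unpublished detection logic.

```python
from collections import defaultdict

KEYS = 2000                  # key pairs the clone cycles through (from the write-up)
PERIOD_S = 30                # one beacon every 30 seconds (from the write-up)
REPEAT_S = KEYS * PERIOD_S   # a given key recurs only every 60 000 s, about 16.7 h
FIVE_DAYS_S = 5 * 24 * 3600  # length of the volunteer experiment in the text


def clone_sightings(duration_s, keys=KEYS, period_s=PERIOD_S):
    """Constructed sighting log (time_s, key_index) for a key-rotating clone.
    key_index stands in for the public key carried in each advertisement."""
    return [(t, (t // period_s) % keys) for t in range(0, duration_s, period_s)]


def genuine_sightings(duration_s, period_s=PERIOD_S):
    """Constructed log for a tag that keeps a single key (simplification for contrast)."""
    return [(t, 0) for t in range(0, duration_s, period_s)]


def _repeats_within(times, window_s, min_seen):
    """True if min_seen sightings fall inside any window_s-long span."""
    times = sorted(times)
    return any(times[i] - times[i - min_seen + 1] <= window_s
               for i in range(min_seen - 1, len(times)))


def per_key_alert(sightings, window_s=4 * 3600, min_seen=3):
    """Hypothetical identifier-based rule: flag a key seen min_seen times within window_s.
    Models a 'the same unknown tag keeps travelling with you' check; returns flagged keys."""
    by_key = defaultdict(list)
    for t, k in sightings:
        by_key[k].append(t)
    return {k for k, ts in by_key.items() if _repeats_within(ts, window_s, min_seen)}


def presence_alert(sightings, window_s=4 * 3600, min_seen=3):
    """Identifier-agnostic rule: flag if beacons of this type keep appearing, whatever key."""
    return _repeats_within([t for t, _ in sightings], window_s, min_seen)


if __name__ == "__main__":
    clone = clone_sightings(FIVE_DAYS_S)
    print("per-key rule on clone:", per_key_alert(clone))      # set() -> no alert in 5 days
    print("presence rule on clone:", presence_alert(clone))    # True
    print("per-key rule on genuine:", per_key_alert(genuine_sightings(FIVE_DAYS_S)))  # {0}
```

The identifier-agnostic rule catches the clone but would also fire on the many unrelated Find My devices around a commuter, which is the trade-off a detector design has to weigh.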

"The main risk does not lie in the introduction of AirTags," Bräunlein notes, "but in the introduction of the Find My ecosystem that utilizes the customer’s devices to provide this Apple service. Since Apple in the current Find My design can't limit its usage to only genuine AirTags (and official partner’s devices), they need to take into account the threats of custom-made, potentially malicious beacons that implement the Find My protocol (or AirTags with a modified firmware)."

Bräunlein's full write-up is available on the Positive Security website; source code for the Find You device has been published to GitHub under the reciprocal GNU Affero General Public License 3.
