Security Bits Logo no alpha channel

Security Bits – 06 March 2022

Feedback & Followups

Deep Dive — Apple’s Other AirTag Problem

We’ve discussed how Apple’s AirTags have built-in protections from abuse in quite a few recent segments. In summary — AirTags have better anti-stalking protections than any other trackers, and they’re making news because the protections work and actually alert victims that they’re being tracked and because Apple makes good click-bait. AirTags have had protections from day one, but Apple are continuing to expand and improve them.

A second story has been simmering away under the hood for a few months now, and it’s not gotten nearly as much attention because it’s literally more hidden and more difficult to understand and explain. A subset of the security community has been focusing their attention on the networking protocols that power AirTags and other compatible Apple and third-party trackable devices — Apple’s Find My Network.

Fundamentally, there are many aspects of the Find My Network that are extremely well designed, and have stood up well to scrutiny, but some weaknesses have been found around the edges.

Let’s start with the good news — Apple have developed a cryptographically enforced system that allows devices to be tracked in a privacy-protecting way. All the location pings are protected by regularly cycling keys and identifiers that are derived from a private key that’s securely stored in your iPhone’s secure enclave. Without the private key, it’s impossible to identify which location pings are from your tracker, let alone read their contents. Apple can’t track your AirTag, the people around your AirTag who’s phones are relaying its location pings can’t track your air tag, and neither can someone eves-dropping on messages being relayed within the Find My network. None of this has been broken — only you can track your AirTag’s location.

Note: (The only thing Apple can do is tell law enforcement which Apple ID matches which serial number, hence they can help find the owner of a tracker in the physical possession of the police.)

So what cracks have been found?

One of the leading security researchers in this field is Fabian Bräunlein from Berlin. A few months ago he managed to find a way to piggyback messages of his own on the Find My network which he humourously dubbed Send My. The bandwidth is really small though, about 20 bits per second (20 baud), and the latency is huge, about an hour! But, in theory, at least, an attacker could exfiltrate a small amount of very valuable data uncovered in a hack through the Find My network. This would be a very difficult to detect backchannel and would bypass firewalls and other existing DLP (Data Leak Protection) solutions. Because the bandwidth is so low this wasn’t really a practical attack, it was more of an intellectual badge of honour than anything else. The biggest take-away was that while Apple have done a good job securing the legitimate traffic on their network, they haven’t prevented the network being abused to transmit other data.

The week before last Bräunlein returned with details of a new and much more significant problem, which he’s dubbed Find You. Again, no legitimate use of the networks has been compromised in any way — attackers can’t break the encryption, de-anonymise AirTags, inject false data, or anything like that. But, Bräunlein found a way of building his own tracking hardware that can participate in the Find My network and successfully report location data to its owner, but without ever being noticed by Apple’s existing stalking protections. In other words, he has developed a truly stealthy AirTag.

The way it works is really quite clever — he’s developed a single hardware device that can switch between thousands of logical identities in a predictable way. Remember, a simplified description of how AirTags work is that the tracker has a public key, and its owner has the matching private key. The AirTag uses the public key to encrypt its location pings, and only the matching private key can identify and decrypt the location pings to read the actual locations.

The hardware the Bräunlein created stores thousands of public keys, and he has all the matching private keys. The firmware on his custom tracker is programmed to switch between all its public keys in a random-seeming but predictable way. This means that Bräunlein can always use the appropriate private key to decrypt the location pings his device is sending, but to every other device on the Find My network, his one device appears as thousands of separate trackers.

In effect, it’s like having a stack of two thousand AirTags taped into one big ball, with only one of them having battery power at any one time. Each one is using the network legitimately, with all the privacy protections in place and working correctly.

How does having a virtual ball of AirTags get around the stalker protections?

To know if an AirTag is following you, you need to remember every AirTag you’ve seen recently and count how long each stays near you. When the number for any specific AirTag crosses a threshold, a warning is triggered. You can only keep a count for so many recently seen tags, and you have forgotten each seen device when there have been no more sightings of it for some amount of time. The virtual ball of AirTags can change identity so often that it either overflows the number of counters iPhones keep, or, has such long cycles that each counter has been timed out before it’s seen again, or both.

Basically, by changing identity more often than Apple’s algorithms can currently handle, iPhones are not noticing that they’re being followed.

Apple may need to consider adding some kind of authentication into the network which stops pings from unauthorised private keys being relayed on the work at all — this would stop both the piggy-backing and identity switching attacks, but that may be easier said than done. Apple could also deal with the virtual ball of AirTags problem by tweaking their algorithm and storing more IDs for longer in their cache of recently seen tags.

Links

❗ Action Alerts

Worthy Warnings

Notable News

Interesting Insights

  • 🎧 As part of their response to the Joe Rogan/Spotify disinformation controversy, the Spotify-owned Science VS podcast has continued to publish shows on their pre-Spotify public feed that use science to directly address the issues. Their first such episode examined the actual science around COVID19, and all the ways the Joe Rogan show got it very very wrong indeed, but their most recent one is very relevant to this segment – they examined the measured effectiveness of different approaches to fighting mis and dis-information online: Science VS: Misinformation – What Should Our Tech Overlords Do? — overcast.fm/…

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top