{"id":23957,"date":"2025-03-28T04:46:19","date_gmt":"2025-03-28T08:46:19","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=23957"},"modified":"2025-03-28T12:52:46","modified_gmt":"2025-03-28T08:52:46","slug":"protecting-from-tracking-via-findmy-airtag","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/protecting-from-tracking-via-findmy-airtag\/23957\/","title":{"rendered":"How to track anyone via the Find My network"},"content":{"rendered":"<p>AirTags are a popular tracking device used by anyone from forgetful key owners to those with malicious intent, such as <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-protect-from-stalking-with-airtag\/43705\/\" target=\"_blank\" rel=\"noopener nofollow\">jealous spouses<\/a> and <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-find-airtag-and-other-location-trackers-on-android-2024\/51908\/\" target=\"_blank\" rel=\"noopener nofollow\">car thieves<\/a>. Using AirTags for spying is simple: a tag is discreetly placed on the target to allow their movements to be conveniently monitored using <strong>Apple Find My<\/strong>. We\u2019ve even added <a href=\"https:\/\/www.kaspersky.com\/blog\/airtag-and-stalkerware-protection-on-android\/52652\/\" target=\"_blank\" rel=\"noopener nofollow\">protection from AirTag-based tracking<\/a> to our <a href=\"https:\/\/me-en.kaspersky.com\/mobile-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kdaily_wpplaceholder_sm-team___kisa____3d7d2c33c4c17a10\" target=\"_blank\" rel=\"noopener\">products for Android<\/a>.<\/p>\n<p>But a recent <a href=\"https:\/\/cs.gmu.edu\/~zeng\/papers\/2025-security-nrootgag.pdf\" target=\"_blank\" rel=\"nofollow noopener\">study<\/a> by security researchers has surprisingly found that remote tracking doesn\u2019t even depend on buying an AirTag or ever being physically near the target. 
If you manage to sneak special malware onto someone\u2019s Windows, Android, or Linux device (like a computer or phone), it could use the device\u2019s Bluetooth to send out a signal that nearby Apple devices would think is coming from an AirTag. Essentially, for Apple devices, the infected phone or computer effectively becomes an oversized AirTag \u2013 trackable via the <strong>Find My<\/strong> network, which boasts over a billion Apple phones and tablets.<\/p>\n<h2>Anatomy of the attack<\/h2>\n<p>The attack exploits two features of the <strong>Find My<\/strong> technology.<\/p>\n<p>Firstly, this network uses end-to-end encryption \u2013 so participants don\u2019t know whose signals they\u2019re relaying. To exchange information, an AirTag and its owner\u2019s phone rely on a pair of cryptographic keys. When a lost AirTag broadcasts its \u201ccallsigns\u201d via Bluetooth, <strong>Find My<\/strong> network \u201cdetectors\u201d (that is, any Apple device with Bluetooth and internet access, regardless of who owns it) simply transmit AirTag\u2019s geolocation data to Apple servers. The data is encrypted with the lost AirTag\u2019s public key.<\/p>\n<p>Then, any device can ask for the encrypted location data from the server. And because it\u2019s encrypted, Apple doesn\u2019t know who the signal belongs to, or which device asked for it. The crucial point here is that one can only decrypt the data and find out both whose AirTag it is and its exact location by having the corresponding private key. Therefore, this data is only useful to the owner of the smartphone paired with this AirTag.<\/p>\n<p>Another feature of <strong>Find My<\/strong> is that detectors don\u2019t verify whether the location signal indeed originated with an Apple device. 
Any device that supports Bluetooth Low Energy (BLE) can broadcast it.<\/p>\n<p>To exploit these features, the researchers came up with the following method:<\/p>\n<ol>\n<li>They install malware on a computer, phone, or some other device running Android, Windows, or Linux, and check the Bluetooth adapter address.<\/li>\n<li>The attackers\u2019 server receives the information and uses powerful video cards to generate a pair of encryption keys specific to the device\u2019s Bluetooth address and compatible with Apple\u2019s <strong>Find My<\/strong>.<\/li>\n<li>The public key is sent back to the infected device, and the malware then starts transmitting a Bluetooth message that mimics AirTag signals and includes this key.<\/li>\n<li>Any nearby Apple device connected to the internet receives the Bluetooth message and relays it to the <strong>Find My<\/strong> network.<\/li>\n<li>The attackers\u2019 server uses the private key to request the location of the infected device from <strong>Find My<\/strong> and decrypt the data.<\/li>\n<\/ol>\n<h2>How well does the tracking work?<\/h2>\n<p>The more Apple devices nearby and the slower the victim\u2019s movement, the better the accuracy and speed of the location tracking. In typical urban environments like homes or offices, the location is usually pinpointed within six to seven minutes and with an accuracy of around three meters. Even in extreme situations, such as being on an airplane, tracking can still occur because internet access is now widely available on flights. The researchers obtained 17 geolocation points throughout a 90-minute flight, allowing them to reconstruct the aircraft\u2019s flight path quite accurately.<\/p>\n<p>Naturally, the success of the attack hinges on whether the victim can be infected with malware, and the details are slightly different depending on the platform. On Linux devices, the attack only requires infecting the victim\u2019s gadget due to the specific Bluetooth implementation. 
By contrast, Android and Windows employ Bluetooth address randomization, meaning the attacker needs to infect two nearby Bluetooth devices: one as the tracking target (the one that mimics an AirTag), and another to obtain its adapter address.<\/p>\n<p>The malicious application needs Bluetooth access, but this isn\u2019t hard to get. Many common app categories \u2013 like media players, file sharing tools, and even payment apps \u2013 often have legitimate reasons to request it. It\u2019s likely that a convincing and functional bait application will be created for this type of attack, or even that an <a href=\"https:\/\/www.kaspersky.com\/blog\/ios-android-ocr-stealer-sparkcat\/52980\/\" target=\"_blank\" rel=\"noopener nofollow\">existing application will be trojanized<\/a>. The attack requires neither administrative permissions nor root access.<\/p>\n<p>Importantly, we\u2019re not just talking about phones and computers: the attack is effective across a range of devices \u2013 including smart TVs, virtual-reality glasses, and other household appliances \u2013 as Android and Linux are common operating systems in many of them.<\/p>\n<p>Another key part of the attack involves calculating cryptographic keys on the server. Due to the complexity of this operation \u2013 which requires leasing hardware with modern video cards \u2013 the cost of generating a key for a single victim is estimated at around $2.2. For this reason, we find mass-tracking scenarios that target, say, visitors inside a shopping center, to be unlikely. However, targeted attacks at this price point are accessible to virtually anyone, including scammers or nosy co-workers and spouses.<\/p>\n<h2>Apple\u2019s response<\/h2>\n<p>The company patched the <strong>Find My<\/strong> network vulnerability in December 2024 in iOS 18.2, visionOS 2.2, iPadOS 17.7.3 (for older devices) and 18.2 (for newer ones), watchOS 11.2, tvOS 18.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2, and macOS Sequoia 15.2. 
Unfortunately, as is often the case with Apple, the details of the updates have not been disclosed. The researchers <a href=\"https:\/\/nroottag.github.io\/\" target=\"_blank\" rel=\"nofollow noopener\">emphasize<\/a> that this tracking method will remain technically feasible until all Apple users update to at least the above versions, though fewer devices will be able to report a tracked device\u2019s location. And it\u2019s not impossible that the Apple patch could be defeated by another engineering trick.<\/p>\n<h2>How to protect yourself from the attack<\/h2>\n<ul>\n<li>Turn off Bluetooth when you\u2019re not using it if your device has the option.<\/li>\n<li>When installing apps, stick to trusted sources only. Verify that the app has been around for a long time, and has many downloads and a high rating in its latest version.<\/li>\n<li>Only grant Bluetooth and location access to apps if you\u2019re certain you need those features.<\/li>\n<li>Regularly update your device: both the OS and main apps.<\/li>\n<li>Make sure you have comprehensive malware protection enabled on all your devices. We recommend <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">Kaspersky Premium<\/a>.<\/li>\n<\/ul>\n<blockquote><p>Besides this rather unusual and as-yet-unseen-in-the-wild tracking method, there are numerous other ways your location and activities can be tracked. What methods are being used to spy on you? 
Read these for the details:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/disable-mobile-app-ad-tracking\/53096\/\" target=\"_blank\" rel=\"noopener nofollow\">How smartphones build a dossier on you<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/webcam-stalking\/52733\/\" target=\"_blank\" rel=\"noopener nofollow\">Webcam stalking: fact or fiction?<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/airtag-and-stalkerware-protection-on-android\/52652\/\" target=\"_blank\" rel=\"noopener nofollow\">How to protect yourself from Bluetooth stalking and more<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/tracking-and-hacking-kia-cars-via-internet\/52497\/\" target=\"_blank\" rel=\"noopener nofollow\">How millions of Kia cars could be tracked<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/running-apps-privacy-settings-part1-common\/52403\/\" target=\"_blank\" rel=\"noopener nofollow\">Run for your data: privacy settings in jogging apps<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/car-manufacturers-silently-sell-user-telematics-data\/51245\/\" target=\"_blank\" rel=\"noopener nofollow\">I know how you drove last summer<\/a><\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.kaspersky.com\/blog\/tag\/geolocation\/\" target=\"_blank\" rel=\"noopener nofollow\">\u2026 and other posts<\/a>.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Apple&#8217;s Find My network can be exploited to remotely track other vendors&#8217; Android, Windows, and Linux 
devices.<\/p>\n","protected":false},"author":2722,"featured_media":23958,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486],"tags":[2545,105,14,2226,22,1061,43,738,521,783],"class_list":{"0":"post-23957","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-airtag","9":"tag-android","10":"tag-apple","11":"tag-geolocation","12":"tag-google","13":"tag-ios","14":"tag-privacy","15":"tag-surveillance","16":"tag-threats","17":"tag-tracking"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/protecting-from-tracking-via-findmy-airtag\/23957\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/protecting-from-tracking-via-findmy-airtag\/28718\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/protecting-from-tracking-via-findmy-airtag\/12348\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/protecting-from-tracking-via-findmy-airtag\/30692\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/protecting-from-tracking-via-findmy-airtag\/28835\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/protecting-from-tracking-via-findmy-airtag\/28017\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/protecting-from-tracking-via-findmy-airtag\/30862\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/protecting-from-tracking-via-findmy-airtag\/29567\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/protecting-from-tracking-via-findmy-airtag\/39310\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/protecting-from-tracking-via-findmy-airtag\/13242\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/protecting-from-tracking-via-findmy-airtag\/53245\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/protecting-from-tracking-via-find
my-airtag\/22688\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/protecting-from-tracking-via-findmy-airtag\/32048\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/protecting-from-tracking-via-findmy-airtag\/28988\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/protecting-from-tracking-via-findmy-airtag\/34782\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/protecting-from-tracking-via-findmy-airtag\/34413\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/airtag\/","name":"AirTag"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23957","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2722"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=23957"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23957\/revisions"}],"predecessor-version":[{"id":23959,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23957\/revisions\/23959"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/23958"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=23957"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=23957"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=23957"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}