ISSUE 19.10.F • 2022-03-07

PUBLIC DEFENDER

Look who’s stalking 2: Apple responds to AirTag security threats

By Brian Livingston

The Apple AirTag, a $29 tracker the company started selling last year, has been criticized by experts for its weak protections against criminals who use the device to stalk people and pinpoint vehicles to steal. In response, Apple posted a statement last month that promises only minor upgrades to the gadgets’ software.

Meanwhile, a developer announced recently that he had built — using a few dollars’ worth of electronic parts — an AirTag-like clone that takes full advantage of Apple’s free and worldwide Find My communication network. As an illustration of the weakness of AirTags, the clone easily defeats all of Apple’s existing security and detection systems, including the new features the corporation said last month it was planning to implement in the future.

Apple’s existing system automatically notifies users of iPhones and other Apple devices of unwanted trackers. But Apple hasn’t made an equivalent app available for Android, which runs 70% of the world’s phones, according to StatCounter data. Instead, Apple released in December a limited Android program that users have to fire up manually to search for unwanted AirTags. The Android app can’t alert users automatically.

Fortunately, a university-based security team has posted a free app of its own design. This gives Android users the same automatic warnings iPhone users have been receiving for almost a year.

That’s a lot of news to unpack! You can get the backstory from my January 10, 2022, column on AirTag problems. But reading that piece isn’t necessary for you to understand the following explanation of today’s situation and how we can protect ourselves.

Apple promises that a few changes are coming

As I stated in my previous column, AirTags have many legitimate uses. For a dirt-cheap price — less than older GPS-based devices and with no monthly subscription fees — AirTags can show you where you may have left a missing key ring, bicycle, or suitcase.

iPhone warning

But that very ease of use and minimal cost have attracted ex-girlfriend stalkers, auto thieves, and all manner of criminals. In its February statement, Apple responded to the bad press about this, promising to upgrade the following features of its proprietary Find My software (without mentioning any specific dates):

1. Clearer warnings of “AirTag detected near you.” The Find My app previously displayed to iPhone users the message “Unknown Accessory Detected” if an AirPod or other device was seen (see Apple screen cap at left). This wording could be confused with an AirTag warning. So the alerts will now specify “AirPod,” “AirTag,” or the name of whatever particular device was detected.

2. Setup will caution against illicit use. When setting up an AirTag, users will see a caution that says tracking people or vehicles “is a crime in many regions around the world.” That’ll scare those crooks! (This wording is already included in the fourth beta of iOS 15.4, which was released last month.)

3. New text in documentation. Apple’s support document HT212227 was updated to include additional wording about unwanted tracking.

4. Alerts will be displayed visually, in addition to tones. When an AirTag is far from its registered owner, the device will emit a tone at random intervals 8 to 24 hours apart to warn potential victims. Soon, AirTags will also display a visual alert in an iPhone or other device. (You wouldn’t notice the little beep if someone had planted an AirTag underneath your car and you didn’t happen to be right there.)

5. A slightly louder beep. Apple says it will adjust the 8-to-24-hour warning sound to use “more of the loudest tones.” Unfortunately, an AirTag might have been planted by someone in your household. In that case, Apple’s support document says, “you won’t be able to play a sound” from an AirTag “if the item is within range of its owner.” Good luck if you have a control freak for a boyfriend!

6. More precise directions to unwanted AirTags. Even if you’ve been notified that an AirTag has been deviously planted in your belongings or attached to your car, it can be devilishly hard to find the button-sized tracker. You can always use Find My to make an AirTag play a tune. But that may not be enough if the device is taped to your car’s dark underside, squeezed behind a license plate, or wherever. But if you have an iPhone 11, 12, or 13, your phone may be able to use Apple’s U1 Ultra Wideband chip to show you the approximate distance and direction to the AirTag you’ve been warned about.

Be aware: Apple’s documentation tells you how to disable an unwanted AirTag by removing its battery or shutting it down via the app. But the company fails to mention that you should do this away from your home or office. The stalker is notified when an AirTag has been disabled. Its last reported location may act as a signal: “They’ve found the tracker — do the deed tonight, before they move the Ferrari.”

A homemade device is all that’s needed to defeat Apple’s security

As you might notice from the preceding list, the steps Apple is proposing to take won’t do much to protect you. All of us — whether we use an iPhone or not — can still be stalked by jealous suitors and tracked by car thieves. (Midnight movers attach AirTags to high-value autos in public parking places and then steal the vehicles from more-secluded neighborhood streets.) In addition, Apple still isn’t promising Android users an official app that would run in the background and provide alerts without the need for you to constantly check manually.

AirTag clone

A new device, based on an ESP32 “system on a chip,” easily defeats all existing and planned AirTag security features. (See prototype at left.)

Consisting of nothing but a tiny ESP32 board, a USB cable, and a battery, the “stealth AirTag clone” is a proof-of-concept developed by Fabian Bräunlein, a co-founder of the Positive Security consultancy.

The prototype doesn’t look like much. It’s sure a lot more nerdy than an AirTag’s shiny, dollar coin–like disc. But the clone seamlessly communicates using the free bandwidth of the 1 billion or so Apple devices that the company has quietly enlisted into its global Find My network. And it completely bypasses every security feature that Apple has already implemented, plus the wish list the company has proposed to add at some point in the future.

While publicly demonstrating the weakness of Apple’s security, Bräunlein has (to his credit) withheld the Python script that enables the clone’s stealth features. Unfortunately, malicious hackers won’t take long to duplicate the clone’s bypassing of Apple’s tracker protection — if they haven’t figured out the code already.

Welcome to the future! It’s not just Big Brother — now Big Everyone can track you.

All of this is explained in a Positive Security blog entry. In that exposé, Bräunlein reveals a withering disdain for the world’s most valuable corporation having mass-produced low-cost tracking devices with barely-there security features:

They introduced the first-ever system for easy, cheap, worldwide tracking into a world where “unwanted tracking has long been a societal problem,” applaud themselves for implementing broken anti-stalking features, and now coerce others into also implementing protection against the tracking network they have rolled out.

Apple representatives did not respond to my requests for comment.

Unfortunately, Apple is not the only problem. Samsung sells Galaxy SmartTags, but its app doesn’t proactively warn people of unwanted devices, and the so-called Scan and Secure app for Tile trackers isn’t expected until later this year, according to a CNET article.

A free app gives Android users automatic warnings of unwanted trackers

Apple, Samsung, and competing manufacturers of iOS, Android, and other phones should work together to ensure that all users receive an automatic notification whenever a tracking device they don’t own is moving around with them or their vehicle.

AirGuard

Until that day comes, the free AirGuard app is the solution for Android users. (See screen cap at left.)

Developed by the Secure Mobile Networking Lab (SEEMOO) of the Technical University of Darmstadt, Germany, AirGuard runs in the background on Android devices. It automatically notifies you of trackers, including AirTags as well as stealth AirTag clones.

If a tracker is detected, AirGuard can make an AirTag beep to help you locate it. You can also view a map that shows the point where the tracker was initially detected and its locations in connection with you thereafter. The diagram might help you correctly guess where someone had first planted the tracker in your belongings or your vehicle.
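
The kind of check a background scanner can run to decide that a tracker is moving with you, as an added example that is not AirGuard's code and not from the original column. The sighting format, the thresholds, the function names and the assumption that each tracker keeps one stable identifier are all made up for illustration.

```python
# Simplified "is this tracker travelling with me?" check (illustrative only;
# not AirGuard's algorithm). Thresholds and record format are assumptions.
from collections import defaultdict
from math import asin, cos, radians, sin, sqrt

MIN_SIGHTINGS = 3        # assumed: sightings needed before alerting
MIN_DISTANCE_M = 400.0   # assumed: separation that counts as a new place
MIN_SPAN_S = 30 * 60     # assumed: minimum time from first to last sighting

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371000 * asin(sqrt(h))

def distinct_places(points):
    """Keep only points at least MIN_DISTANCE_M from every place kept so far."""
    places = []
    for p in points:
        if all(haversine_m(p, q) >= MIN_DISTANCE_M for q in places):
            places.append(p)
    return places

def following_trackers(sightings, own_ids=frozenset()):
    """Return sorted ids of trackers seen with the phone at 2+ places over time.
    sightings: (unix_time, tracker_id, lat, lon); lat/lon is the phone's position."""
    by_id = defaultdict(list)
    for ts, tid, lat, lon in sightings:
        if tid not in own_ids:              # never alert on the user's own tags
            by_id[tid].append((ts, (lat, lon)))
    flagged = []
    for tid, seen in by_id.items():
        seen.sort()                         # oldest sighting first
        span = seen[-1][0] - seen[0][0]
        places = distinct_places([pos for _, pos in seen])
        if len(seen) >= MIN_SIGHTINGS and span >= MIN_SPAN_S and len(places) >= 2:
            flagged.append(tid)
    return sorted(flagged)

# Constructed sample: tag-A moves with the user, tag-B is a neighbour's tag
# seen repeatedly at one address, tag-C is passed once.
SAMPLE = [
    (0, "tag-A", 49.8728, 8.6512), (0, "tag-B", 49.8728, 8.6512),
    (1200, "tag-A", 49.8775, 8.6545), (1200, "tag-C", 49.8775, 8.6545),
    (3600, "tag-A", 49.8850, 8.6700), (7200, "tag-B", 49.8729, 8.6513),
    (9000, "tag-B", 49.8728, 8.6512),
]
```

Requiring both elapsed time and a change of place is what keeps a neighbour's stationary tag or a tag passed once on the street from raising an alert.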

Warning: An AirTag may not have a working speaker that enables it to play its notification ring tone. It’s easy for a malicious person to disconnect the speaker. An AirTag doesn’t notice the malfunction and deactivate itself — a serious security flaw. Instead, it continues to silently report your location to a stalker, as Bräunlein notes in his blog.

If you think no one has noticed the AirTag’s ease of use for stalking people and tracking high-value vehicles, note that entrepreneurs have been disabling speakers and selling “silent AirTags” for months on eBay, Etsy, and elsewhere, as Bräunlein’s blog illustrates and PCMag reports.

Being a mere app, AirGuard also cannot protect you from other security holes that the developers at Apple naïvely baked in. For example, any owner of an AirTag can report it to Apple as “lost” and enter a phone number to be called by any Good Samaritan who finds the device. But the phone-number field — in a novice-level mistake — is not limited to numbers. It accepts computer code that can infect people’s devices with a Trojan horse, as security writer Brian Krebs explains.

OK, so AirGuard can’t magically keep you safe from every form of malware. But it’s a lot better than the half-baked Android app that Apple’s developers put out. You can get AirGuard from SEEMOO’s GitHub page, Google Play, or F-Droid.

Apple could easily provide true security for AirTags

Apple probably has some free-market right to put out mediocre products and services. But it would be so simple for Apple to fix the glaring defects in its AirTag hardware and software that you wonder why the Cupertino giant doesn’t simply make things right:

  • All iOS, Android, and other operating systems should have automatic notification of unwanted tracking devices built in and turned on by default. Apple devices enjoy automatic notification when first turned on. The company could easily work with Google, Samsung, and other providers to make auto-alerts a feature of every smart device.
  • Apple should make the identity of an AirTag-using criminal immediately available to someone who has found a tracker attached to their belongings or vehicle. At present, according to Apple’s law-enforcement guidelines (PDF), “With a serial number, Apple may be able to provide the paired account details in response to a subpoena or greater legal process.” In this case, a subpoena would be issued by a police department and “greater legal process” means a court order.
  • Anyone who discovers an unwanted AirTag can easily discover its serial number, as Apple’s support document describes. Armed with this number, a person who’s in imminent danger of being assaulted or having their vehicle stolen shouldn’t have to suffer any legalistic delays to find out who is threatening them.
  • Any lowlife who plants a tracker on someone or their vehicle — without their consent — has already committed a serious crime under US law, as BrickHouse Security explains. A criminal who is planning to do someone harm shouldn’t have any privacy rights that override a victim’s right to know who’s tracking them.

As you’ve heard many times, every technology can be used for good or for evil. But the tracking devices by Apple and others don’t have to be so easy to repurpose as criminal tools. AirTags and their competitors can be made much safer than they are today, with little expense to the companies responsible for widely distributing them.

The PUBLIC DEFENDER column is Brian Livingston’s campaign to give you consumer protection from tech. If it’s irritating you, and it has an “on” switch, he’ll take the case! Brian is a successful dot-com entrepreneur, author or co-author of 11 Windows Secrets books, and author of the new fintech book Muscular Portfolios. Get his free monthly newsletter.


Stories in this week’s Plus Newsletter

LANGALIST

Do external hard drives make sense in the cloud-storage era?

By Fred Langa

With effectively infinite storage available online, is there any point to storing files and backups locally, on external hard drives? A subscriber’s question prompts today’s first item.

The second item looks at a PC electrical glitch. A subscriber has a battery-backed uninterruptible power supply and an emergency generator. Trouble is, they won’t work with each other! Here’s what’s probably going on, and how to correct it.

Last, you’ll see ways to connect to an unknown, potentially compromised, public USB charging port — without risking your device’s data!

LINUX

Linux malware is on the rise. What should you do?

By Sandra Henry-Stocker

Threats to Linux systems used to be relatively mild because Windows was a much larger target, outnumbering Linux systems by a huge percentage.

Not any longer. Linux has become a much bigger target due to its increasingly significant role on Internet of Things (IoT) devices, virtual machines, containers, cloud services, and supercomputers.

PATCH WATCH

Understanding the zero days

By Susan Bradley

If you take a look at the known, exploited vulnerability listing as put out by the Cybersecurity & Infrastructure Security Agency, you’ll find that the list is long and confusing. Even if you cut it down to just Microsoft and Apple, it’s still a bit overwhelming, to say the least.

I’m going to focus on two bugs, to showcase differences in how the attacks occur on Windows and Apple and what the attackers are going after.


The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.

Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, AskWoody.com, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners.

Copyright ©2022 AskWoody Tech LLC. All rights reserved.