Thieves Using AirTags to “Follow” Cars

From Ontario and not surprising:

Since September 2021, officers have investigated five incidents where suspects have placed small tracking devices on high-end vehicles so they can later locate and steal them. Brand name “air tags” are placed in out-of-sight areas of the target vehicles when they are parked in public places like malls or parking lots. Thieves then track the targeted vehicles to the victim’s residence, where they are stolen from the driveway.

Thieves typically use tools like screwdrivers to enter the vehicles through the driver or passenger door, while ensuring not to set off alarms. Once inside, an electronic device, typically used by mechanics to reprogram the factory setting, is connected to the onboard diagnostics port below the dashboard and programs the vehicle to accept a key the thieves have brought with them. Once the new key is programmed, the vehicle will start and the thieves drive it away.

I’m not sure if there’s anything that can be done:

When Apple first released AirTags earlier this year, concerns immediately sprung up about nefarious use cases for the covert trackers. Apple responded with a slew of anti-stalking measures, but those are more intended for keeping people safe than cars. An AirTag away from its owner will sound an alarm, letting anyone nearby know that it’s been left behind, but it can take up to 24 hours for that alarm to go off—more than enough time to nab a car in the dead of night.

Tags: , , , ,

Posted on December 6, 2021 at 10:25 AM54 Comments

Comments

Leo December 6, 2021 10:36 AM

Isn’t the criminal leaving behind a huge, uniquely identifiable, digital footprint every time they steal a car? Their apple id, app store login, credit card number – all things that should make it very easy to determine who the criminal was after the fact.

Beatrix Willius December 6, 2021 10:48 AM

For what do the thieves need an AirTag? Can’t they – like – drive around residential areas without AirTags to find a car to steal?

Peter A. December 6, 2021 11:27 AM

Hmm, thieves depending on some i-device which works only if a bigger i-device is nearby? Standalone GPS trackers (some even cheaper than an i-bug) are out of fashion now?

This is i-diotic, but somehow works in the widely i-nvigilated society.

Andy December 6, 2021 11:37 AM

Does the thief know how to unlock only particular models even when they’re locked? If so AirTags help locate the “needle in the haystack”.

Will December 6, 2021 12:00 PM

How is this any different from using a pet gps collar with a magnet. While not as small as an air tag, they are more than small enough to hide on a car with a magnet.

The only difference is this involves a big tech company name in the news titles to drive clicks.

Jim December 6, 2021 12:21 PM

“The anti-stalking measures [are] intended for keeping people safe [rather] than cars”… Wouldn’t stalking a particular car also stalk the driver of that car? Though, as others have said there are already countless other devices that provide the same functionality.

JonKnowsNothing December 6, 2021 1:01 PM

@ Andy @All

re: Does the thief know how to unlock only particular cars

There are 2 access points: External Doors and Starting the Engine.

For the Door they use a large screwdriver or other tool. They can force down a window. Older cars had a full frame around the window, new cars have no frame and the window rolls up against a pliable gasket.

For Starting the Engine, they use a common code box to connect to the “diagnostic connector”. That’s the one that dealers use to plug in their box and get the diagnostic code for what’s wrong. That’s same connector at the center of the Right to Repair. Once they are plugged in, they reprogram the car to accept a new key and once the new key has been authenticated they can open the doors and start the engine and drive off.

They have the firmware code for the types of cars they are interested in.

Essentially, they steal your password [keyfob] to the car and reset it to their own.

Tom December 6, 2021 1:53 PM

A locking fuel shut off valve would certainly slow them down. A friend in the 70’s installed one in his new van.
They’d have to get under the car and re-plumb the fuel line before they could even start it.

Another option is convert the OBD2 to a different 16 pin connector (you’d have to also make an adapter for legitimate use).

Ted December 6, 2021 2:16 PM

One of the nightmare scenarios IMO is that someone could scan for the AirTags and find things of value that would have otherwise been invisible… like wallets, keys, etc.

Chris December 6, 2021 3:43 PM

My understanding is that every Apple device scans for UWB transmissions to listen for AirTags. Meaning that Apple has programmed all its devices to aid anyone who uses AirTags. Including helping criminals steal cars.

I’m not a lawyer, so can someone explain to me why that isn’t Racketeering?

ResearcherZero December 6, 2021 4:48 PM

For Racketeering you need to prove that a party knowingly conspired to engage in criminal activity with other parties. I assume Apple does not know the criminals and has not conspired to assist with any criminal acts.

Ted December 6, 2021 4:57 PM

@Chris

Meaning that Apple has programmed all its devices to aid anyone who uses AirTags.

It sounds like someone could opt out of the Find My network.

When your device participates in the Find My network, it can both be located by the network and anonymously help locate other missing devices. You can choose to have your iOS or iPadOS device not participate in the Find My network by going to Settings > [your name] > Find My > Find My [device] and tapping to disable Find My network.

https://www.apple.com/legal/privacy/data/en/find-my/

SpaceLifeForm December 6, 2021 5:33 PM

TLO (Time, Location, Observation)

AirTag only works if there other devices nearby that are LISTENING on Bluetooth, AND they REPORT over another CHANNEL.

What likely occured in the Toronto area, was that the vehicle was ‘tagged’ in downtown Toronto, but then stolen in the suburbs (York, to the north. Can not go south).

And, once located, remove AirTag, Disable the AirTag, and go.

Maybe another hidden AirTag could help, but this sounds like a sophisticated group, so they probably move to an even more rural area, and then scan for hiiden. Moving to a more rural area likely would mean that there would be no LISTENER that could REPORT.

Using an iPhone with Cell and Bluetooth both enabled simultaneously, well, you may be inadvertantly helping crooks.

Ted December 6, 2021 8:01 PM

hi friends. I found an interesting technical video on youtube that talks a bit about the cryptographic and privacy technologies in the AirTag. Can anyone make sense of this? Good? Bad?

NO STALKING — AirTags & Find My Privacy Explained!
https://m.youtube.com/watch?v=jGgkYXa5YWc

I’d like to find a paper, but maybe later. (Still at work.)

Clive Robinson December 6, 2021 8:23 PM

@ Ted, ALL,

hi friends.

Though less used of late “the usuall suspects” was a way to refere to the more regular posters and readers of this blog.

If you are wondering where the term comes from watch the film Casablanca.

Where the French Police Inspector tells a subordinate to “Round up the usuall suspects”.

David Leppik December 6, 2021 8:36 PM

@Leo:

Apple has designed the tracking protocol to minimize the knowledge that Apple has about the locations of devices. It’s possible that Apple cannot tell who the owner is, even if they are in physical possession of the AirTags.

Ted December 6, 2021 9:23 PM

Alright. At least there is something in words.

AirTags — Are They Private & Secure?

And that works because, your AirTags have been been broadcasting on Bluetooth Low Energy. Just stealthily, silently, pinging away. Yes, one ping only, at least at a time. They’re not just tags, they’re FindMy Beacons. Pinging away.

And that ping is based on your symmetric key which, because of P-224, is 28 bites, and fits ever so nicely inside the 32-bite packet limit for Bluetooth 5.0.

https://reneritchie.net/airtags-are-they-private-secure/

https://reneritchie.net/apple-vp-answers-your-airtag-questions/

Ted December 6, 2021 9:29 PM

@Clive

Where the French Police Inspector tells a subordinate to “Round up the usuall suspects”.

There are so many movies I need to see!

JonKnowsNothing December 6, 2021 10:11 PM

@ResearcherZero, @All

re: For Racketeering you need to prove that a party knowingly conspired to engage in criminal activity with other parties.

IANAL

Over on Marcy Wheeler’s site she’s been following our Dec 37 drama. bmaz has been augmenting some about the legal issues with “conspiracy”.

It’s not as straight forward as I had thought.

The part about “knowingly conspired” and “direct involvement” may not be a requirement to be included in the conspiracy group.

iirc(badly) You don’t need to have been in the group that physically knocked down the door, you just need to have known that the group might knock down the door, even if you stopped being in contact with the group for some time before they did the knockdown.

It’s the “knowledge of” part that’s tricky and it seems a number of our Dec 37th revelers are finding that out too.

iirc(badly) Racketeering RICO covers different aspects.

ymmv IANAL but bmaz is…

Ted December 7, 2021 12:46 AM

Your iPhone will alert you if you have an unknown AirTag with you when you arrive home. It knows your home’s location “of course based on your address book or learned from prior travel patterns.”

This is good?

Then you get instructions on how to disable it, by taking out the battery, for example.

Okay good.

Every AirTag has a unique serial number. And that serial number is tied back to the AppleID it was paired with. The serial number is printed on the tag and is also accessible to any standard NFC reader.

This is good, I think.

Apple’s Ron Huang, Senior Director of Sensing and Connectivity has more. (April 2021)

Disclosure: This was my attempt at paraphrasing one part of one article. 👍

https://reneritchie.net/apple-vp-answers-your-airtag-questions/

Ted December 7, 2021 12:52 AM

@SpaceLifeForm

And, once located, remove AirTag, Disable the AirTag, and go.

Connect the dots. Think outside the box. No signal is signal.

Firmware. Updates. $29.

This device is secure; I can hold it in my hands. Said no one ever.

JonKnowsNothing December 7, 2021 2:07 AM

@All

The functionality of the tracking system is similar to the LoJack system.

The police had a GPS Map & Tracer device that would guide them to the source of a LoJack signal.

Matthias U December 7, 2021 3:01 AM

The problem is one of externalized cost, as usual: it’s not the car maker’s problem if your car is stolen. Quite the opposite, they get to sell another car.

I can immediately think of a bunch of ways to alleviate this problem:

The car’s alarm should go off when the thief forces the window / door, and there should be a mandatory lock-out.

The car should impose a waiting period before a new key works.

As the owner, you could add a hidden switch somewhere that must be pressed to physically connect the ODBC cable.

Givon Zirkind December 7, 2021 3:55 AM

If they can get in, why wait to steal the car? Why need a tracker? Do they steal the cars at night, to gain time to chop shop it and disconnect Lojacks, whatever?

Peter A. December 7, 2021 4:54 AM

@Givon Zirkind: the original text says they’re planting tags at malls etc. and stealing from driveways. So it is a delayed watering hole attack.

It is much easier to locate targets at malls while not raising suspicions: 1. lot of cars on a small area; 2. lot of people wandering around and driving in and out. The other method would require taking time to drive through vast “nice” neighborhoods, using mostly the same cars. Such neighborhoods sometimes employ private security and/or have cameras, and usually get more attention from the police. A random car driving around will rise suspicion and possibly elicit a traffic stop with possibly unpleasant consequences. A random person walking in a mall’s parking lot – not likely.

The described method of stealing takes time. There are lots of eyes, both natural and electronic, at shopping malls and a lot of traffic during daytime – somebody will likely notice and react. Not so much vigilance is present during nighttime in some suburban area. There’s more time to perform the deed before someone sees and reacts.

The only thing needed is to connect two points of spacetime: shopping at a mall and parking in a driveway. (Use your garage to store your valuable car, not useless rubbish. Oh, you have three cars and one garage. Poor you. Maybe erect some fence and a lockable gate? Oh, zoning rules, damn it.)

Clive Robinson December 7, 2021 7:28 AM

@ Bruce, ALL,

Is it now time to mention that it is not only Apple that make such tags?

Apple in effect was a late entrant into this “MESH Network”[1] remote location game, as are Amazon (Sidewalk), Google and Samsung (SmarTag).

The crowd funded Startup “Tile” has been doing what some call “Smart-tag 2.0” since around 2013 nearly a decade ago. Their “Tile Network” is their “MESH Network” remote location equivalent.

Tile were recently purchased for around 200million by Life360[4].

But the technology trail blazers on all of this goes back a long way[2] I got proffessionaly involved in the early 1980’s and had some theoretical and practical experience of the ideas back in the 1970’s.

Look up the likes of Phil Kan (KA9Q) and his predecessors and pre TNC modems,

https://en.wikipedia.org/wiki/KA9Q

What has held back takeup of the ideas and technology for nearly 80years is the size and cost of practical technology and thus the range available. Also the issues with UN controled Radio Spectrum managment via the ITU and the “squable” of arguing state representatives doing politics and spy craft in equal measure.

[1] MESH Networking has been common knowledge in the tech sector all of this century. Originally it became a known in a wider social scale by “disidents” using it in Hong Kong. There are now even “prepper products” that alow “Off Grid” usage of your mobile phone to send SMS’s over distance when there is no cell service.

https://en.wikipedia.org/wiki/Mesh_networking

https://en.m.wikipedia.org/wiki/Category:Mesh_networking

[2] Obviously once a base communications system like mesh networking is “in place” you can do just about what you want to ontop. The trick is getting various things right. One major issue is “coverage” and it’s complex due to the use of “shared resources”. The important rule of thumb though is the more users the less range is required. So higher frequencies with grater bandwidths and lower power result if people look up ARDEN you will see systems with more bandwidth than most mobile broadband. Back when I started we built NE565 or 4046 PLL circuits to generate FSK modems at 75baud for use on HF and VHF using SSB radios… The “home computing” brought the price of microcontrolers down into the “just affordable” range. Just a few years later I was writing DFT and “Numerical Oscillator” code for Z80 systems that did “Piccolo” all in software and worked reliably below Signal to noise ratios where even the best Morse code operators struggled. These days we have Nobel Prize winners writing software that gets even deeper into the noise.

[3] Unknown to many the Amateur/Ham Radio fraternaty has been doing mesh networking since before the term was invented. By using APRS since the 1980’s and other systems earlier, with the ISS taking it into space,

https://amsat-uk.org/beginners/how-to-work-the-iss-on-aprs-packet-radio/

So APRS is now not only globe circling but globe spanning with it’s own “remote location web” sites like,

https://www.aprsdirect.com/

But the person who has the best claim to have come up with the idea was Gorden Welchman, who thought it up as part of his seminal work that gave us “Traffic Analysis” back at Bletchly Park in WWII. With his thinking it gave us not just the mesh concept but remote location updating, and also gave us the Internet that came directly out of his further development on highly falut tolerant millitary networks whilst working at US “think tank” Rand Corporation.

[4] https://gizmodo.com/tile-is-being-acquired-after-apple-s-airtags-made-locat-1848110596

neill December 7, 2021 8:48 AM

an Audi executive said in an interview that technically they are able to prevent car theft almost 100% but they won’t since you would see more carjackings afterwards, and they rather loose a car than a customer **

**(which obviously would buy another one later)

this is from memory, 20 some years ago

ffff December 7, 2021 2:37 PM

I was thinking of what Clive R said about large mesh networks and did a quick search on Range of Air Tags. Wikipedia as a fairly good write up on UWB and the Air Tag. With a high number of iphone users it could be much more than 100 meters. I then just search for Air Tag range and found this:

“… like the Tile Pro… or Samsung Galaxy… have a maximum range of 300 feet or 100 meters. Apple’s AirTag matches this in basic bluetooth range, plus AirTags have an effectively unlimited range due to Apple’s global Find My network of iOS devices. Does that mean you need to walk or drive around with your iPhone in your hand until you are within 300 feet 100 meters of your lost bicycle with AirTags in order to find it? Nope. The best part about finding something with an AirTag is that it uses the network of Apple products and users to help you find your lost item (the so-called “Find My network”)… so you really just need anyone with an iPhone to be within 300 feet or 100 meters of your lost bike and you’ll be able to find it. With already nearly a billion Apple devices in the Find My network worldwide, someone will walk by your bike soon and you’ll find your AirTags-tracked device quickly… [also see Tracking an AirTag from 3,500 miles away].” -airtagreviews

see: hxxps://airtagreviews[.]com/?p=863

I Then realized various 3 letter agencies may have sensitive equipment on cell towers and Drone aircraft that may be able to track Air Tags of journalist or other people “of interest”. This could also be used by debt collectors and private investigators and so on. I will say that it is unlikely but anything could happen.

PS: Excuse all of the mistakes I had to bang this out. Above link bronken to hinder bots. My handle is a variation of my old handle used here years ago.

Sofa December 7, 2021 4:05 PM

John Gruber’s perspective, from DaringFireball:
Canadian Police Claim AirTags Are Being Used by Thieves to Track Cars They Intend to Steal

Five incidents out of 2,000 is not exactly a trend, but the basic idea here is interesting. I’m interested in knowing how the police figured out that AirTags were used in this way. Let’s say a thief hides an AirTag on your car while it’s in a public parking lot. Then you park the car in your home’s driveway. The thief comes in the middle of the night and steals your car. You call the police and they come to your home to investigate. How would they know an AirTag had ever been involved?

  • Sofa

Ted December 7, 2021 4:24 PM

@Sofa

How would they know an AirTag had ever been involved?

Omg Sofa. Totally.

I watched a video yesterday about a guy who put an AirTag on his friend’s car and tracked him. So this was to track a human, and not a car.

What if you want to know where someone lives? Or want to follow someone after they leave a jewelry store or a McDonald’s if you really love cheeseburgers. Are the police going to be able to request location data for these?

The video I watched was called:
“I TRACKED my friend using Apple AirTag WITHOUT him knowing! And he was on iOS 14.5!”

SpaceLifeForm December 7, 2021 6:48 PM

@ Sofa, Ted

How would they know an AirTag had ever been involved?

It’s not a problem if you catch a perp and get a warrant. The crooks are not that smart.

SpaceLifeForm December 7, 2021 7:38 PM

@ Ted

I watched a video yesterday about a guy who put an AirTag on his friend’s car and tracked him. So this was to track a human, and not a car.

Incorrect. It tracked the car.

Person A could have switched cars with Person B. Person B could have driven Random route for some time, until Person A and Person B met up again, and then switched cars back.

Ted December 7, 2021 8:21 PM

@SpaceLifeForm

Incorrect. It tracked the car.

Okay. You got me. It did track the car. However it was on his friend’s car for 18 hours. And his friend never received any kind of notification. Nor did he know it was there until the end of the experiment.

The guy was able to see his friend drive to Popeye’s for dinner. And the following day was able to find his friend at a pawn shop (after he asked his friend to drive to an unknown destination for a YouTube video).

His friends’s thoughts? Creepy

I hope they are still friends 😂

However, how hard would it be to track someone for any other reason? Want to see where your kids are going? Your partner? The person at the bar? Put in on their car, or in their purse or backpack?

How is this not going to get abused?

From what I read you can run up to 16 AirTags per each Apple ID account.

Clive Robinson December 7, 2021 8:28 PM

@ SpaceLifeForm, Ted,

Person A could have switched…

Aye, a wee story that goes back to the troubles in the aptly named Ireland.

There was a “Person of Interest” in the north, who knew that they were being followed around. So they started wearibg a pair of those “Micky Mouse ears” that came from Disneyland. Then the same old long trench coat baggy trousers and boots. Every day out he would go at the same time into town to get a bottle of milk then home then out again into town in the afternoon for a walk and a paper.

A team followed him day after day, week after week, month after month, come snoe, sleet, rain or shine.

Photos got taken reports written and all got collated and filed. The same with others from other parts of the North and more, discreetly in the South. Then one day a junior analyst with fluff under his chin noticed something odd in a photo from the south. There at the edge of a picture in profile was the spitting image of the man in the north.

The young analyst joked about it with a grey beard who was in the office with a “Hey look XXX has a twin”. The picture was passed and a cold hard stare and a very load curse was sworn, and gray dashed from the room.

Turns out there were two sets of Disney Ears, coat, baggy pants and boots in that quiet village in the north were nothing ever happened.

The moral, be sure that you are following what you should be following, and not something that looks the same.

Be it a car or clothes what is inside could be a different person.

A lesson that certain analysts should have been cognizant of when stupidly as their boss put it “we kill people based on meta-data”…

https://www.justsecurity.org/2014/05/12/video-clip-director-nsa-cia-we-kill-people-based-metadata/

Ted December 7, 2021 8:43 PM

@SpaceLifeForm, Sofa, Clive

It’s not a problem if you catch a perp and get a warrant. The crooks are not that smart.

Is it illegal to track a person with a bluetooth tracker?

Also, do we know for sure if Apple receives and stores any of the location data for the AirTags?

@Clive
Do you know what groups are “allowed” to track people? Surely it wouldn’t be permissible for any Tom, Dick, or Sally.

Ted December 7, 2021 9:01 PM

@Clive, SpaceLifeForm

“we kill people based on meta-data”…

Bet he didn’t get the job to comfort the children when they had nightmares. Jeez.

JonKnowsNothing December 7, 2021 9:49 PM

@Ted, @All

re: Do you know what groups are “allowed” to track people?

It depends on which country you live in.

Each country has it’s own laws regarding their citizens and persons living inside their borders (tourists, guest workers etc) and those who are outside their borders (foreigners).

Some countries have governments that track everyone inside, such as China.

Some countries have corporations that track as many people as they can such, as Verizon changing their default tracking to Opt-In even for those who have set Opt-Out, because they changed the name of their tracking app and so felt justified in overriding the setting to Opt-In for everyone.

Inside the USA there are 2 main LEO groups that have authority to track: Law Enforcement both Federal and State and the 3LetterJobs.

For the 3LetterJobs the place to start is the FISA Court. A basic summary is this:

  • The proceedings of the court are secret
  • The judges on the court are appointed by SCOTUS (Supreme Court of the US)
  • There is a line between “internal protected” and “external unprotected” communications.
  • Communications outside the borders of the US are open season.
  • Communications that have mixed ends: one inside the USA and one outside the USA are FISC areas.

It is the internal line that gets blurred by FISC. That’s their job.

eg:

  • Communication between APerson in Los Angeles and BPerson in Dallas is supposed to be protected internal communication inside the borders of the USA.
  • If the communication pathway endpoint in Los Angeles is routed through Canada and back to an endpoint in Dallas, this maybe open to FISA because the path exits the US border and re-enters from a foreign country (Canada).

The process is secret and exactly what’s tracked or harvested is often hard to determine.

===

h ttp s://e n.wi kiped ia.org/wiki/Federal_law_enforcement_in_the_United_States

h ttp s://en. wikiped ia.or g/wiki/List_of_United_States_state_and_local_law_enforcement_agencies

ht tps://en.wi kipe dia.org/wiki/Foreign_Intelligence_Surveillance_Act

h ttp s://en.w ikipedi a.or g/wiki/United_States_Foreign_Intelligence_Surveillance_Court

Ted December 7, 2021 10:27 PM

@JonKnowsNothing, ALL

Verizon changing their default tracking to Opt-In

Yes, wow. Did you see that? Peeps were not happy.

From Ars Technica:

https://arstechnica.com/information-technology/2021/12/verizon-ignored-users-previous-opt-outs-in-latest-push-to-scan-web-browsing/

And from the Twitter-verse:

I do not understand how many times companies need to be told this, but people absolutely DO NOT want to be tracked!

Especially via a method which isn’t brought to the forefront.

Especially, when it’s automatic and would have been discarded in an email!

@Verizon [bleep] off!

Clive Robinson December 7, 2021 11:11 PM

@ Ted, SpaceLifeForm, ALL,

Okay. You got me. It did track the car. However it was on his friend’s car for 18 hours. And his friend never received any kind of notification.

Because of a failure of simple logic that Apple’s people made because they did not think things through sufficiently.

And it’s one of those “Oh kick me to wake me up moments” when you realise or get told, but then when you think a little more you realise it’s a problem that,

“You can not simply solve”.

The basic problem is using “a contact” counter or timer to minimise resource issues on raising alarms without false positives.

First a little “scene setting” so you can see how the problem occurs,

Most days people broadly “do the same thing” it’s called “routien” and anyone who has ever done “close protection work” knows it gets you killed.

So you have an a-tag on your keys and hundreds of others have them on their keys or bags. You all pass by randomly and two people might walk down the same road together, or even drive down it and their courses intersect for a while. Obviously you don’t want an alarm being sounded every time that happens.

But another person lets call her Teddy has an a-tag on her bag. You both go to town by public transport. You sit on the same bus or in the same train carriage for upto say half an hour or even more. Again obviously you don’t want an alarm being sounded every time that happens.

How about a two hour or more plane flight?

Likewise again you obviously don’t want an alarm being sounded every time that happens…

How about if Teddy is your new squeeze, or prospective squeeze? And you spend the evening walking to a movie, and having drinks or dinner? Do you realy want a “stalker alert” to come up on her phone from your a-tag? It would be a bit of a mood killer, not to say a little creepy… But then saying on a first date,

“Hi you look great, you’ve a lovely smile, you don’t mind if I ask if you have an a-tag do you? It’s,just so I can register it with my phone so an alarm does not ruin our date?”

Yeah right that one went the way the birds did in autumn…

So the 64,000 dollar question, how long does an a-tag have to be in range of your phone before some algorithm decides it’s not your a-tag but it is being used to track you?

That’s the simple “timer” case…

The slightly harder “counter” case of how often does any particular a-tag have to be in range of you before it decides it’s a “stalker?”

How does that “counter” get effected by that commute to work, or walk to the coffee shop or waiting in the line at the deli at lunch every work day?

So you can see why Apple might set the thresholds way high to stop false alarms.

Now back to your car problem…

Let’s start the day with it in the parking garage under your appartment block.

I know you come down to drive your car to work at seven in the morning so I slip the a-tag out of the Evidence RF proof bag and under the rear bumper of your car just before then. You drive to work for ~45 mins then park up and walk away out of range of the a-tag. In case you don’t get out of range, I follow find your car and remove the a-tag and put it back in the RF proof evidence bag and slap a WiFi “game camera” up on a lamp post etc to watch your car from around the corner in my vehicle etc. I do this over several days till I know your morning routien and probable leaving work routien. Now lets say I know a little about electronics I take an a-tag and take the battery out and put a little timer circuit in their to turn it on and off at certain times that are shorter than Apples time thresholds but long enough to track you…

Now how about at the weekend… I bug your car shortly before you go shopping in the morning. You drive to the market park up and walk away from your car and go out of range of my a-tag. You come back drive to meet a friend and you walk away from your car again out of range of my a-tag. Lets say you go to the gym you park up and walk away from your car and my a-tag. You go out in the evening you park up and walk out of range of my a-tag…

Knowing a little about RF I know where to place my a-tag on your car so it’s range is not upto 300m but 10meter or less… Guarenteeing that when less than 15seconds walk from your car your iPhone is out of range of my a-tag.

The chances are you would stay out of range of my a-tag enough that it does not get triggered because of the false alarm counters have not reached their trigger values…

Yes a more complicated algorithm could work out that it was on your car. But the same algorithm would get falsely triggered by you commuting on public transport.

When you think about it, what ever timer or counter based “false alarm” prevention algorithm is used even quite normal activities would alow a window in which you could be tracked.

How’s that “Kick me” feeling?

Let’s take it up a notch,

If I was a semi-smart stalker I’d have half a dozen a-tags in little RF proof evidence bags, and when ever you stopped up and were out of sight I’d swap one a-tag with another I’d not used recently in some faux-random sequence.

That would stop most more complex algorithms dead in their tracks. But with a little thought you realise that as an attacker there is a slightly better stratagy with a-tag swapping that would stop even quite complex and resourse intensive algorithms dead, which I don’t need to go into.

Because it’s time to look at the issue a different way,

My real objective as the adversary is to fool your iPhone into tracking a variety of tags I have, without causing it to get close to any of the alarm thresholds. But what does that realy mean?

Let’s analyze the issue a bit,

I, knowing where my tags are, know where your phone may probably be, thus where you are. By a process of what is averaging I work out what your travel routien is without triggering any alarms.

But think a little further and you will realise that I can also work out using my own iPhone what the thresholds Apple have set are…

So I can “game the system” as long as it is sufficiently simple.

The next thought is can Apple make the system more complex? The answer to that is “yes but…”. Where the “but” is comprised of,

1, The number of tags(M)
2, The number of phones(N)
3, The average number of contacts(C)

And the resources required for each contact threshold alarm. As this is a C(N^M) problem you can see why they would want to keep the resorces required down by keeping things as simple as they can get away with without raising false alarms.

That is the entire system is designed to minimise it’s ability to recognise what we humans would call “BAD” surveillance “person tracking” whilst maximising “GOOD” remote “property location”.

The problem is technology wise the “GOOD” and the “BAD” are in most cases effectively the same due to the way the technology works.

Untill you get into the more sophisticated “gaming of the system”, where things get a whole lot more interesting. Because beyond a certain point, you start to use multiple tags…

That is it changes what you do as an adversary of the system. Because it becomes not the tags position you are locating but, the anonymouse phone on the user, that is locating the tags for you.

It might sound like an almost hair splitting difference but actually it makes a very significant difference as to what you can get away with without triggering any alarms.

That is look on it as a graph of a tree problem, it’s not the terminal nodes or leaves you are tracking but the penultimate node before the leaves. The more leaves you can present to the penultimate node, the more they look “random” rather than “purposeful” signal to it. But to you, the more it averages the supposadly anonymous penultimate node out from other penultimate nodes and makes it visable. This asymmetry works in the attackers not defenders favour.

Something very few would realise unless it’s specifically pointed out.

Oh and there is a whole bunch of maths just ready made to help become an uber-adversary. Look into “Low Probability of Intercept”(LPI) systems, Digital Watermarking, “Direct Sequence Spread Spectrum”(DSSS), “Frequency Hopping Spread Spectrum”(FHSS), Matched Filters and the real fun MIMO systems. Also “Electronic Counter Counter Measures”(ECCM) or “anti-jam” systems. Even basic “Digital Signal Processing”(DSP) gives information about things like “sampling” which altough on the face of it looks entirely different, is actually very relevant mathmatically you just have to see “sampling” in a more generalised way (think about it in another domain than the time domain).

Ted December 7, 2021 11:22 PM

“In her TikTok, which has over 16 million views, Estrada holds up the AirTag to her camera and says, “I’m literally f****** shaking — look what I just found on my car.””

https://www.intheknow.com/post/apple-airtag-tracking-device/

And another one:

“She then went to a police station to file a report, but said the officers told her that what had happened was not illegal.

“They would not take a report because there’s ‘nothing to report,’” she claimed. “I’m [supposed] to call them when someone shows up. That’s when they can help me.””

Surely not??

https://www.intheknow.com/post/airtag-stalking-allegations/

Ted December 7, 2021 11:49 PM

@Clive, SpaceLifeForm, ALL

“Hi you look great, you’ve a lovely smile, you don’t mind if I ask if you have an a-tag do you? It’s,just so I can register it with my phone so an alarm does not ruin our date?”

Hahaha!

Now lets say I know a little about electronics I take an a-tag and take the battery out and put a little timer circuit in their to turn it on and off at certain times that are shorter than Apples time thresholds but long enough to track you…

Interesting. A g@d dam smart person is hard to stop. I was wondering if someone could disable the AirTag speaker, and apparently this can be done:

On a side note, iFixit says it discovered multiple methods of disabling AirTag’s speaker — the plastic shell doubles as an audio output source — which could thwart an anti-stalking feature that alerts people nearby to its presence.

More from iFixit.

A full list of visible chips is provided:

  • Apple U1 ultra-wideband transceiver
  • Nordic Semiconductor nRF52832 Bluetooth low-energy SoC w/NFC controller
  • Likely Winbond serial flash memory
  • Maxim Integrated MAX98357B class AB digital audio amplifier
  • Texas Instruments TLV9001 1-MHz, rail-to-rail I/O operational amplifier
  • ON Semiconductor FPF2487 over-voltage protection load switch
  • Texas Instruments TPS62746 300 mA DC-DC buck converter
  • Likely ON Semiconductor DC-DC converter
  • Likely Texas Instruments DC-DC converter

https://appleinsider.com/articles/21/05/02/x-rays-show-how-apple-tightly-packed-airtags-internals/amp/

Clive Robinson December 7, 2021 11:54 PM

@ SpaceLifeForm,

I know you like to “join the dots” or think about things in an abstract way.

Well potentially a newish one for you.

I know you are aware of the,

1, Amplitude Domain
2, Time Domain
3, Frequency Domain

And possibly the,

4, Sequency Domain

And how they relate to “side channels” both overt and covert.

Well, finally someone has put the,

5, Event Domain

Into the Open Knowledge pool, why this has taken so long I don’t know but it now means we can talk about it more openly in a generalised way.

The problem of the Frequency and to a certain extent Sequency domains is that they are strongly linked to the Time domain mathmatically. Great if you are doing Fourier or Walsh transforms but otherwise limiting.

The Event domain is simply “time independent” that is events can be considered “random” certainly with regards short time scales but as “events do happen” they do average out over longer times and so might show trends that are not directly indicative.

There is some maths that relates to it, that is via the joys of “impulse response” but whilst you can make sound predictions about the results of individual events, you can not apply the usual sum or product rules as they have an implicit regular thus predictable component such as time.

But as an “event” is by definition “work” there is an “energy” or “mass” component that remains that is amenable to integration etc in a constrained environment or one in which inertia applies.

Any way it will be interesting to see if anyone picks it up and runs with it in the security knowledge domain.

Ted December 8, 2021 12:01 AM

@JohnKnowsNothing

If the communication pathway endpoint in Los Angeles is routed through Canada and back to an endpoint in Dallas, this maybe open to FISA because the path exits the US border and re-enters from a foreign country (Canada).

Seriously?

JonKnowsNothing December 8, 2021 12:55 AM

@Clive, @Ted, @SpaceLifeForm, @ALL

re: Because of a failure of simple logic that Apple’s people made because they did not think things through sufficiently.

Eons ago, I got tasked to setup an alarm for a specific network error.

  If X Event Then BELL

Most of my colleagues considered this trivial request, but after a while one gets the sense that there’s something other than Camembert in the closet.

And that was precisely what the problem was:

  The equipment was sitting in closets, not on some rack or in a data center, but shoved into a broom cupboard other forgotten location.

You can BELL all you want but in a broom closet, no one will hear the Equipment Scream.

SpaceLifeForm December 8, 2021 4:59 AM

@ Ted, JonKnowsNothing

Jon was joking

this maybe open to FISA

about the ‘maybe’ part.

Been happening since y2k.

Hope there is a good player at First Base.

JonKnowsNothing December 8, 2021 11:47 AM

@ SpaceLifeForm @ Ted @All

re: Jon was joking about the ‘maybe’ part.

I didn’t want to frighten the horses….

The US Committees that handle the FISA laws and the official sanitized reports have a hierarchy of who-gets-to-know. To get into the holy-of-holy group you have to forswear telling or revealing anything to anyone forever and ever.

A few members refuse to this arrangement. Those are the ones that press the more interesting questions. Due to the secrecy constraints they have to go a long way around a topic to try to get the official to divulge what’s really happening.

The officials have no issues with less-than-accurate or less-than-exact responses; they are masters of word re-definitions.

  • Relevant means All

General Hayden was far more entertaining than his successors.

===

ht tps://e n.w ikipedi a.or g/wiki/Michael_Hayden_(general)

WhiskersInMenlo December 23, 2021 12:14 PM

Another report involves tracking women (and others) to their home.

Predators, jealous,

There is an application for both Apple and Android …
that might notice the tracker.
That application requires bluetooth which is another risk set.

Jury tampering? Official intimidation.

Battered women shelter location discovery.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.