Hunted by an AirTag: how an Apple device can be used to stalk you

AirTag, like any other Apple device, is under close scrutiny, as the American tech giant boasts about its security and privacy. An experiment by CyberNews revealed that, besides being useful for finding your bag or wallet, AirTag makes it alarmingly easy to stalk another person.

In April 2021, Apple announced AirTag - a small $30 device that looks like a bag tag and is designed to attach to personal items, such as bags, wallets, or keys. Once connected to your iPhone, it appears in the “Find My” app and lets you locate the personal belongings it is attached to.

AirTag is a super-easy way to keep track of your stuff, Apple brags. AirTag sends out a Bluetooth signal that can be detected by nearby devices in the “Find My” network. With an iPhone 11 or later, precision tracking is enabled, meaning that you will even see the distance to your lost belongings and the direction to head in to reach them. The location information is encrypted, and Apple says it designed the device to discourage unwanted tracking by sending notifications each time an unrecognized device is near you. But it is not as flawless as Apple makes it sound.

While they may be very handy for people who keep losing stuff, AirTags can also be potentially misused. As the CyberNews experiment revealed, an AirTag makes it fairly easy to track someone’s location without the victim even being aware of being tracked.

During the experiment, Amy placed an AirTag device on the backpack of her colleague Kotryna and gave her a 5-minute head start before starting to stalk her. Now, Kotryna knew she was being stalked, and it gave her an advantage - she was moving quite fast so that the stalker (Amy) could not catch up with her.

The stalking experiment went on for more than two hours. During that time, Amy was able to see Kotryna’s location on her phone, but only after Kotryna sat down to grab a quick cup of coffee was Amy able to catch up with her.

Kotryna uses an Android phone, and Android phones reportedly work with AirTags only in a limited capacity. A cameraman who was filming Kotryna during the experiment also says he did not receive any notifications about an unwanted device despite being very close to it the whole time.

The experiment proves that you can follow a person for at least a couple of hours without them suspecting anything. Could you do that for a week or more? Kotryna brought Amy’s AirTag home on Thursday, after the experiment, and only on Sunday did it give away its presence by starting to beep. Interestingly, Amy’s AirTag was quite far away from her by then, as Kotryna had taken it with her to the seaside (more than 300 km away from Amy). The beep, Kotryna recalled, was quiet and short, so a victim might not even notice it.

During those couple of hours, Kotryna did not receive any notification suggesting that someone’s AirTag was on her, nor did the device beep at any point.

A Washington Post journalist recently carried out a similar experiment. He reported the same problems - the device gave itself away only three days after a colleague slipped it into his backpack. The chirp, he described, was light and didn’t last long, so you could easily miss it in a noisier environment. The journalist did get a notification that an unknown AirTag device was moving with him. But this safeguard is easy for an abuser to circumvent, as roughly half of Americans use Android phones and would not get any notification.

If Kotryna had an iPhone, she would have received a notification, once she was home, that an unknown AirTag was with her. The notification should also give instructions on how to disable an AirTag device that is not hers. Yet, as she has an Android device, her stalker (Amy) was able to see Kotryna’s locations at all times. Had this not been an experiment, Kotryna would have been unaware that someone was following her.
