Apple AirTag

In December last year, a story went viral on Twitter about the Apple AirTag. A lady named Jeana recounted how she discovered an AirTag had been stuck underneath the front passenger wheel well of her car.

It’s not confirmed that the AirTag was intended to be used for stalking the woman, but it is a distinct possibility. Recently, AirTags have reportedly been associated with luxury car thefts, where criminals apparently tag expensive vehicles that they know they can break into and then use the AirTags to simply follow them home.

When the AirTag was launched, in April 2021, Apple was keen to stress the anti-stalker measures it had taken:

If an AirTag you don’t own moves with you (and the owner is not also doing so), an alert pops up on iPhones. This alert appears when you arrive home, or at a frequently-visited location.

If you don’t own an iPhone, an audible alarm will eventually be triggered.

If you find an unknown AirTag on you, you can scan it with either an iPhone or Android phone and it will take you to an Apple webpage which explains how to remove the battery to disable it.

Every AirTag has a serial number, so law enforcement can obtain owner details from Apple by presenting a court order.

However, groups who work with victims of domestic abuse say that these protections are inadequate in general, and especially so in the case of someone who lives with an abusive partner. (A number of factors, from fear to financial dependence, can make it difficult for a victim of domestic abuse to leave.)

In particular, three days is a very long time to be tracked without your knowledge if you are an Android user. Additionally, a stalker who is a stranger would be able to track you to your home address or another location you frequently visit before you are alerted. In other words, the alert comes after the damage is done.

An AirTag starts a three-day countdown clock on its alarm as soon as it’s out of the range of the iPhone it’s paired with. Since many victims live with their abusers, the alert countdown could be reset each night when the owner of the AirTag comes back into its range.

Also troubling: There’s an option in the Find My app to turn off all of these “item safety alerts” — and adjusting it doesn’t require entering your PIN or password. People in abusive situations don’t always have total control over their phones.

The only protection for Android users is the audible alert after three days, and it’s already been shown that the speaker can be disabled. The piece reiterates calls for Apple to work with Google as it did with COVID-19 contact tracing to develop a standard that gives Android users the same pop-up alerts as iPhone owners. It does also seem a no-brainer to require authentication to turn off the privacy alerts.

Always be vigilant and search your personal belongings. For more advice or guidance, please contact us by email at security@valkyrie.co.uk or by telephone on +44 (0) 20 7499 9323.
