Researchers have cloned “AirTag” from Apple in order to demonstrate to the company that the security features can be bypassed. To provide evidence for this claim, researcher Fabian Braunlein of “Positive Security” produced a cloned AirTag, which was able to track a user iPhone for over five days without activating any tracking notifications.
The researcher has in fact circumvented some elements that according to Apple are used to identify an AirTag. First of all, the unique serial number associated with an Apple ID: in fact the clone does not use any serial number (nor for hardware or software). Even on privacy, the researcher expressed some doubts. Apple, in fact, wants to identify specific AirTags over time to distinguish the tags that travel with the user from a simply passing one.
During this example, a list of over 2,000 preloaded public keys was used , with one transmission by the clone every 30 seconds. In detail, the clone was based on the firmware ESP32 which often rotated the public keys, sending one periodically, with the list repeated every 17 hours.
Also, using an irreversible derivation function and overwriting the seed with the next round's output would make it impossible for law enforcement or Apple to obtain the previously transmitted public keys of the tag, even if they have physical access to the clone. During the tests, among other things, no Android app, as well as no iPhone, was able to find the cloned AirTag. Only “AirGuard” was able to report the cloned device.
In any case, through this experiment, the researcher charges that Apple makes changes to both the security and privacy of the network , especially to limit any episodes of stalking caused by the use of AirTag.
