Skip to main content

AirTag stalking ‘frighteningly easy’; multiple problems identified

A new report today says that AirTag stalking is “frighteningly easy” thanks to a number of weaknesses in Apple’s privacy protections.

It reveals several ways that an abusive partner could circumvent the measures Apple takes to alert stalking victims …

Background

At the time AirTag was launched, Apple was keen to stress the anti-stalker measures it has taken:

  1. If an AirTag you don’t own moves with you (and the owner is not also doing so), an alert pops up on iPhones. This alert appears when you arrive home, or at a frequently-visited location.
  2. If you don’t own an iPhone, an audible alarm will eventually be triggered.
  3. If you find an unknown AirTag on you, you can scan it with either an iPhone or Android phone and it will take you to an Apple webpage which explains how to remove the battery to disable it.
  4. Every AirTag has a serial number, so law enforcement can obtain owner details from Apple by presenting a court order.

However, groups who work with victims of domestic abuse say that these protections are inadequate in general, and especially so in the case of someone who lives with an abusive partner. (A number of factors, from fear to financial dependence, can make it difficult for a victim of domestic abuse to leave.)

In particular, three days is a very long time to be tracked without your knowledge if you are an Android user. Additionally, for a stranger stalker, they would be able to track you to your home address or another location you frequently visit, before you are alerted – in other words, after the damage is done.

AirTag stalking test

The Washington Post‘s Geoffrey Fowler carried out his own test, allowing a colleague to plant an AirTag on him to find out for himself.

AirTags are a new means of inexpensive, effective stalking. I know because I tested AirTags by letting a Washington Post colleague pretend to stalk me. And Apple’s efforts to stop the misuse of its trackers just aren’t sufficient […]

 To put Apple’s personal security protections to the test, my colleague Jonathan Baran paired an AirTag with his iPhone, slipped his tag in my backpack (with my permission), and then tracked me for a week from across San Francisco Bay […]

After placing an AirTag in my bag, my colleague was able to find my whereabouts with remarkable precision. Once he associated the AirTag with his iPhone, the tag’s location showed up in an iPhone app called Find My, included free with iPhones. (It started as a way to find lost Apple products and has now expanded to other things.)

When I was riding a bike around San Francisco, the AirTag updated my location once every few minutes with a range of about half a block. When I was more stationary at home, my colleague’s app reported my exact address.

The pop-up alert on his iPhone worked well, he says, as he was alerted multiple times. However, given that alerts only appear at home and other primary locations, that may not protect against an abusive partner.

An AirTag starts a three-day countdown clock on its alarm as soon as it’s out of the range of the iPhone it’s paired with. Since many victims live with their abusers, the alert countdown could be reset each night when the owner of the AirTag comes back into its range […]

Also troubling: There’s an option in the Find My app to turn off all of these “item safety alerts” — and adjusting it doesn’t require entering your PIN or password. People in abusive situations don’t always have total control over their phones […]

In many abuse situations, the alarm might never go off at all.

The only protection for Android users is the audible alert after three days, and it’s already been shown that the speaker can be disabled. The piece reiterates calls for Apple to work with Google as it did with COVID-19 contact tracing to develop a standard that gives Android users the same pop-up alerts as iPhone owners. It does also seem a no-brainer to require authentication to turn off the privacy alerts.

Photo by Tamas Tuzes-Katai on Unsplash

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear