Stalking You Is Easier. Let's Celebrate.
- By Stefan Hammond
- February 03, 2022
Here's an idea: leverage an existing network to help an ecosystem of users track their valued possessions. Roll out reasonably priced tracking devices.
Apple's new AirTag devices seem an obvious solution to the problem of lost pets or overcurious toddlers. "AirTag is a supereasy way to keep track of your stuff," says Apple on their website. "Attach one to your keys, slip another in your backpack. And just like that, they’re on your radar in the Find My app, where you can also track down your Apple devices and keep up with friends and family."
Cupertino has the best intentions with their USD29 devices, which leverage the Find My (iDevice) functionality baked into iOS. But after their release into the wild last year, the innocuous devices have been deployed by less-than-salubrious actors.
How it works
The Find My app is designed to provide basic functions for remote devices in case of compromise, like playing sounds on said devices or wiping them remotely. It's a powerful tool and has proven to work.
In a 2011 incident, “LAPD officers investigating an armed holdup used the iPhone 'Find My Phone' application to locate the suspect, who was still carrying the stolen device," wrote the Los Angeles Times.
Officers responded to an armed robbery call where "the victim told officers that a man had robbed her at gunpoint and ran off with her purse, which contained her Apple iPhone," said the LAT article. "Luckily for her, the Find My Phone tracking application was installed, and a local citizen let officers use his computer to track the cellphone."
The gendarmes detained a man matching the suspect's description. "Officers dialed the woman’s cell number and recovered the phone from the suspect's pocket." Further: "Investigators say the ability to track and locate items minutes and hours after the crime occurs are critical to their recovery."
But there's a flipside.
Bugged
Last month, a woman in the U.S. city of Baltimore reported a strange incident via Twitter. “She said she started getting alerts on her iPhone as she drove away from the bar that an AirTag was found moving with her — even with no other cars on the road," said tomsguide.com. "I checked all my things, like my purse, my trench coat pockets, my wallet — couldn't find anything," @Sega__JEANAsis wrote [on Twitter]." The problem? An AirTag attached to her vehicle without her knowledge or consent.
"Recent reports have come from Toronto, Detroit, and Houston of car thieves using AirTags to follow prospective vehicles from public places to locations where they can be more easily stolen," said the article.
The key is network awareness
Fortunately, @Sega__JEANAsis had access to an iPhone and scoped out the unwelcome tracking device. Earlier, Apple took steps to boost the security profile of their product, according to CNET. "Apple is adjusting its approach to its AirTags sensors, changing the time they play an audible alert when separated from their owner," said CNET. "The company is also creating new ways to warn people if an unexpected AirTag or Find My network-enabled device is nearby."
Another step: Apple's December 2021 release of an Android app called "Tracker Detect" — one of six apps Cupertino offers for its competing mobile OS platform (among them is one titled "Move to iOS"). "Tracker Detect looks for item trackers that are separated from their owner and that are compatible with Apple’s Find My network," says the app's description on the Google Play store. "These item trackers include AirTag and compatible devices from other companies. If you think someone is using AirTag or another device to track your location, you can scan to try to find it."
As is often the case, further issues remain.
The 'Good Samaritan'
Security researcher Brian Krebs outlined a scheme targeting the proverbial 'Good Samaritan' who finds a missing device. "The new USD30 AirTag tracking device from Apple has a feature that allows anyone who finds one of these tiny location beacons to scan it with a mobile phone and discover its owner's phone number if the AirTag has been set to lost mode," wrote Krebs. "But according to new research, this same feature can be abused to redirect the Good Samaritan to an iCloud phishing page — or to any other malicious website."
Krebs says that a “weaponized AirTag tracking device could be used to redirect the Good Samaritan to a phishing page, or to a website that tries to foist malicious software onto her device.”
Lesson for stakeholders
Apple's AirTag devices and similar tracking devices like those from Tile present opportunities and pitfalls for consumers and CDOs alike. Who tracks your network, and why? What are your options if a rogue operator latches onto a networked device?
The key is network awareness. And score a plus for AirTag devices — knowing that users can insert a trackable device in a wireless network should make CDOs and other stakeholders more aware of potential vulnerabilities within their employees' WFH networks.
Stefan Hammond is a contributing editor to CDOTrends. Best practices, the IoT, payment gateways, robotics, and the ongoing battle against cyberpirates pique his interest. You can reach him at [email protected].
Image credit: iStockphoto/Aycan