AirTags: Hidden Stalking Menace or Latest Overblown Urban Myth?
The plural of anecdote is not statistics. In the absence of hard data, however, anecdotes often stand in. That seems to be the case with the risk of unwanted tracking associated with Apple’s AirTags, cited in several recent news stories and some police reports as a vector for stalking and car theft.
If we take all reported incidents at face value, the total known incidents number no more than a couple dozen across the United States and Canada. Why the outrage and heavy coverage? The fear of what’s known is just the tip of the iceberg. That’s normal anxiety in regular times and accentuated in a pandemic era, in which our calibration is so far off it can be hard to understand how to judge risk and reaction.
Tracking the Unknown
Let’s review how an AirTag and the similar Chipolo ONE Spot work (see “Apple’s AirTag Promises to Help You Find Your Keys,” 20 April 2021, and “Chipolo Ahoy! The ONE Spot Find My Network Tracker Arrives,” 24 August 2021). These small, low-power Bluetooth-based items continuously broadcast an encrypted Bluetooth identifier that can be picked up within a range of up to hundreds of feet by Apple devices running recent operating systems. The Bluetooth ID changes at regular intervals to avoid reverse tracking: a static ID would allow someone to track the broadcasting item. (Apple adapted this approach for the system that it and Google provide for COVID-19 exposure tracking.)
Any Mac, iPhone, or iPad with an Internet connection and the Find My network enabled combines its currently known location with any Bluetooth network identifier that fits the pattern for a Find My item. This pairing of location data and Bluetooth ID is uploaded to Apple. Apple can’t use those location pings to determine the identity of any given device because the Bluetooth ID encryption allows only a native Find My app that’s part of an iCloud-linked account to request and decrypt the data. All AirTags and Find My items are paired using a single iPhone or iPad, and their encryption keys are shared among that user’s other devices.
Because of its compact size, intermittent Bluetooth transmission, regular ID change, automatic signal relaying, and long battery life, an AirTag would seem to be an ideal device to track someone without their knowledge. And it would be, except for the safeguards Apple has put in place to alert people who have an AirTag near them. I wrote an article that describes all the cases in which someone is alerted—see “When You’re Told an AirTag Is Moving with You” (4 June 2021). In brief:
- If an AirTag or other item relays consistently through your iPhone or iPad as you move across locations, you should receive an alert. That alert provides a lot of advice to the device owner about how to proceed.
- An Android user with Apple’s new Tracker Detect app installed can manually scan to detect AirTags and Find My items near them, but only on demand—not in the background as with iOS and iPadOS.
- After a random interval between 8 and 24 hours apart from an owner’s devices, a Find My item will produce a loud noise at regular intervals.
Those safeguards leave a fair amount of room to squeeze around the edges of notification. As I described in “13 AirTag Tracking Scenarios” (15 May 2021), a malicious person could put a tracker in a vehicle or bag owned by a partner and ensure that partner’s iPhone had the Find My network disabled. As long as the vehicle or bag was back near the stalker within about 8 hours, its alarm might never go off.
The issue of unwanted tracking is exacerbated by the squishiness around nearly every aspect of AirTags. We don’t know how many AirTags and similar Chipolo ONE Spot Find My trackers have been sold. We don’t know the number of alerts people receive daily about trackers traveling with them. Of that number, we don’t know how many are false positives: the times that a tracker incidentally near someone provokes an alert that has nothing to do with them.
Most important, we don’t know what number of Find My trackers are being used to attempt to track adults or non-custodial children without their knowledge and consent. (The issue of tracking your children or those you have guardianship over gets into more complicated legal issues that vary by state.)
What do we know?
- It’s feasible to use AirTags to track someone without their knowledge. It’s cheap and easy, but fraught with the chance of discovery and tracing it back to the AirTags’ owner.
- Police and individuals have found AirTags hidden in vehicles a few times.
- Police don’t quite know how to deal with reports by individuals who suspect they are being tracked.
- A fair number of media reports and some police announcements make a lot of assertions; the worst start to verge on common urban myths that play on deep-seated fears.
Let’s look into the media and police reporting.
A Roundup Reveals We Should Round Down
I’ve assembled several stories from the last few weeks, as seemingly credible accounts appeared of people believing that someone was either actively tracking them or had done so at one time. (Simultaneously, I’ve started seeing more people sharing first-hand experiences of using AirTags to recover lost and sometimes stolen stuff.)
The biggest flurry of stories and subsequent reporting emerged from the York Regional Police in Ontario, Canada, who said that, in what they believed were five different incidents, car thieves hid an AirTag on an expensive vehicle in a public parking lot in order to find it later at an owner’s home and steal it at their leisure.
The department posted this video to Twitter and a media release on their website (Internet Archive link) with a more detailed description and photos. (The release is no longer available, but this isn’t a retraction: the tweet is still up, and the York police appear to remove their posts consistently within four weeks, likely automatically.)
That was 2 December 2021, and several stories followed with specific incidents:
- A swimsuit model found one in her coat pocket: Brooks Nader explained on her Instagram account that she had received a warning about an AirTag traveling with her as she moved among bars one night and then headed home.
- Man finds Apple AirTag tracker on his Dodge Charger (Detroit, MI): This TV station has a single first-hand account. It also quotes local police anonymously with a story that’s suspiciously like the York release: “Thieves track the target vehicle and pick the most opportune time to steal—found mostly on Dodge products, parked in mall parking lots.”
- West Seneca Police warn of Apple AirTags being hidden on cars and Apple’s AirTags used to follow 2 women in West Seneca (West Seneca, NY): The West Seneca Police cite two cases and found a hidden AirTag in one of them.
- Crowley Police: Apple AirTag facilitating crime (Lafayette, LA): A local police chief asserts two cases with “a notification” but provides no details.
- Burlington Police give warning about Apple AirTags (Burlington, IA): “Police say they are getting calls from people who have received notifications on their phones that they have been air tagged and it will show them their route of travel.”
- Are Apple AirTags Being Used to Track People and Steal Cars?: This prominent end-of-year story in the New York Times had more smoke than fire, asking a question instead of making a statement. The story features several first-hand accounts but includes Mary Ford, “a 17-year-old high school student from Cary, N.C.…[who] realized it wasn’t a threat when her mother revealed she had put the tracker in the vehicle about two weeks earlier to follow her daughter’s whereabouts.” But “[Ashley] Estrada, who got the notification while in Los Angeles, eventually found the quarter-sized tracker lodged in a space behind the license plate of her 2020 Dodge Charger.”
I also found more general pieces that combined raising awareness and promoting general anxiety:
- Police warn of AirTags used to track people instead of items (Jacksonville, FL): Despite stating the police warning, this story doesn’t quote any police officers or leaders.
- Is it legal to track people using AirTags in Alabama? (Huntsville, AL): “The Huntsville Police Department says they have not had any cases of AirTag stalking yet.”
- Some Atlanta residents being tracked with Apple AirTags: “We uncovered eight police reports in our area, most within the last month…” the news station said, which could include people receiving false positives. But one person was definitely tracked via her vehicle across a long drive.
The most sensible accounting came from the University of Wisconsin’s police department in its post, Apple AirTags and Your Safety. The blog reports that “UWPD has had three reports of individuals reporting they’ve received an AirTag warning message in the past few weeks on the UW-Madison campus.” But it continues with a very important proviso: “In every instance, the AirTag could not be located… it’s very likely the AirTag signal was being picked up from a nearby apartment or residence hall room rather than the individual being maliciously tracked.”
Are people overreacting? No: the message is absolutely disturbing. If I were in a situation where I suspected someone might have followed me from a bar, from my place of work, or from school, I would absolutely call the police. And I’m a straight man—if you identify as a gender other than male and an orientation other than straight, I expect the sense of concern would be vastly higher due to the well-documented heightened risk of stranger, domestic, and ex-partner stalking and violence among the 70% or so of the population that covers.
But wait. If these incidents were happening regularly, I would expect to see an explosion of news stories. The AirTag offers a specific alert; finding one provides an actionable element for police, who are accustomed to GPS trackers being hidden on cars for stalking purposes. Reporting an alert might not get an officer excited, but finding an AirTag would certainly warrant a report. In some of the stories above, police even began or completed the process to obtain the registered information associated with the AirTag. In theory, that should lead to a culprit, and the news media should be following up on these stories.
Remember, AirTags are locked to an iCloud account, are associated with a phone number, and have an immutable serial number inside. To read the serial number, someone finding an AirTag only needs an NFC-capable Apple or other device; with other Find My items, an iPhone or iPad is required. All this would seemingly add up to making an AirTag a high-risk way for a perpetrator to track someone unless they had the foresight to create a burner Apple ID and potentially use a burner iPhone that could otherwise be tracked by its unique cellular ID. Apple may promise privacy for iMessage and a lot of other data, but the company will reveal via warrant things like to whom an iCloud account belongs.
Some of the reporting and the police statements smack of past panics and recurring urban myths. In the 1980s, law enforcement across the United States was convinced Satanism was rampant with human sacrifice, including the murder of infants. No matter that no adults or babies were missing—Satanist! From the Chicago Tribune in 1987:
But to a growing number of police investigators around the nation, stories of ritual mutilation, blood-letting and sometimes murder are all too real. In seminars and conferences, they have begun to train others to see signs of satanic motives behind otherwise bizarre and inexplicable crimes.”
Similarly, police alerts appear every year around Halloween about razor blades in apples or poison in candy, even though only four cases were reported between 2008 and 2019 in the US and almost none before that. A prominent 1974 candy poisoning story wasn’t random: a father murdered his child. There’s also the ongoing hoax of LSD-coated stickers intended for children. And the one about how flashing your brights at someone with their headlights off at night will lead them to follow you and kill you as part of a gang initiation despite no deaths ever reported this way. (Road rage is something else.)
It’s human to tell stories. It’s human to manifest fears within the modern world as expressions of distrust of technology. And there’s definitely a risk with Find My trackers that you could be tracked in a way vastly easier than with any previous device. Being aware can help, and Apple could do more.
Keep Alert for Trackers
If you’re worried, what reasonable efforts can you take to protect yourself and your loved ones against unwanted tracking?
- Leave Find My enabled: If you disable the Find My network, you won’t receive warnings that an AirTag is moving with you. (Conversely, disabling it prevents your device from relaying, but the value in receiving warnings is very high.)
- Pay attention to alerts: Apple’s alerts and explanatory details are clear and informative—read them and follow the provided links. No specialized knowledge is necessary to understand Apple’s instructions for finding and disabling Find My items.
- Listen for odd alarm sounds: Find My separation alarms are designed to alert people to the tracker’s presence—if you hear something odd, listen carefully and look for it. The alarm may be faint if someone has tried to muffle the sound.
- Explain the basics of Find My to others: Help those who know little or nothing about technology or the tech industry to learn what an AirTag is and what to do if they receive an alert or hear a sound.
- Contact authorities, if it makes sense: Upon finding an AirTag, if you have any doubts about your safety and you trust that law enforcement could improve on that, file a police report so the authorities can investigate further with Apple.
One thing that’s out of our control? Active scanning for nearby Find My items. It’s quirky that you can force a scan of your vicinity for Find My devices from an Android phone, but you can’t do the same from a piece of Apple hardware. In the iOS 15.2 beta, an item in the Find My app’s Items view read Items That Can Track Me, appearing to offer Tracker Detect capabilities. It didn’t ship in the production release of 15.2, but Apple should make sure it’s in an upcoming release. This would allow iPhone and iPad users to check their car, bags, or home if they’re concerned. (And Tracker Detect for Android should work automatically, as the Find My app does in iOS.)
Fundamentally, we can’t keep people from engaging in bad behavior. Before wireless technology, someone could have attached a can of flour to the back of your car, punctured it with a small hole, and followed the trail of white powder through the streets. Relatively expensive GPS trackers that are more powerful and don’t require relaying abound. An abusive or mistrustful partner might simply use Find My via Family Sharing to see your iPhone or MacBook’s whereabouts.
AirTags don’t offer a new kind of risk. They’re just a new and ill-understood entry in an old game that might encourage some people to go farther than is sensible or legal with regard to tracking other people. Apple should continue to refine parameters around the AirTags to favor safety while still making them useful for finding a lost backpack or keys.
I purchased AirTags for my wife and me to keep track of our car keys. I often run errands with my wife’s car, and I’ve been getting the warnings that an AirTag that doesn’t belong to me is moving with me.
That’s fine, but the notification never appears until I return home with the keys. If a bad actor were tracking me with an AirTag, wouldn’t that mean that they would discover where I live before notifying me about it?
I’ve considered getting an AirTag for my teenage daughter’s backpack since she brings her MacBook Air to school. But I’m holding off due to the privacy issue.
As I understand it, that is the correct behavior. The notification doesn’t happen until you arrive home or to a location iOS has identified as a frequent location for you. I assume this is to prevent false-positives that may result from casually being near another AirTag user (e.g. traveling on a bus or train near someone with his own tags devices).
See also Here's when and where Apple will alert you to an AirTag used for stalking | AppleInsider
As for what this means for a stalker, yes, this may be a concern. If he is using “Find My” to track the tag, then it would be reporting the tag’s currently location. But I don’t know how often this information updates, so it may not be real-time.
WRT your daughter, I don’t think it should affect your decision to get her a tag. The concern here is if someone else slips a tag into her bag, not about her using a tag for her own bag.
That makes sense… Thanks for the thoughtful reply!
Find one that is suspicious? Take a pict of it, Put it in a shielded bag or tin. (EZpass bags or static bags that have metallic coating should cancel signal out). Then notify authorities. Do not open at a home. Or if you want, stick it on a mail truck or amazon van. Or HD rental truck. Have fun, right? (I am being humorous here)
Note: it has removable CR2032 battery so, might even disable with removing it.
I’m curious about “other” tags, e.g. Milwaukee TICK. Like Airtag, the battery is replaceable. I mean, do we all have that One-Key App (might want to)? Its cheaper than Apple ($20 vs $30). Less obvious (black). And has screw eyes for fastening/ziptie. I was considering a pack of 4 @ ~$78, to put on tools my neighbor “borrows”. Especially the pricier tools, like portable miter and flooring nailer. Considering using some doublesided-VHB adhesive to attach.
But here’s the question: its likely community tracking. That is, whomever has the app (or with Airtags, iphone 11 & up with latest iOS) and within 100’ of tracker -also see iBeacons, it will use them to notify via nearest bluetooth device.
How does it track if no iphone or enable bluetooth 4.0 device is near, updating a server? What if someone steals your car? Might it be wise to have an Apple Tag or TICK on it somewhere (that perp won’t find? or would a clever one have an iphone to sweep and note if such? Ofcourse if car is that valuable, there is LoJack…). Would one put “Car has AirTag. Do not attempt theft” label?
Thanks for this article and thoughts about it being myth or menace!
FWIW, we also store our car keys in a homemade Farraday cage (an aluminum box lined with an extra layer of foil) when we’re at home to prevent anyone from cloning the keys - car thieves will clone keyless entry keys by using a signal booster from outside the house - it’s a thing here.
When AirTags are offline for too long, they will sound off once they are connected again.
The link in the article to When You’re Told an AirTag Is Moving with You - TidBITS has detail straight from the horse’s (Apple’s) mouth on this, too. Apple says the notification typically appears in these cases:
I don’t think there’s a guarantee it only appears in those circumstances, but it’s part of Apple’s efforts to reduce false positives. The bad part about this is that someone could obviously track you to your house if you arrive home and then receive the alert. I think Apple might consider suppressing relaying within some radius (maybe half a mile or a mile) of your significant locations until you’re alerted, too.
I keep trying to remember to research the best one of these. Apparently some of the ones that are sold in great numbers don’t actually provide the Faraday cage function, which is a very sad state of affairs.
Only tracks within Bluetooth range; no crowdsourced network.
Tile offers a crowdsourced network, but it’s pretty thin on the ground, so they haven’t had a stalker problem to contend with at scale. (Tile was just sold to a larger company in November, btw: Tile is selling its Bluetooth tracking business to Life360 for $205 million - The Verge )
My wife and I are experiencing the reverse problem. It appears you can’t FamilyShare an AirTag. If we both want to track our car, apparently we each need our own AirTag in it as I cannot find a way to give her access to an AirTag I originally paired with my iPhone and then dropped in our car even though we use Family Sharing for all our other stuff. In fact, we can even share our iPhone locations with each other (which we use a lot to find each other in crowded areas), but not the AirTag.
Yes, the tags rely on device-based end-to-end encryption. Find My device uses simple iCloud encryption. You’ll note that you can’t find family devices, like Macs, via crowdsourcing either, only if they’re on the internet.
I fashioned my own. I had a metal box that I received from Volkswagen when I leased my Golf. I glued a layer of aluminum foil to the inside. When I put the keys with AirTags attached in the box they are undetectable when the box is closed. If you can find an old cigar tin, that would probably work too.
I think this adds to the discussion on Faraday bags, including some information on the variable effectiveness of different solutions.
It is interesting to read in any case.
That was the one I read and forgot who had written it. Matt is a very smart egg and I trusted his experiments.
Thanks. I was surprised to see how poorly the metal tin did.
I wonder if it would work any better if the tin was electrically grounded. Of course, doing that would also make it immovable, so that would only be practical for some kind of built-in installation.
It should also be noted that a “shield” that is not properly enclosed could end up reflecting signals, causing them to be stronger in some directions.
I remember many years ago when I was using an old TRS-80 computer that this computer interfered with nearby TV reception (including the TV it was using as a display!) pretty significantly. I found that if I put a metal tray table over the top of the computer, it blocked the interference in the room really well. But it created a lot more interference for the TVs downstairs.
I guess what I’m trying to say is that RF is really complicated. Don’t think you can improvise something if you have a serious security concern, because you probably won’t be able to get it completely correct and a mistake may end up being worse than doing nothing at all.
I think for most applications the shield doesn’t need to be perfect. From what I have read the car thieves who clone keys use some kind of booster to pick up the unique signal. This assumes that most people keep their keys near the front door. On top of using the box, I keep the keys towards the centre of the house.
How can a car owner test whether their attempt at protecting their keyless entry fob is working? Remote keyless systems use much lower frequencies than the 2.4GHz range Bluetooth uses. I don’t know if containers effective at blocking Bluetooth are also effective at blocking the keyless entry signals, Matt Blaze’s tests didn’t include low enough frequencies.
I took my improvised box to my car, the door unlock function wouldn’t open, nor would the starter if the box was closed.
I’m sure there’s some signal leakage, but it wasn’t strong enough for the receiver in the car to detect it. Anyone trying to grab the signal would probably have difficulty reading it without sophisticated equipment.
Will each new brand of item tracker also require you to load its notification app? That would be A Very Bad Thing. At the same time, I can see 3rd party trackers proliferate, with probably less concern than Apple on use cases and facilities for identifying unwanted trackers.
It’s not AirTags that scare me here, it’s -everything else- with similar technology. Of course, that is subtlety that we’ll not get from tech journalists or newspapers, where “bad news about Apple” generates the clicks.
Same here. I can’t open the car from there and in the box the car can’t be opened or started. I bet it’s still not perfect, but it sure is good enough for me.
I have a friend who’s ex a couple of years ago was teasing/harassing her with obvious knowledge of where she had been. The friend had a mechanic check every inch of the car for a gps tracking device. The mechanic didn’t find anything, but she eventually discovered that her car’s app had a “where did you park” function that the ex still had access to on her cell phone. My friend deleted the account and that ended that.
This sort of activity has been happening for longer than AirTag and Tile has been around, and at least with AirTag there is a way to find out that a foreign one is following you around. My friend ultimately wasn’t being tracked by a gps tracker, but if she had been, there would have been nothing to warn her that such a device was following her around.
I put Tile devices on my luggage during a long trip, which included overseas travel. (This was in the Before Time.) I ended up concluding that they were a waste of money as they were rarely able to be located, and when they were found, the information was sometimes days behind reality. AirTags have a great advantage in this regard, in that they actually work, but they’re not exactly real-time either. (That’s why Apple doesn’t recommend them for putting on your pet’s collar.)
What happens when someone is using a directional “higher-gain” bluetooth antenna to “track” an Air Tag?
Seems not very useful. The transmission range isn’t very high and it re-generates its encrypted network broadcast ID on a regular basis—several times a day if not more often.
You can just remove the battery on any unknown AirTag you find. It’s really easy to twist the back off and drop it out.
The privacy issues are real, and Apple obviously thought of them and has made good efforts to mitigate them. It does, of course, make it less useful than it could be as a theft-tracking device that could lead you (or law enforcement) to the thief’s location.
I had a problem trying to re-pair a Siri Remote 2 from an TV HD to a 4K. Only when I put the HD, and Siri Remote 1 inside a metal tin (it came filled with lebkuchen) was I successful. This with the HD & Siri 1 at the other end of the house from where the 4K & Siri 2 are located. When I go to set up the HD in the bedroom, I’m going to put the 4K & Siri 2 in the tin box first!
For some reason this security issue confuses me … somethings are more intuitive, to me, than others: Does this imply a bad-actor activated their Apple tag to your phone? (and can reverse “Find” your phone?)
I’m not sure I exactly understand the question. Are you asking how a phone gets notified about a nearby AirTag?
I am basing my question on my recollection of how I set up my air tags, and my understanding on how the interface works: that an air tag is paired to a specific phone. The original post suggests, I think, that any phone will read any air tag in the vicinity
Still not sure what you’re referring to—the first comment in this thread?
AirTags are paired with a single iPhone or iPad. That also engages Pairing Lock, which has to be disabled from the paired device. Without disabling Pairing Lock directly from the paired device, an AirTag cannot be used again, even when it’s physically reset. (Activation Lock can be disabled remotely for an iPhone, iPad, Mac, or Watch, making it substantially different.)
The Android app Apple has released can reveal if an AirTag or other Find My item is in the vicinity—that is, within Bluetooth range. As of iOS 15.2/iPadOS 15.2, Find My will only show the whereabouts of Find My items paired with your device, and those aren’t shared with other people in a Family Sharing group.
Apple previewed a Find My featured in the 15.2 beta that didn’t ship that would let you scan for nearby AirTags just like the Android app. I assume that is coming, but it’s not in the iOS 15.3 beta, so perhaps later.
With the Android tracking app or a future iOS/iPadOS Find My feature, you’d be able to determine if an AirTag or other Find My item is nearby and then use whatever method is available with a found item to get its serial number, contact information, or other data. However, you can’t trigger a sound on it, as you can if an AirTag or other item is determined to be moving with you.
(I should note I get into all this in my Take Control of Find My and AirTags book.)
sorry, 2nd post in this thread indicated
“getting the warnings that an AirTag that doesn’t belong to me is moving with me”
So to clarify my question:
How does, an unfamiliar Air Tag i.e. an unpaired device appear in a users phone … unless, of course, it was surreptitiously paired to the phone.
Like I said, a little non-intuitive to me, sort of like 8-Track recording hardware, but I digress
The tag is paired to your phone in the sense that only your phone can request information about its location.
Any Apple device within range may pick up its signal and relay that signal to an Apple server, but that data will remain on the Apple server until its paired phone requests that data.
If someone else plants an AirTag on your person, it does not appear in your phone. You can’t track it, because it is already paired with someone else’s phone.
But your phone will be periodically reporting its location to Apple. The Apple server will figure out that that tag’s location is moving in sync with your phone and will send you an alert. But (as far as I know), you can’t tell your phone to show you its location. You will need to be alert to listen for its periodic audio alerts (which is generates at random times after it has been separated from its owner for more than 8 hours) in order to find it.
Needless to say, this is far from a perfect solution.
Exactly. Just has to be around you. The iOS/iPadOS system software recognizes that it has been relaying the same Bluetooth ID as you have moved from place to place. Apple particularly notes that you have to arrive at certain location you commonly go to, like your home or work, for the alert to appear on your device.
Because AirTag and all Find My items and Apple devices that use the Find My network change their Bluetooth identifier at intervals, this only works over relatively short periods of time where the same ID is recognized.
So it combines:
David, that’s correct in part: a Find My network device separated from its owner from between 8 and 24 hours (a randomly period, not just 8 or more hours) will make a sound.
However, if you get a “traveling with you” notice on an iPhone or iPad, you can trigger a sound on the Find My device by tapping a button on your iPhone or iPad. This is sent via Bluetooth. This allows you to pinpoint it aurally. (Though doesn’t help people who have hearing impairment.)
As noted in the article:
Suddenly the world seems to be full of people who constantly loose things or have a pressing (!) need to track their belongings.
Opinions may vary, fair enough, but I just can’t see any usefulness in these AirTags.
Apple isn’t anywhere close to being the first to figure this out.Tile has been around since 2013 keeping track of all kinds of articles.
John Gruber links to a good story about a positive use of AirTags.
Not all products are for all people. Personally, I’m not the sort of person who loses things. I have an AirTag that I got for testing, but it just sits on my desk, since I can’t think of anything that I want to track with it at the moment. If I was going to track meets and races, I’d put one in my duffle bag since it’s commonplace to leave bags around where anyone could steal them. It basically never happens, but it would be annoying if it did.
But my grandmother, if something like the AirTag had been available when she was alive and driving, would have adored it. She was constantly forgetting or losing her keys, her pocketbook, and more. I remember having to walk home with her from shopping trips because she’d lost her keys in a store and we had to go get the backup set.
I have to admit, like @mHm, I too got the impression that now that Apple has a tracker out, and years after there have been similar solutions from smaller companies, all of a sudden everybody seems to urgently need to track all kinds of super valuable stuff, all their movable belongings, their dog, and perhaps even their kid. It all seemed a bit ridiculous to me. I rarely lose stuff. Stuff that’s important to me I guard closely. Stuff I’d lose is obviously not really that important. So in short, I was quite skeptical.
But since I’m also curious I decided to get one and play around with it a bit. Turns out it was actually good at doing two things where I had little faith in the “conventional method”: shipping and traveling.
Because I have family on three continents and because I also collaborate quite closely with several colleagues abroad, I often find myself shipping something internationally. Now in general tracking these days is not bad. Often reasonably up to date, rarely flat out wrong. But still, every once in a while I’d find myself wondering if my parcel was really stuck in Paris Orly for five days or if perhaps it had just been shipped off with another carrier that doesn’t tie in to the USPS tracking system. So these days I sometimes just drop an AirTrag in with my package. It’s surprising how well it works even where there is no conventional tracking available or when it lags or fails to update. Next time my folks send something back, they’ll send me back my AirTag or I just pick it up when I next meet them.
The other thing is travel. Now in Asia and Europe I rarely lose my bags, but in the US I’d say on average every third flight one of my checked bags won’t end up on my flight. Part of it is much more frequent and shorter layovers, the other is the silly system we still employ where inbound travelers have to pick up their bags, drag them through customs, and then recheck them. Usually in some dingy corner of a run down airport with a bunch of seriously under-motivated (and probably even worse compensated) employees standing around making you wonder already then and there if your bag will be sent off three days late and to Honolulu instead of DFW. So I’ve now started dropping an AirTag into my checked luggage. Just the other week I was seriously impressed with how I could follow it around the tarmac while waiting at the carousel in Miami. Obviously there are just that many people with iDevices working at airports. It updated frequently and the accuracy was surprisingly good. And for anybody who’s ever dealt with the lost luggage people, you’ll recognize this situation where they don’t know where your stuff is, when it might be found, when it might even find its way back to the hemisphere you’re currently on, etc. Well, when United managed to ship one of my bags from EWR to Denver instead of Zurich, my AirTag let me know that my bag was departing Denver towards the East Coast before the UA rep at Zurich was even able to locate the bag.
Long story short, for me nothing super urgent or important. But considering the low cost, it’s a fun and at times indeed reassuring little tool. So I’d say I’m perhaps still a bit skeptical as to all the hoopla over it, but I’m no longer a skeptic.
Remembering where things is something that only some people do. My wife is an ADHD coach and, as a result, I’ve been immersed in ADHD stuff she’s swimming in. A lot of people who have ADHD don’t remember where things are.
There’s also a neurological division between low registration and high registration: folks with low registration have low spatial awareness, often bumping into things and not remembering where things are and where they put them. This is an inherent thing, not something you can just decide not to do. (I am very high registration, which makes it nearly impossible for me to discard information, and I can remember, say, the layout and objects in a room I was in once 20 years ago.)
Related, some people live in areas with enough crime to worry about theft. And, contrariwise, cars are stolen all the time in my low-crime part of Seattle (which is generally low on violent crime, high on property theft).
I have seven AirTags and Chipolo ONE tags…sitting in a drawer. Because right now, I barely leave the house with any stuff! Only with myself for walks or shopping. I have only be out of Seattle with my family and then twice (by car) in the last two years. Bad time for tracker sales!
Meanwhile, my 14 y.o. has some very nice noise-cancelling headphones they use to offset noise sensitivity. We agreed when they returned to school last fall that they needed to track them. So using some very nice acrylic adhesive, I attached a Chipolo to one side of the headphones! Matte black, the Chipolo was nearly invisible.
One of my many careers is as a type historian, and I have a $1,350 item I sell called the Tiny Type Museum & Time Capsule. I started shipping them in September 2020. Had AirTags been available, I would have put one in every package and a SASE for the recipient to send it back to me on arrival. Amazingly, not a single one of the 96 shipped to date have been lost. One meandered around for a few days. But it would have been nice to know where it was during its journeys.
I’ve considered getting one for one of my bikes.
TBH, if there were a thinner AirTag I’d get one for my wallet. I’ve never lost my wallet before, but I don’t want to learn what that feels like. I’ve seen 3rd-party competitors that come in a credit card like form factor for exactly this purpose.
Not for everyone, I get that.
The army moving story quoted by @ddmiller reads cool, it really does, as do some other examples.
However, AirTags start to beep after being separated from their owner for a certain period (the exact time varies, doesn’t it?)
How is that going to work in a parcel you ship? Will there be alerts with their related delays if somebody in a sorting centre hears this?
Whats does a bike thief do once they hear and locate the AirTag? Even before the 8 hrs are up, said thief might get an alert on his iPhone that there IS an Air Tag.
What happens at an airport in the bag handling centres once the AirTag starts to beep? A bomb alert? Not every journey is shorter than 8 hrs.
Leave a laptop bag/camera bag/gear bag intentionally over night in the office/workplace/at a friend’s house/even at home. After a while the thing gets on everybody’s nerves. Do you want to constantly have to manage your AirTags to avoid this kind of nuisance?
On balance, we read so many stories about stalking, theft prevention, getting items back after theft. I don’t think they work well for these scenarios and Apple apparently says they are not for theft cases.
Grandmas who loose their keys at the supermarket, ok, a good one. But seriously, such a giant technological effort for these use cases?
I think that some developers thought this up without thinking it through. Was the world really waiting for this or is this solution desperately searching for a problem to solve?
Yes. Why not? To give an anecdote, my son’s girlfriend misplaced her car keys when they were visiting during the summer of 2019. They were never found, which was discovered when she needed to leave to meet friends for a lunch appointment. It ended up costing her a lot more than an AirTag to have a locksmith come and replace they key, plus she missed out on her lunch appointment (we were not there and would have loaned her one of our cars for the day.) We all got a good laugh the next Christmas when we have her a gift of a couple of Tiles.
So much of the technology we use today fills what to others are trivial use cases. As always, if you don’t need it, if it provides you no value, then don’t buy it.
Right, there are definitely things I’d need to look up (beeping etc).
Is there an AirTag app that you need to see them? I’ve never gotten a notification that I was near one.
Others have made the point about the fact that it’s not for you doesn’t mean it’s not for everyone, but I’m wondering how big the effort really was? They had to add code to iOS to handle the network and design and build the AirTag, but the iDevice network already existed – they just leveraged it. In fact, it strikes me as something that didn’t take a lot of effort.
I agree with that. Seeing as to just how many iDevices are around and with Find My already existing, this seems to me almost like “low hanging fruit”. Don’t get me wrong, there was developmental effort for sure, but it also screamed waiting to happen just to leverage Apple’s broad reach. I think this also a key advantage over competitors like Tile (assuming they don’t just tie into Find My). Who else has such a huge number of devices distributed around the globe capable of “phoning home” at any time?
I would say, not precisely? There are really three Find My circles: People, Devices, and Network (Devices and Items):
I’m still not sure why anything thinks its strange to want to track stuff in case you lose it or leave it behind. Apple added a very nice little Find My feature a release ago that lets you get notified if you leave something behind—it’s a switch under Notifications for devices. Perfect to help avoid losing an iPad in a coffeeshop.
Yep, that’s pretty much what I thought. AirTags by themselves aren’t a particularly big added effort to what already existed.
From a privacy point of view, it also leveraged the design of COVID-19 contact tracing APIs designed with Google, right?
As of course previously noted:
I, too, was puzzled by the news stating that some women were being stalked because of AirTags. As usual the news reports left out details like the ones being stated here.
The question - how can anyone DROP an AirTag on a person and be able to follow a person???
Other way around: the Find My network was introduced a few years ago for devices only. The idea of “items” (Bluetooth, no Internet connectivity) came with the AirTags and then the licensing program. Some more licensed items were announced at CES this year two weeks ago.
Apple collaborated with Google to create a modified Find My network, more or less!
The model who said she was AirTag-stalked said her coat was on the back of her chair and she wasn’t always in the chair. I can see someone trying to slip a small item into someone’s possessions, but the odds of being caught seem really high?
There are also simple ways to disable the speaker so the AirTag doesn’t beep: Howto remove the speaker coil from the Airtag (make your Airtag very silent!) - YouTube
My wife and I spent decades working with victims of domestic violence and people being stalked. If there is any chance these devices can be used for stalking purposes that would be of grave concern. Many of the people we worked with were at high risk if they were being stalked. So reports of such happening would need to be carefully checked out.
BTW when a victim of domestic/relationship violence leaves the abuser they are at the most vulnerable and high risk time for violence. I would be interested in any information regarding the possibility of any of the tag resources being used in that manner. From the discussion thus far I’ve not heard anything certain to indicate they are a real danger. Is it a menace or an urban myth? Seems to me law enforcement and shelter services might be the best answer to that question. I’m going to check with some professionals to get an opinion. Thanks for the thread.
The main things I “lose” are my eyeglasses, the tube of superglue I was just using, etc. AirTags are too humongous to use for these; I need something I can tape to the inside of a bow on my glasses!
Don’t glue your eyeglasses to your head, Dennis!
I’m very concerned about this and appreciate any insight you have.
My reasoning in this article is that if it were being used on a widespread basis—let’s say, 1,000s of people, even—you would think that the odds of discovery are so high and the publicity around it so high that we should be seeing dozens of credible newspaper and local blog reports, in addition to people posting on Instagram, TikTok, Twitter, etc. The number of reports is very small.
The other thing is that the easiest way I can imagine a domestic, acquaintance, or unknown stalker tracking someone is by tracking their iPhone or Android phone. If someone ever has access to the device, they can add them to Family Sharing or install spyware or malware on an Android device, and have unfettered Internet-based tracking that’s very accurate.
I sometimes forget that everybody in my household can see every single one of my devices at all times! We can’t track as “people” unless we opt in (which we do with our kids), but we can track all of each others’ devices.
Unfortunately there has been quite a bit of news coverage about AirTags being used for stalking, carjacking and theft:
Right, my article has a section about this—but many of the published reports and police warnings are either vague or cite the same source material, like the York Regional Police. The question I raise about an urban myth is not that it’s totally impossible or never happens, but how much is the repetition of stories (sometimes distorted)?
The New York Times article that mentions only well into that one unwanted tracker was placed by a 17-year-old’s mother? I mean, 17: you’re a minor. Your mother can do that. Is it good parenting? I would always use disclosure. But it’s not per se abusive and the interview doesn’t make it sound problematic.
I didn’t see a direct answer to this, so yes, there is an app that you already have on your iDevice named “Find My”. Select “Items” from the bottom of the box that lists People, Devices, Items or Me.
Nor have I and I suspect most people won’t since as explained earlier it has to be there for an extended period, you have to be in a familiar spot and the mystery AirTag must no longer be with it’s owner.
I don’t often lose things either, but there are family members who do, and what I’ve discovered over the years is that things are rarely actually lost, simply misplaced. Like many, we have two sets of keys for our cars. One set was AWOL for almost 2 years. Because of COVID, we’re not out as much, but I lived in fear of being on a family trip without a second key. I also bristled at the idea of paying hundreds of $$$ to have a new key programmed.
Sure enough, the key was recently located in the pocket of a rarely-worn winter coat in our basement closet. I immediately ordered an AirTag to attach to the keys. For me, this kind of scenario is the best use case (for us) for a tracker. Had we used a tracker when the coat was stored, we would’ve found the keys long ago.
We actually did have a Tile tracker on those keys, but it was an earlier model with a non-replaceable battery. For me there were a couple of key reasons why Tile didn’t work for us: the battery issue, and the fact that it relied on other people using the Tile app to be able to locate the tracker. Find Me is much more ubiquitous.
I will be glad to pass on what I learn. One of the problems right now is that the agencies are absolutely hammered - COVID has greatly increased the need of services (people trapped in homes increases isolation and maximizes abusive behaviors) along with funding cutbacks because not-for-profits are struggling for grant and funding support. So it may be a bit before I hear back from some of our contacts. Really appreciate that you have raised the issue. I will get back to you what I find out!
I agree! The main thing I misplace is the pen I always carry, but it is much too small for an Air Tag.
There are a couple of options (none of which I’ve tried yet). There’s Nomad’s holder, which works in most wallets: Card for AirTag | NOMAD®, and Chipolo has an Find My-compatible wallet tracker: Chipolo CARD Spot - Chipolo.
The world has really been waiting for this. My ex would regularly lose her keys. I once lost my wallet for months. I finally got fed up and bought several Trackrs (which never worked too well) when I couldn’t find my wallet for days, and finally found it behind my bed.
This is just the first step. I’m waiting for when they are flat stickers that cost a couple of bucks a piece, and then I will stick them on my books, remotes, and anything else I might misplace (or loan out).
Apple has published a safety guide for Apple Devices: Personal Safety User Guide - Apple Support (CA)
I just did this on my trip home on Monday. When we landed at home, as we taxied to the gate, I checked Find My and it said that my bag was with me in Boston. So, it was able to connect to at least somebody’s phone on the plane, if not mine, into the cargo hold from the passenger cabin.
I also used it when we landed in Charlotte at baggage claim (this was an international flight) and I could see the bag circling the carousel getting closer and closer to me as we approached it. Pretty slick really.
Cool. I’ve used airline apps to track my bags for many years, but they only have city-level granularity - they tell you which plane or airport has your bag (basically, wherever the airline last scanned its tag), but they stop there.
The ability to locate the bag on arrival is a really nice bonus.
Via @jcenters, this story about an alleged domestic stalker planting an AirTag and being caught by the police (unclear if it was while doing it or the police searched his victim’s car): Police: Waterbury man tracked victim’s car with Apple AirTag
Hi Glenn. I’ve not given up on checking with Dom Vio sources with which I am familiar. It is just many of them are really being pushed to the max right now and I don’t want to interrupt the execs in a time when they are dealing with staffing shortages, $$$ shortages and highly increased client needs. Their work right now deserves respect and I would urge people to donate to their local sexual abuse/domestic violence agency as they would most certainly welcome it.
Apple has just released a statement on AirTag tracking that talks more about the problem, what Apple is doing about it as a company, and how it will be tweaking the technology and user experience in the future.
That is a huge number of changes. “Tuning sounds” is interesting—when you compare the Chipolo ONE Spot alert sound to an AirTag, the former feels far louder, though when I used a decibel meter, the peak sounds weren’t that different. It seems like Chipolo uses more noticeable frequencies and a higher amplitude for longer than the AirTag.
Thank you Adam. That is great news!!
Will the anti-stalking measures to make Airtags more noticeable to others when away from their owners cause problems when the owner is using the Airtag to trace luggage or packages shipped.
Luggage is often outside Bluetooth range of the owner and, for most of the trip would not be in an often visited location. Similarly, packages shipped would spend most of their journey away from the sender or recipient or any place they normally visit,
So, the Airtag would frequently beep in these situations. Because of the great nervousness about beeping objects, wouldn’t that cause security protocols to be raised?
The NYTimes had an article today comparing AirTag, Tile, and a GPS tracker called LandSeaAir. (This link should not be behind the firewall.)
Kashmir is an extraordinary writer on privacy and this is a fabulous article that I think uses a little bit of heightened anxiety (though realistic) to sell a very solid, nuanced story. I keep coming back to a question I asked in the article: how many of these has Apple sold? What percentage are being used nefariously? Did Apple sell a million and 500 are being used poorly? Or 100,000 and 50,000? We don’t know!
I also keep coming back to Bitcoin, if you can believe that. One of the worst things to steal is Bitcoin, because it’s so trackable and illiquid. The alleged launderers of the Bitfinex theft from 2016 had apparently been unable to or were too worried to use much of the Bitcoin? And the feds tracked them meticulously through the web of transactions. Because Bitcoin has to be cashed out through an exchange to get fiat currency, there are these enormous choke points.
So with an AirTag, I keep thinking about it this: a stalker buys a serialized piece of equipment, they put their hands on it, they pair it with hardware they own, a sequence of data is stored in Apple’s servers, their iPhone or iPad has an IMEI or other traceable connections via IP address, etc. It’s probably the most trackable way to try to stalk someone. So the people who use it that way are the people most likely to get caught using it that way.
I concur. Despite the click-bait headline and a very strange fear-porn paragraph:
Ummm… It’s not a surveillance state if you’re tracking your own stuff. That phrase should be reserved for cases where the state is tracking you, which is (at least for the moment) not the case for the three products discussed.
That having been said, I thought it was a well-written article and it comes to the same conclusion I came to on my own. AirTags are doing the same thing that others have done in the past. There is increased risk due to the fact that they are more popular than the others, but this is greatly offset by the safeguards Apple is building in to their ecosystem, which other products are not (yet?) doing.
Of course, this is all only relevant for individual people tracking each other.
Once we start discussing government surveillance, there’s no need for such devices. If you have subpoena power, you can contact mobile network operators and track any mobile device as it pings off of towers, and possibly even get them to broadcast their GPS coordinates. Only a person who is trying to hide would keep his phone powered off all the time, since most of us want to be able to receive calls when we’re on the go.
BTW, do you know if Apple makes available to law enforcement (when properly subpoenaed) data from the Find My network? I would assume that they will, if it is technically feasible to do so, but I haven’t heard any discussion about it so far.
I think she could have gone further about, what if police and other governmental bodies use these in unsanctioned ways, illegally or borderline in democracies, and legally or not regulated in dictatorships? The term is probably misplaced in this context.
Fascinating question. Apple’s statement yesterday said they provide AirTag information, but I believe they may be unable by design to produce Find My network tracking details. If police obtained a warranty to examine someone’s iPhone and were able to compel the person to unlock it, that would contain the keys necessary to retrieve Find My network encrypted information—would Apple provide that under warrant?
An interesting development in New York State:
Not exactly a development—just a press release. It seems a little bit overblown! Like it’s a crisis instead of something to be aware of. Most of it is solid consumer advice, though.
Glen, at the end of the day, it really doesn’t matter how many verified reports of stalking there are if none of Apple’s mitigations are actually effective against a determined abuser and is easily reproducible. You may say that an AirTag requires a (burner) iPhone, but that’s only really during initial pairing. And it’s also trivial to create burner Apple IDs. Once paired, all the abuser has to do is dump the phone in the nearest hobo fire barrel to burn away any incriminating forensic evidence and they can access their Apple account from any anonymous proxy like Tor. And then there’s the possibility of a profitable cottage overseas stalkerware market that trades in Stalking-as-a-Service, complete with untraceable AirTags. It seems like the defenders don’t have the same level of imagination as real-world attackers, much like the general state of infosec.
If I had my way, I would go a step further and create a generic device that can track any arbitrary AirTag with the same Precision Finding UWB that iPhones have. Heck, make it an Android app for the most potential reach. Then criminals could use it to actually target valuables people have foolishly slapped these surveillance devices on. Hopefully, that’ll cause people to wake up and abandon this entire product category en masse. The sooner, the better. Even one case of stalking abuse is too many. Apple could, of course, turn on industry-standard unknown AirTag Precision Finding for all Apple and Android devices, but you know they won’t because they value profit margin over customer safety. Perhaps we need to force their hand…
Isn’t that overreacting? How are any of the AirTag competitors dealing with these issues you mention? They usually just don’t. I get the impression Apple is doing far more here than other players in this market. Seems wrong to single out Apple here when they are actually doing most of the heavy lifting when it comes to making it easier for people to protect themselves against those that choose to break the law.
It really isn’t. The power of the Apple AirTag solution doesn’t come from the hardware itself, but the Find My network. After much research, I’ve discovered that AirTag has been found to be notoriously insecure. It doesn’t perform any secure boot checks, the firmware is completely unencrypted, and is easily reflashable such that it can trigger any nearby iDevice to load whatever URL it advertises or dump the full location history from Find My. Even worse, the Find My network isn’t even dedicated only to iDevices. There already exist open-source frameworks that can spoof AirTag locations by replaying their identifiers over Bluetooth and bypass the device pairing requirement. You essentially have “ghost trackers” now. This intrigues me so much, I might actually build one from a BLE dev kit. We don’t even need the U1 chip handshake because this kind of tracking doesn’t require Precision Finding. The whole premise of theft recovery is rendered moot due to this vulnerability. And it’s not something Apple can easily fix without redesigning the AirTag hardware. Seriously, I encourage you to read this security research. It’s kinda mind-blowing. And this is just what we know from last year. Who knows what kind of attacks against the U1 chip itself is known by now? Will we see cheap Chinese clones next year?
P.S. If Google’s doing what I think they’re doing, they may turn on an Android-based Find My style network that could theoretically dwarf Apple’s due to Android’s much larger international install base. I sincerely hope they rethink that strategy in light of the threat model we’re already seeing with Apple’s rollout. I mean, didn’t Google learn from the whole Eddystone beacon spamming debacle? Surreptitious tracking is the next logical conclusion. That’s exactly what places like malls and other public venues were asking for, after all.
Oh, and before I retire for the night, there’s one easy fix Apple could implement right now to solve at least part of the stalking issue. Today, folks can disable the little speaker/buzzer by ripping out the voice coil or just simply removing the permanent magnet. Because it comes with an on-board accelerometer, they could encode a challenge tone into the chirp that can be registered by the accelerometer. If it doesn’t “feel” the challenge tone, it should automatically assume its integrity is compromised and alert all iDevices in the vicinity of this huge red flag. This should be non-negotiable, even for “legitimate” uses.
Some law enforcement agencies are already using AirTags and similar Bluetooth tracking devices to hunt down stolen vehicles and chop shops. I’m pretty sure they didn’t request a warrant to do that cuz it’s not legally considered a “search” in some jurisdictions. The future is already here. The law really needs to catch up.
Sounds like what you’re looking for is an RFID tag. You know, the kind they use to “chip” pets. Some of them even include a built-in antenna that can be remotely interrogated by a handheld reader and can do location and ranging, given the right reader. They use this tech in warehouses all the time.
The link you provided didn’t get into any of that beyond the firmware being unencrypted. What’s your source for the claim that an iDevice will send a request to any URL an AirTag sends it? If they will, that’s equivalent to a malicious URL in a web page (e.g. on a malicious site or in a malicious ad), a repeated vector for phone exploits but much easier to address with software that has a specific purpose (unlike a web browser).
The AirTag doesn’t have its location history, that’s on the AirTag owner’s device, so getting its location history requires some kind of exploit on the iDevice. If someone has an iDevice exploit, the history of an AirTag is much less valuable than what else can be done.
Being able to spoof an AirTag doesn’t matter. It could be used to facilitate the theft of whatever the AirTag is tracking but you know what else does that? Removing the AirTag.
Well, it’s not quite that, but Krebs on Security last September reported on a vulnerability discovered by Bobby Rauch that allowed a hacked AirTag set to lost mode to send a malicious link when somebody who discovers it and attaches to its found page to get instead a malicious link.
I believe that bug has been patched. Brian Krebs reported anyway that Apple intended to patch it.
Today you have learned,
regarding online forums,
opinions can be wild,
looking for sense or
looking for objectivity
sometimes is elusive.
Join the discussion in the TidBITS Discourse forum