Apple AirTag and Samsung SmartTag Security

The new paper Securing the Invisible Thread: A Comprehensive Analysis of BLE Tracker Security in Apple AirTags and Samsung SmartTags by Hosam Alamleh, Michael Gogarty, David Ruddell, and Ali Abdullah S. AlQahtani looks into the security of Bluetooth Low Energy (BLE) trackers, particularly Apple AirTags and Samsung SmartTags. The research identifies a broad range of attack vectors, including physical tampering, firmware exploitation, signal spoofing and cloud-related vulnerabilities. It examines the security measures and cryptographic methods used in these devices, revealing that while they provide considerable utility, they also introduce significant security risks.

Apple AirTags and Samsung SmartTags differ in their approach to security and privacy. Apple prioritises user privacy, leading to authentication challenges and successful AirTag spoofing instances. Samsung’s design aims to prevent beacon spoofing but raises concerns about cloud security and privacy. The study highlights the trade-off between battery life and security in the design of Bluetooth trackers, noting the absence of secure boot processes as a vulnerability.

The paper concludes that future developments in Bluetooth tracking technology will likely focus on enhancing security features. This is crucial as these devices become more integrated into the IoT ecosystem and subject to evolving privacy regulations. The research underscores the importance of addressing the security challenges presented by BLE trackers to balance functionality and security in next-generation systems.

Are Apple AirTags iBeacons?

While AirTags use Bluetooth (and Ultra Wideband, UWB), the Bluetooth transmission isn’t in iBeacon format. The advertising payload is more complex and involves a rotating key scheme for enhanced privacy and security.

The Find My mechanism has been reverse engineered by the Secure Mobile Networking Lab of the Technical University of Darmstadt.
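As an added example (not code from this post, from OpenHaystack or from Apple), the following Python parser tells an iBeacon frame from an AirTag-style Find My frame in raw Apple manufacturer data, and shows why a passive gateway that can fingerprint an iBeacon cannot keep a fixed identity for a Find My tag across key rotations. The Find My byte layout (type 0x12, length 0x19, the 28-byte key split between the random BLE address and the payload) is taken as an assumption from the Darmstadt reverse engineering, and all sample frames are constructed.

```python
# Added example, not code from the post or OpenHaystack: parse the manufacturer
# data (AD type 0xFF) of a BLE advertisement and tell an iBeacon frame from an
# Apple Find My frame. The Find My layout is assumed from the Darmstadt research.
import uuid
from dataclasses import dataclass

APPLE_ID = 0x004C
IBEACON_TYPE, IBEACON_LEN = 0x02, 0x15  # UUID(16) major(2) minor(2) txpower(1)
FINDMY_TYPE, FINDMY_LEN = 0x12, 0x19    # status(1) key[6:28](22) keybits(1) hint(1)

@dataclass(frozen=True)
class IBeacon:
    uuid: uuid.UUID
    major: int
    minor: int
    tx_power: int

@dataclass(frozen=True)
class FindMy:
    status: int
    public_key: bytes  # 28-byte key for the current rotation period

def parse_apple_adv(mfg: bytes, bd_addr: bytes):
    """bd_addr is the 6-byte advertiser address, most significant byte first."""
    if len(mfg) < 4 or int.from_bytes(mfg[:2], "little") != APPLE_ID:
        return None
    typ, length, body = mfg[2], mfg[3], mfg[4:]
    if typ == IBEACON_TYPE and length == IBEACON_LEN == len(body):
        return IBeacon(uuid.UUID(bytes=body[:16]),
                       int.from_bytes(body[16:18], "big"),
                       int.from_bytes(body[18:20], "big"),
                       int.from_bytes(body[20:21], "big", signed=True))
    if typ == FINDMY_TYPE and length == FINDMY_LEN == len(body):
        # Key bytes 0..5 travel in the random BLE address, whose top two bits
        # are forced to 0b11; the original two bits are carried in body[23].
        first = bytes([(bd_addr[0] & 0x3F) | (body[23] & 0xC0)]) + bd_addr[1:6]
        return FindMy(status=body[0], public_key=first + body[1:23])
    return None
# Constructed samples: one iBeacon seen twice, one Find My tag seen in two
# rotation windows, i.e. with two different keys. Nothing here is a real device.
IBEACON_FRAME = bytes.fromhex("4c000215e2c56db5dffb48d2b060d0f5a71096e000010002c5")
KEY_A = bytes([0x41, 2, 3, 4, 5, 6]) + bytes(range(0x07, 0x1D))
KEY_B = bytes([0x81, 9, 8, 7, 6, 5]) + bytes(range(0x30, 0x46))
def findmy_frame(key: bytes):  # (mfg_data, bd_addr) as a tag advertises one key
    mfg = b"\x4c\x00\x12\x19\x00" + key[6:28] + bytes([key[0] & 0xC0]) + b"\x00"
    return mfg, bytes([key[0] | 0xC0]) + key[1:6]
def distinct_identities(observations):
    """Count the devices a passive gateway can tell apart from (mfg, addr) pairs."""
    return len({parse_apple_adv(m, a) for m, a in observations} - {None})
```

With the samples above, the iBeacon seen twice counts as one device, while the same Find My tag seen in two rotation windows counts as two, which is exactly the identification problem a gateway-based locating system runs into.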

The researchers have an open source framework called OpenHaystack on GitHub that demonstrates how to create your own tracking tags by installing Bluetooth firmware on Linux, ESP32 or Nordic nRF51.

If you are a manufacturer wanting to use the Find My mechanism, you shouldn’t rely on reverse engineering that can change and should instead join Apple’s Find My network accessory program.

The Power of the AirTag

Apple announced AirTag this week. Many commentators are asking what’s different or better than Tile and other Bluetooth trackers. Some are even asking why Apple is such an innovative company.

While the accuracy of finding is better for the relatively few Apple iPhones that have the Ultra Wideband (UWB) U1 chip, this isn’t likely to be the main advantage and will in any case be lost on most potential buyers. Similarly, Apple’s claim that it’s private and secure is unlikely to be important or seem significant in most scenarios.

Instead, the power of the AirTag will not come from the technical aspects of the physical AirTag but from being part of the Apple ecosystem. The problem with Tile and other trackers is that the range is only local, typically about 50m. When a tag is lost outside that range, the system relies on other users’ phones to detect it. This previously hasn’t worked because there haven’t been enough users. The power of the AirTag will be the reach of the Apple device network, which no other tag manufacturer will be able to match.

This isn’t to say AirTags will replace iBeacon and Eddystone beacons. AirTags are only for tracking and are more for finding personal things rather than, say, assets in a warehouse or factory. AirTags only identify themselves; they don’t sense like sensor beacons. While they can be seen by Bluetooth gateways, the privacy and security features will thwart identification and use in real-time locating systems. AirTags are only a very small, proprietary and closed part of the tracking and sensing ecosystem.

Apple Tag – a Tile-like Device

In our previous post on Apple WWDC and the ‘Find My’ feature, we explained how using other people’s phones to find your devices is much like Tile (and other tracking beacons). However, there’s evidence that Apple might also be creating their own, separate, Tile-like device. 9to5Mac also have some further speculations.

It’s also interesting that Apple are changing the API for looking for beacons. CLBeaconRegion has become CLBeaconIdentityConstraint. The functionality currently remains the same in that you can filter by UUID/major/minor. However, renaming the API to make it more generic suggests it might eventually also be used for something else, possibly the Apple tag.

While devices such as the Tile are great, finding items remotely relies on lots of people having the Tile app so that someone else’s phone can see your Tile. While the Tile network is large at 15 million trackers, it will never be large enough to reliably find things. Apple has a much greater reach to make such a scheme more successful. Tracking things such as your lost car or dog becomes far more feasible.

An observation is that Google Android has a substantially greater reach, offering Google the opportunity to offer something similar that is more reliable (due to the sheer number of devices) but more open, as they did with Bluetooth Eddystone vs iBeacon. Taking this idea further, it’s a shame there isn’t an open Bluetooth tracking system or standard, for example one championed by the Bluetooth SIG.

September 2019 Update: It looks like Apple will be using UWB rather than Bluetooth, making the solution more accurate and more proprietary. If true, it will eventually compete with Bluetooth Direction Finding.

May 2020 Update: The device will be called AirTag.