Researchers Demonstrate Relay Attack That Spoofs Apple AirTag Locations via Replayed Bluetooth Signals
What Happened – Security researchers captured BLE advertisements from an Apple AirTag, removed its battery, and replayed the signals from remote locations using custom transmitters and an internet‑backed relay server. The spoofed signals caused nearby Apple devices to report false locations to the Find My network, displaying fabricated positions in the owner’s app.
Why It Matters for TPRM –
- Reliance on Apple’s Find My network for asset tracking can be subverted, exposing organizations to location‑based deception.
- The attack demonstrates a design weakness in the encrypted reporting protocol that cannot verify the authenticity of a location claim.
- Third‑party services that integrate AirTag data (e.g., logistics, field service) may inherit this vulnerability.
Who Is Affected – Consumer electronics users, enterprises that employ AirTags for asset or personnel tracking, logistics providers, and any third‑party service that leverages Find My data.
Recommended Actions – Review any reliance on Apple AirTag or Find My for critical tracking; implement monitoring for anomalous location jumps; consider alternative, tamper‑resistant tracking solutions; engage Apple for roadmap mitigations and firmware updates; educate users on potential misuse.
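One way to implement the "anomalous location jumps" monitoring recommended above, as an added example that is not from the original report or from Apple. It assumes location history is already available as `(tracker_id, ISO timestamp, lat, lon)` tuples from your own asset system; the tracker IDs, thresholds and sample rows are constructed for illustration.

```python
import math
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling (about airliner cruise speed); tune per asset class
MIN_JUMP_KM = 1.0          # assumed noise floor: ignore jitter between nearby finder devices

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def find_location_jumps(reports, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_JUMP_KM):
    """Flag consecutive reports per tracker whose implied travel speed is implausible."""
    alerts, last_seen = [], {}
    ordered = sorted(reports, key=lambda r: (r[0], datetime.fromisoformat(r[1])))
    for tracker, ts, lat, lon in ordered:
        t = datetime.fromisoformat(ts)
        prev = last_seen.get(tracker)
        last_seen[tracker] = (t, lat, lon)
        if prev is None:
            continue
        km = haversine_km(prev[1], prev[2], lat, lon)
        if km < min_km:
            continue
        hours = (t - prev[0]).total_seconds() / 3600
        # Two distant reports with the same timestamp imply infinite speed.
        kmh = km / hours if hours > 0 else math.inf
        if kmh > max_kmh:
            alerts.append({"tracker": tracker, "at": ts, "km": round(km, 1), "kmh": kmh})
    return alerts

# Constructed sample history (not real tracking data).
SAMPLE_REPORTS = [
    ("tag-01", "2024-01-10T09:00:00", 52.5200, 13.4050),   # Berlin
    ("tag-01", "2024-01-10T09:20:00", 52.5230, 13.4110),   # same neighbourhood
    ("tag-01", "2024-01-10T09:30:00", 48.8566, 2.3522),    # Paris, 10 minutes later
    ("tag-02", "2024-01-10T09:00:00", 40.7128, -74.0060),  # New York
    ("tag-02", "2024-01-10T17:00:00", 51.5074, -0.1278),   # London, 8 hours later (plausible flight)
]

if __name__ == "__main__":
    for alert in find_location_jumps(SAMPLE_REPORTS):
        print(alert)
```

A flagged jump is a signal to corroborate the position through another source, not proof of spoofing, since the reports themselves carry nothing that distinguishes a relayed signal from a genuine one.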
Technical Notes – The attack exploits the Find My protocol’s inability to validate the provenance of BLE‑derived location reports. Replay is possible for up to seven days if the AirTag’s battery is removed, bypassing daily key rotation. No CVE has been assigned yet.
Source: Help Net Security