HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Researchers Demonstrate Relay Attack That Spoofs Apple AirTag Locations via Replayed Bluetooth Signals

Security researchers have shown that Apple AirTag location data can be falsified by capturing and replaying BLE advertisements over the internet. The spoofed signals cause the Find My network to display fabricated positions, exposing a design weakness that could be abused for stalking or asset‑tracking deception.

LiveThreat™ Intelligence · 📅 April 18, 2026· 📰 helpnetsecurity.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
5 recommended
📰
Source
helpnetsecurity.com

Researchers Demonstrate Relay Attack That Spoofs Apple AirTag Locations via Replayed Bluetooth Signals

What Happened – Security researchers captured BLE advertisements from an Apple AirTag, removed its battery, and replayed the signals from remote locations using custom transmitters and an internet‑backed relay server. The spoofed signals caused nearby Apple devices to report false locations to the Find My network, displaying fabricated positions in the owner’s app.

Why It Matters for TPRM

  • Reliance on Apple’s Find My network for asset tracking can be subverted, exposing organizations to location‑based deception.
  • The attack demonstrates a design weakness in the encrypted reporting protocol that cannot verify the authenticity of a location claim.
  • Third‑party services that integrate AirTag data (e.g., logistics, field service) may inherit this vulnerability.

Who Is Affected – Consumer electronics users, enterprises that employ AirTags for asset or personnel tracking, logistics providers, and any third‑party service that leverages Find My data.

Recommended Actions – Review any reliance on Apple AirTag or Find My for critical tracking; implement monitoring for anomalous location jumps; consider alternative, tamper‑resistant tracking solutions; engage Apple for roadmap mitigations and firmware updates; educate users on potential misuse.

Technical Notes – The attack exploits the Find My protocol’s inability to validate the provenance of BLE‑derived location reports. Replay is possible for up to seven days if the AirTag’s battery is removed, bypassing daily key rotation. No CVE has been assigned yet. Source: Help Net Security

📰 Original Source
https://www.helpnetsecurity.com/2026/04/17/apple-airtag-relay-attack-location/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →