Tracking You from a Thousand Miles Away! Turning a Bluetooth Device into an Apple AirTag Without Root Privileges

George Mason University
USENIX Security 2025

Attacking billions of devices


An address confusion vulnerability in the Find My network allows a remote attacker to turn your device, whether it's a desktop, smartphone, or smartwatch, into an AirTag-like tracker, enabling the attacker to track your location. How does it work? Over 1.5 billion iPhones could act as free tracking agents for the attacker worldwide.

What Is This All About?

Imagine someone could turn your laptop, smartphone, or even your gaming console into a tracking device without your knowledge. Our research team discovered a way this can happen through Apple's Find My network - the same system that helps people find their lost iPhones and AirTags. The Find My network uses over a billion Apple devices worldwide. When an AirTag is lost, it sends out Bluetooth signals that nearby iPhones pick up. These iPhones then secretly report the AirTag's location to Apple's cloud, allowing the owner to see where their lost item is. We found a security problem that lets hackers use this system to track almost any device with Bluetooth capabilities - not just Apple products. We call this attack "nRootTag."

Who Would Be Interested?

Many different groups might be interested in using this tracking technology, each for their own purposes:

Marketing and advertising companies could use this to track consumer movement patterns without having to install expensive tracking equipment in stores. By understanding where people go and how much time they spend in different locations, they can create more targeted advertising campaigns.

Shopping apps and social media platforms might use this technology to track users' locations without explicitly asking for GPS permission. They could learn where you shop, what restaurants you visit, and other habits to send you personalized recommendations and ads. This data becomes extremely valuable when combined with your online browsing and purchasing history.

Data brokers and analytics firms collect and sell information about consumers. This tracking method would give them another source of valuable location data to enhance their profiles about individuals, which they then sell to other businesses, political campaigns, or anyone willing to pay.

Government intelligence and law enforcement agencies might be interested in this technology for surveillance purposes. They could potentially track specific individuals by getting them to install software containing this tracking code. Unlike traditional tracking methods, this approach wouldn't require physical trackers or direct access to cell tower data.

Hackers and cybercriminals could use this tracking to identify when valuable devices are away from secure locations or to determine when people aren't home. This information could help them plan more effective device thefts or home break-ins. The method is particularly attractive because it's difficult to detect and doesn't require expensive equipment.

Stalkers and people with harmful intent might use this technology to track specific individuals. Unlike physical trackers that might be discovered, this software-based approach is virtually undetectable to the average person.

What Are the Prerequisites?

For someone to track your device using this method, they would need:

1. Malicious app installed. The attacker needs to get you to run their software on your device. This could happen if you download an app that secretly contains tracking code, or if the software is planted via a USB drive.

2. BLE capability. Your device must have Bluetooth hardware, and it must be turned on, which is usually the case. Most modern laptops, phones, and many other gadgets have Bluetooth, and after device activation, the Bluetooth remains turned on by default. Unfortunately, users of Linux, Windows, and Android (versions before 13) cannot prevent Bluetooth from being turned on. This is due to a system feature that allows applications to turn on Bluetooth without user interaction.

3. Surrounded by the Find My network. There must be Apple devices (iPhones, iPads, etc.) passing near your device occasionally to pick up and relay the tracking signals, whether on the ground or in the air.

Which Devices Can Be Attacked?

Devices with Bluetooth Low Energy could be affected, including: laptops and desktop computers running Windows, Linux, or older versions of macOS; Android smartphones and tablets; gaming consoles like the Steam Deck; smart TVs from manufacturers like Sony; virtual reality headsets like the Meta Quest; Raspberry Pi and other small IoT computing devices; and other Bluetooth-enabled devices like e-bikes and scooters.

How Does It Work?

Attack architecture

The attack works in four main steps:

1. A piece of malicious software (which we call a "Trojan") runs on your device and gets information about your device's Bluetooth address.

2. This software connects to a server controlled by the attacker, which performs complex calculations to create a special key that matches your device's Bluetooth identity.

3. Your device then starts broadcasting signals that make it look like an AirTag to nearby Apple devices.

4. Any iPhones or iPads participating in Find My that pass nearby will pick up these signals and report the location to Apple's cloud, thinking they're helping someone find a lost AirTag. The attacker can then access these location reports.

The attacker doesn't need to be anywhere near you - they can track your location from thousands of miles away as long as there are Apple devices passing near you.
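A defensive check for step 3 above, as an added example that is not from the paper or the authors' code: it scans captured BLE advertising payloads for Find My lost-device frames sent from addresses in your own device inventory. The frame layout (Apple company ID 0x004C, subtype 0x12, length 0x19) follows the public OpenHaystack description and is an assumption here; the inventory, addresses and sample payloads are constructed.

```python
# Added example; addresses, inventory and payloads below are constructed.
APPLE_COMPANY_ID = 0x004C    # Bluetooth SIG company identifier for Apple
OFFLINE_FINDING_TYPE = 0x12  # assumption: subtype per public OpenHaystack docs
OFFLINE_FINDING_LEN = 0x19   # assumption: 25 bytes follow the subtype header

def ad_structures(payload: bytes):
    """Yield (ad_type, data) for each length-prefixed AD structure."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            return  # zero padding or a truncated structure: stop parsing
        yield payload[i + 1], payload[i + 2 : i + 1 + length]
        i += 1 + length

def is_lost_device_adv(payload: bytes) -> bool:
    """True if the payload carries an Apple offline-finding frame."""
    for ad_type, data in ad_structures(payload):
        if ad_type != 0xFF or len(data) < 4:  # 0xFF = manufacturer-specific data
            continue
        company = int.from_bytes(data[:2], "little")
        if (company == APPLE_COMPANY_ID
                and data[2] == OFFLINE_FINDING_TYPE
                and data[3] == OFFLINE_FINDING_LEN
                and len(data) == 4 + OFFLINE_FINDING_LEN):
            return True
    return False

def audit(captures, inventory):
    """Return names of inventoried devices seen emitting lost-device frames."""
    hits = []
    for addr, payload in captures:
        name = inventory.get(addr.upper())
        if name and is_lost_device_adv(payload) and name not in hits:
            hits.append(name)
    return hits

# Constructed inventory of non-Apple hosts and a constructed scan capture.
INVENTORY = {"00:11:22:33:44:55": "build-laptop", "66:77:88:99:AA:BB": "kiosk-pi"}
FIND_MY = bytes([0x1E, 0xFF, 0x4C, 0x00, 0x12, 0x19, 0x00]) + bytes(24)
IBEACON = bytes([0x1A, 0xFF, 0x4C, 0x00, 0x02, 0x15]) + bytes(21)
BENIGN = bytes([0x02, 0x01, 0x06, 0x06, 0x09]) + b"kiosk"
CAPTURES = [("00:11:22:33:44:55", FIND_MY), ("66:77:88:99:aa:bb", BENIGN),
            ("00:11:22:33:44:55", IBEACON), ("C0:FF:EE:00:00:01", FIND_MY)]

if __name__ == "__main__":
    print(audit(CAPTURES, INVENTORY))
```

The inventory filter matters because genuine lost tags nearby emit the same frame type; only a frame from one of your own non-Apple hosts is the anomaly.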

How Accurate Is the Tracking?

Our tests showed that in homes and offices, the tracking can be accurate within 3 meters (about 10 feet). Even on a moving e-bike, the system could track location within about 50 meters. We even tested it on an airplane, and while the accuracy was lower (about 70 meters), it was still good enough to reconstruct the entire flight path and identify the flight number. The time it takes to get the first location report is typically between 6-15 minutes, depending on how many Apple devices are nearby.

How Practical is the Attack?

The attack does not rely on hypothetical future supercomputers; it can be carried out with today's hardware. For a single-use attack, the cost is equivalent to a bottle of soft drink (~$2.2). The cost can be further reduced if the attacker targets a large number of devices, particularly Linux systems. Attackers can store every key for Linux on a single hard drive at a cost of $600. The attack is surprisingly time-efficient. Once set up, an attacker can locate a device within minutes. The attack is also stealthy. The attacker can set the tracking signal to appear as a MacBook, which Apple considers "irrelevant" for tracking purposes, avoiding unwanted tracking alerts. In summary, this attack combines affordability, speed, stealth, and scalability, making it a serious privacy concern for users of Linux, Windows, and Android devices with Bluetooth capabilities.

Has This Problem Been Fixed?

Apple released patches in December 2024 (iOS 18.2, visionOS 2.2, iPadOS 17.7.3 and 18.2, watchOS 11.2, tvOS 18.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2, macOS Sequoia 15.2) to fix this vulnerability.

However, the attack remains effective as long as there are unpatched iPhones or Apple Watches near the tracked device. Since many people don't update their devices right away, this vulnerability could remain exploitable for some time.

Apple security update

Apple acknowledgement

How Can I Protect Myself?

To protect yourself from this kind of tracking:

Install apps from trusted sources. Be careful about what apps you install, and only download apps from trusted sources.

Manage Bluetooth permissions. Be cautious about giving Bluetooth permissions to apps that don't obviously need them. When not using Bluetooth, consider revoking applications' Bluetooth permission.

Install security patches. Keep your devices updated with the latest security patches to reduce the risk of being attacked through known vulnerabilities. Apple users can also help protect others by updating their devices, which reduces the vulnerable Find My network coverage.

About Our Research

This work was supported in part by the US National Science Foundation (NSF) under grants CNS-2304720, CNS-2310322, CNS-2309550, and CNS-2309477. It was also supported in part by the Commonwealth Cyber Initiative (CCI). Our goal in publishing this information is to raise awareness about privacy risks in widely used technology and to encourage better security practices.

BibTeX


@inproceedings{chen2025track,
title={Tracking You from a Thousand Miles Away! Turning a Bluetooth Device into an Apple AirTag Without Root Privileges},
author={Chen, Junming and Ma, Xiaoyue and Luo, Lannan and Zeng, Qiang},
booktitle={USENIX Security Symposium (USENIX Security)},
year={2025}
}