The Mac Security Blog

Security & Privacy

Apple’s AirTags Can Enable Stalkers and Abusers

Posted on May 18th, 2021 by

Apple’s new AirTags are clever devices. You can track your keys, your luggage, and much more with them, using Apple’s Find My app, and leveraging a swarm of nearly one billion iOS devices across the planet.

But there is a real risk that stalkers can take advantage of AirTags to find where people live and to follow them around. And that abusers can keep tabs on spouses and partners, without the latter being aware of this tracking.

AirTag anti-stalker features

Tracking items calls for a careful balance of surveillance and privacy. Apple is well aware of the risk inherent in a small, battery-powered device able to beam its location to a network of other devices, in order to pinpoint its location. Because of this, AirTags have several features to help users discover if they’re being tracked.

If an AirTag is away from its owner and moving with you for more than three days, it displays an "AirTag Found Moving With You” alert on an iPhone. This alert allows you to tell the AirTag to play a sound so you can find it. This AirTag may be with you legitimately; you could have borrowed a friend’s or spouse’s car, and have their keys, for example. If this is the case, you can follow the instructions in the alert to disable the AirTag and stop sharing its location.

Also after three days, if an AirTag that is not yours has been away from its owner, and is moved, it will play a sound. Here’s a video that Apple made with the sounds that AirTags can make:



It’s worth noting that they don’t include the "after three days" sound in the video, but, as you can hear, all the sounds are similar.

Finally, if you find an AirTag, hold the top of your iPhone near the AirTag and you’ll get a notification, directing to to a web page.

You’ll be able to find the serial number of the AirTag, and, if the owner has marked it as lost and left a phone number or email address, you can contact them. You’ll also see how to disable the AirTag.

How stalkers can use AirTags

In the real world, the above protections won’t do much against stalkers or abusers. There are a number of scenarios where someone can use an AirTag to track or locate someone without any of these protections making a difference.

Finding where someone lives

If you want to find where someone lives, this is easy. Just slip an AirTag into their bag or pocket. You could do this to a co-worker in the office, or to a stranger you meet in a bar, or you could drop it in someone’s gym bag. You can then track that person for up to three days before they get a notification. And if they leave the bag or coat at home and don’t move it, they might not get any alerts. Note that their iPhone also needs to be running iOS 14.5 or later to receive these alerts. And users of Android phones won’t get any alerts at all.

This can even work if you send an AirTag in a package to someone to their post office box or office address. When they take the package home, their location – though not their exact address – will be visible. If the AirTag is inside something, such as a plush toy, the person won’t see it. I sent an AirTag by mail to a friend, and was able to track its progress easily, and see its final location. Naturally, I knew his address, but if I had sent it to a PO box, and he took it home, I would have discovered his location.

If the person does find the AirTag, then they have some options. They can disable it, as explained above, and, if they think they’re being stalked, they can contact their local police. If the police have the resources to follow up on this, having the serial number can help track the owner of the AirTag, since it’s linked to the owner’s Apple ID. But anyone could buy a cheap iPhone to use as a burner, and create a new Apple ID, if they wanted to use an AirTag without being trackable.

However, there may be cases when victims of abuse are too afraid to contact the police, or even to throw away the AirTag. In such cases, the AirTag becomes a lojack that is hard to get rid of.

Tracking someone daily

Victims of abuse may have spouses or partners who want to track them. This is already possible if they have an iPhone and share their location, which provides real-time location tracking in the Find My app. But even without this location tracking, planting an AirTag on someone – in their bag, pocket, or even in their car – allows malicious people to track someone nearly permanently.

Since the AirTag only generates an alert after three days, if the person being tracked comes home each day, and is in proximity of the iPhone the AirTag is registered with, that resets the alarm countdown.

Apple’s choice of three days before alerts are given seems away too long; I think the default should be a few hours. If someone is aware that they have an AirTag that belongs to someone else – such as if they’ve borrowed car keys – then they can turn off alerts for that AirTag after that first warning. If not, it’s better for them to know they’re being tracked as soon as possible.

Note that you can turn off what Apple calls Item Safety Alerts entirely, and, if you do, you won’t get alerts when an AirTag is near you. This setting is in the Find My app on the Me tab.

It’s possible that someone with access to someone else’s iPhone may turn this setting off, but if that person has access to the iPhone, they will have other ways of tracking someone, such as turning on location sharing.

The AirTag is a powerful device for tracking and finding items, but with that power comes responsibility. Apple needs to make it much easier for people to know when they’re tracked, to protect people who are stalked or abused.

 

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

We discussed how AirTags can enable stalkers and more in episode 188 of the Intego Mac Podcast.

You can also subscribe to our e-mail newsletter and keep an eye here on Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Facebook, Instagram, Twitter, and YouTube.

About Kirk McElhearn

Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn. View all posts by Kirk McElhearn →