Outing German spy agencies by mailing them Airtags

A threat-model parable.

Cory Doctorow
3 min readFeb 15, 2022
A product shot of Apple’s Airtag; superimosed on it in meme-style all-caps Impact is ‘SNITCHES GET STITCHES.’ Image: Apple https://www.apple.com/airtag/

Apple’s Airtags are an ingenious technology: they fuse every Ios device into a sensor grid that logs the location of each tag, using clever cryptography to prevent anyone but the tag’s owner from pulling that information out of the system.

But there are significant problems with Airtags’ privacy model. Some of these are unique to Apple, others are shared by all Bluetooth location systems, including Covid exposure-notification apps and Airtag rivals like Tile.

For example, minute imperfections in these devices’ Bluetooth radio circuitry make it possible to uniquely identify them without having to bypass their encryption, simply by tracking the signature “fingerprint” of each radio:

https://pluralistic.net/2021/10/21/sidechannels/#ble-eding

That’s an attack on the device’s owner. But tracker tags also enable attacks by the device’s owner. For example, there’s a thriving market for Airtags whose speakers have been disabled (the speakers emit a chirp that is supposed to warn people if they are being tracked by someone else’s Airtag):

https://9to5mac.com/2022/02/03/airtags-with-deactivated-speakers-being-sold/

Even without gimmicked speakers, tracking people with Airtags (and their competitors) is frighteningly easy. The New York Times’ Kashmir Hill (consensually) tracked her husband around Manhattan with a constellation of these bugs.

https://www.nytimes.com/2022/02/11/technology/airtags-gps-surveillance.html

Even with the chirping speakers, her husband — a press privacy advocate with a strong technical background — struggled to locate and de-activate the Airtags. Hill reports that many people — particularly women — are finding Airtags hidden in their cars, clothes and elsewhere.

The far-reaching surveillance potential of these trackers was driven home by a stunt/investigation carried out by Lilith Wittmann, who confirmed her suspicion that a German government agency was a front for a spy operation, by mailing Airtag-bugged packages to it and watching as they were relayed to facilities used by the intelligence services (“the Office for the Protection of the Constitution”).

https://lilithwittmann.medium.com/bundesservice-telekommunikation-enttarnt-dieser-geheimdienst-steckt-dahinter-cd2e2753d7ca

It’s a fascinating new operational security wrinkle that relies on the popularity and ubiquity of Apple’s Ios devices; foiling it requires not just that a spy facility be mobile-phone-free, but that all the facilities that deliver its mail also adopt this measure.

Image:
Apple
https://www.apple.com/airtag/

Cory Doctorow (craphound.com) is a science fiction author, activist, and blogger. He has a podcast, a newsletter, a Twitter feed, a Mastodon feed, and a Tumblr feed. He was born in Canada, became a British citizen and now lives in Burbank, California. His latest nonfiction book is How to Destroy Surveillance Capitalism. 1His latest novel for adults is Attack Surface. His latest short story collection is Radicalized. His latest picture book is Poesy the Monster Slayer. His latest YA novel is Pirate Cinema. His latest graphic novel is In Real Life. His forthcoming books include Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid (with Rebecca Giblin), a book about artistic labor market and excessive buyer power; Red Team Blues, a noir thriller about cryptocurrency, corruption and money-laundering (Tor, 2023); and The Lost Cause, a utopian post-GND novel about truth and reconciliation with white nationalist militias (Tor, 2023).

--

--

Cory Doctorow
Cory Doctorow

Written by Cory Doctorow

Writer, blogger, activist. Blog: https://pluralistic.net; Mailing list: https://pluralistic.net/plura-list; Mastodon: @pluralistic@mamot.fr

Responses (4)