Google announced in a blog post today that it and Apple were leading an industry coalition (that includes smaller item-tracking players like Samsung, Tile, and others) to develop a specification for Bluetooth Low Energy (BLE) tracking devices. These devices, like Apple’s popular AirTag, are small BLE emitters that use public key cryptography and a network of “finding” devices to tell you where your tag is when you’re not around.
Soon after AirTags were released, malicious users discovered that they could be put to use as low-cost tracking devices. Women reported finding AirTags in their cars or purses. To keep AirTags from being used as cost-efficient stalking devices, Apple implemented a notification that appears on a user’s iOS device if a “lost” AirTag has been moving around with them for an extended period of time. I’ve been involved with some research on the topic along with many others, and unfortunately, the tracking detection and notification system Apple designed is easily subverted.
To combat the location privacy threat posed by these devices, Google and Apple have teamed up to standardize what item trackers broadcast over BLE in an IETF RFC draft specification. While it’s positive that they’re taking seriously the threat their item trackers pose to people, this attack didn’t exist before Apple started pumping out $20 tracking devices the size of a quarter. So, before we go about heaping too much praise on these tech companies for “combat[ing] unwanted tracking across iOS and Android,” according to Ron Huang, Apple’s vice president of Sensing and Connectivity, let’s remember that they’re the ones that introduced the attack in the first place.