Suppose someone finds a lost key ring with an AirTag attached. Is there any way this finder could use the AirTag to extract information about past locations that the key ring has been in? If so, AirTags would pose a serious security weakness, because it would allow the finder to find out which house the keys have mostly been at (and are therefore likely to unlock).
AIUI, the technology behind AirTags is that they use Bluetooth to tell whatever iPhone is around that that phone should, on the AirTag’s behalf, communicate the phone’s location (which by extension is also the AirTag’s location) to some server. This means there is no flow of information from the phone to the AirTag which is somehow stored in the AirTag and could be retrieved by the finder?
No, because there isn’t anything to extract. The AirTag itself doesn’t store location data or location history. As you mentioned, it’s the finding device that gathers the location data.
There is one and only one case where I get a display of an AirTag’s route: there is an anti-stalking functionality in the AirTag system where I get an alert if another person’s AirTag has travelled along with me for some time/distance. My wife and I both have AirTags on our keyrings; when we have taken a long walk together we often both get stalking alerts that the other’s AirTag has moved along. When I bothered to look at the alert in the app I saw a rough route where that AirTag has moved with me. But, that is no new information to me because the alert is predicated on me having moved on the same route.
Other than that, I cannot even trace past positions of my own AirTags.
(As an aside: I understand the use case of the stalking alert function, but on the other hand it makes AirTags almost useless for anti-theft use, unless the thief has neither an iPhone nor an Android phone with Apple’s anti-stalking app loaded.)
I’m not equipped to answer the questions, but maybe I can help sharpen them enough to be answered by somebody.
It’s important to distinguish here between what Apple will show an ordinary non-technical user about AirTag history, and what information might be collected by Apple but saleable to 3rd parties, and what information might be on the AirTag itself and accessible to either basic or highly skilled hackers.
There might be none of those other things, but assuming that what naïve end-users can see on their own Apple devices is the entire story isn’t necessarily all there is either.
Clearly something is storing at least some of the recent history of each and every AirTag’s trajectory. Otherwise the app could not produce the anti-stalking trail.
IMO the question(s) are:
Where is that data kept?
If not locally on the “stalked” person’s phone, how well is that data secured wherever it is?
Does possession of a stolen or lost AirTag give the finder any leg up on getting to that history wherever it is?
I’m not sure I follow. Pretend I’m a thief who has an iPhone. Now I find or steal your keys with your AirTag attached. As I drive away, I start getting alerts that you are stalking me. I’m not surprised; your keys are in my pocket. How does the anti-stalking feature deter or impede theft? You, the rightful owner, are not the one getting alerts.
For sure, the basic AirTag function means that you can ask Apple, “Where’s my AirTag?” and get an answer. That is theft-deterrent, not theft-assistive. As a bad guy, I’m being stalked by you until I find and disable or dispose of your AirTag. Even if my phone’s off, there might be another iPhone nearby tattling on me.
It means that if someone steals my laptop bag, with an airtag hidden in some pocket, the thief will get a warning that they’re being stalked, which will give them a chance to ditch the tag.
Maybe that means searching the bag and discarding the tag, maybe it means ditching the bag and keeping the laptop.
But either way, it makes me recovering my bag less likely.
The airtag does not even know where it is now. All that information is detected by Bluetooth-enabled Apple devices (laptops, phones, and so on) and uploaded to private servers. You need certain private keys to query the servers for its current position, to say nothing of historical data.
Detecting an airtag that is “stalking” you is trivial: just scan for nearby Bluetooth devices and look for the Airtags, Samsung tags, and so on.
If you are thinking of getting them, the round white Airtags seem solidly constructed, water resistant, good battery life (if you use brand-name cells). It is certainly possible to hack an Airtag and dump its flash memory, but I have not heard of any bad security vulnerabilities along the lines of random strangers can trace it back to your house (the tag does not have that information anyway).
Ahh, now I see. Thank you. That makes complete logical sense.
OTOH …
If I’m a bad guy, I ought to be aware of the possibility of AirTags. And take steps to keep at least my own phone (and any companions’) offline until I can find or neutralize them. Yes, the anti-stalking feature will smarten up a clueless inexperienced thief who leaves their phone on, but I think word gets around pretty quickly in that milieu. Early adopters 10 years ago might have had a reasonable expectation of fooling a clueless thief. Nowadays IMO that ship has long sailed.
If the bag is discarded with the airtag, then you have a good chance of finding your bag, but a poor chance of finding whatever was valuable in the bag which is now separated from the bag. I also don’t know that it makes it less likely, because if your bag is stolen without a tracker, then you don’t have any idea where it is.
There is also a delay before an airtag will show up as “stalking.” I believe it has to be away from its “home” phone for 20 minutes before another device will register as being stalked. So if your traveling companion has an airtag in their bag, you will never be stalked by that airtag, because your companion, and their phone, is near you the whole time.
What that means in practice is that if a thief takes your bag they will not get a stalking notice for at least 20 minutes.
It isn’t just your phone, but any phone within bluetooth range. Apple suggests it is a 30 foot radius. So as a thief, your best strategy may be to reform your ways, but other than that, put the stolen article in a metal box, or other Faraday cage type thing, that will greatly reduce the airtag’s range, and then find and discard the airtag when you are in an area where no other iphones are present.
One thing to note that I consistently see people misunderstand - AirTags are not meant to be anti-theft or theft recovery devices. They’re not very good at that as it’s extremely easy for thieves to find them even if they didn’t let the thief know they’re being ‘stalked’.
Apple sells AirTags as anti-loss devices. I don’t believe they mention theft recovery at all in their marketing copy. It’s all about “Where the hell did I put my keys?” or “Did I leave my bag at the doctor’s office?” And they work extremely well for that. At least a couple of times a week, I roam my house, iPhone in hand, looking for where I shed my keys and wallet this time.
They are also great for alerting you that you left something behind. I have my Epipen cases tagged, because I once lost a set when the belt clip broke.
Yep, I can do that right here with Airguard on my Android phone. It finds two AirTags, and reports both are connected to their owner. What that really means is that both the AirTag and owner’s iPhone are in range at the moment. Airguard does not report them as tracking me, because the AirTags are in the “connected” state. In that state, I cannot use Airguard to cause them to play a sound.
One of the tags is connected to my ipad. I have to turn off my ipad for 20 minutes before the tag switches to the unconnected state. If I put the AirTag in my pocket, and go someplace without my ipad, then my Android phone with Airguard will eventually alert me I’m possibly being tracked.
I’ve had a few non-test case alarms. One was a real AirTag tracking me, but for completely innocent reasons (it was in the jacket of a child I was taking to the park). At least once I had one go off in traffic. Best I can figure it was in a car that had been driving near me for some time, and was not owned by anyone in that car.
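The detection behaviour described in this thread (a tag is ignored while it is connected to its owner, and only counts once it keeps turning up unconnected as you move), sketched as an added example that is not part of any post and is not Airguard's or Apple's code. The `Sighting` record, the tag labels and both thresholds are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

MIN_SIGHTINGS = 3     # assumption: unconnected sightings needed before alerting
MIN_DISTANCE_M = 500  # assumption: metres the tag must have travelled with us

@dataclass
class Sighting:
    minute: int       # minutes since the scan started
    tag: str          # scanner-assigned label (hypothetical, assumed stable)
    connected: bool   # True while the owner's device is in range of the tag
    lat: float        # scanner's own position at the time of the sighting
    lon: float

def metres(a, b):
    """Great-circle (haversine) distance between two sightings."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371000 * asin(sqrt(h))

def tracking_alerts(sightings):
    """Return tags that stayed unconnected while moving along with the scanner."""
    runs = {}
    for s in sorted(sightings, key=lambda s: s.minute):
        if s.connected:
            runs[s.tag] = []          # owner nearby: not tracking, start over
        else:
            runs.setdefault(s.tag, []).append(s)
    alerts = []
    for tag, run in runs.items():
        travelled = sum(metres(a, b) for a, b in zip(run, run[1:]))
        if len(run) >= MIN_SIGHTINGS and travelled >= MIN_DISTANCE_M:
            alerts.append(tag)
    return sorted(alerts)

# Constructed sample data (not captured from real devices).
SAMPLE = [
    Sighting(0, "companion", True, 52.5200, 13.4050),   # owner walks with us
    Sighting(30, "companion", True, 52.5230, 13.4050),
    Sighting(60, "companion", True, 52.5260, 13.4050),
    Sighting(0, "follower", True, 52.5200, 13.4050),    # owner still in range
    Sighting(25, "follower", False, 52.5215, 13.4050),  # past the 20-minute delay
    Sighting(40, "follower", False, 52.5245, 13.4050),
    Sighting(60, "follower", False, 52.5275, 13.4050),
    Sighting(0, "neighbour", False, 52.5200, 13.4050),  # unconnected but stationary
    Sighting(5, "neighbour", False, 52.5200, 13.4050),
    Sighting(10, "neighbour", False, 52.5200, 13.4050),
    Sighting(40, "traffic", False, 52.5245, 13.4050),   # passing car, seen twice
    Sighting(45, "traffic", False, 52.5350, 13.4050),
]

if __name__ == "__main__":
    print(tracking_alerts(SAMPLE))
```

Raising either threshold trades fewer false alarms of the kind reported above (a tag in nearby traffic) for a later alert.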