SecureMac, Inc.

Checklist 268: Bleepin’ AirTags and 2FA in Action

February 25, 2022

Cloned AirTags and Find My security, Apple introduces new AirTag updates in iOS beta, and Google’s 2FA experiment by the numbers.

This week on The Checklist:

An update on AirTag security

On last week’s Checklist, we talked about some coming changes to AirTag. The changes address the numerous security and privacy concerns around AirTag, Apple’s personal tracking device.

This week: an update about those upcoming updates!

Apple has just released the fourth OS betas for iOS/iPadOS (15.4), macOS (12.3), watchOS (8.5), and tvOS (15.4). And according to a MacRumors piece, two of the proposed changes are already in the latest iOS 15.4 beta.

Per MacRumors, would-be stalkers now receive a deterrent message during the AirTag setup process. The message reads:

You can locate this item using the Find My network … Using this item to track people without their consent is a crime in many regions around the world. This item is designed to be detected by victims and to enable law enforcement to request identifying information about the owner.

In addition, MacRumors says that Apple has also made it possible for devices to distinguish between AirPods and AirTags. The former were causing the “Unknown Accessory Alert”, leading people to believe an AirTag was tracking them when in fact they were just sitting next to some AirPods. 

A cloned AirTag highlights Find My vulnerabilities

Apple is enhancing its AirTag security. But unfortunately, this still may not be enough.

Apple Insider ran a piece this week about a security researcher who managed to create a working clone of an AirTag.

Security researcher Fabian Braunlein wanted to show that a bad actor could bypass Apple’s security precautions around AirTag. According to Apple Insider, he succeeded. Braunlein’s experiment highlighted the following vulnerabilities:

  • An AirTag clone will work on the Find My network, even though it lacks a unique serial number paired with an Apple ID, which makes it anonymous and untraceable.
  • A cloned AirTag can bypass Apple’s audio alert precautions if it doesn’t have a working speaker.
  • It’s possible to build an AirTag clone that doesn’t send tracking alerts to iOS devices or Apple’s Android Tracker Detect app.

AirTag … or Find My?

Now, at this point, you might be thinking to yourself: “Wait a second. This isn’t really an AirTag problem — because the researcher wasn’t using a real AirTag!”

Braunlein would agree with you, says Apple Insider:

…Braunlein believes the main risk isn’t in the AirTags themselves, “but in the introduction of the Find My ecosystem that utilizes the customer’s devices to provide this Apple service.” Since the current iteration of the Find My network cannot be limited only to AirTags and hardware that officially has permission to use the network, Braunlein thinks Apple should consider shoring up its security.

According to the researcher, Apple needs to “take into account the threats of custom-made, potentially malicious beacons that implement the Find My protocol, or AirTags with modified hardware”.

The silver lining to this story? Most people wouldn’t have anywhere near the technical expertise needed to do what Braunlein did. In addition, it appears that his demonstration has attracted the notice of the security community … and hopefully of Apple as well!

2FA for everyone

There’s a lot of AirTag worry in the news — and plenty of other cybersecurity concerns as well! But there is also some good security news, and that’s what we’d like to talk about now.

Engadget reports that Google has new data on the results of its ambitious program of enabling two-factor authentication (2FA) by default. This is, obviously, a pretty huge data set. Google has auto-enrolled over 150 million users for 2FA already, with more expected in 2022.

The good news is that it seems to be working. Like really, really well. Google says that account breaches have dropped by 50% for users where 2FA is on by default. As Engadget comments:

The reduced volume of account breaches isn’t a shock — requiring more effort to crack an account is bound to deter some would-be intruders. It hasn’t always been easy to show the tangible impact of 2FA on security, though, and the sheer scale of Google’s user base gives it a representative sample.

On the Checklist, of course, we’ve been encouraging people to use 2FA for years. But it’s nice to have strong statistical evidence to back up that advice (thanks, Google!). If you’d like to learn more about 2FA and how to use it, here are some resources from The Checklist and the SecureMac blog:

Do you have a question you’d like to ask or a topic you’d like to hear us hit? Send us an email and let us know!
