The common complaints were that Apple is slow to fix bugs and doesn’t always pay or publicly recognize hackers for their reports, and that researchers often receive little or no feedback from the company. The vulnerability was discovered and reported to Apple by Bobby Rauch, a security consultant and penetration tester based in Boston. Rauch told KrebsOnSecurity the AirTag weakness makes the devices cheap and possibly very effective physical Trojan horses.

My wife and I spent decades working with victims of domestic violence and people being stalked. If there is any chance these devices can be used for stalking purposes, that would be of grave concern. Many of the people we worked with were at high risk if they were being stalked.
In an article posted by The Washington Post in early September, a number of security consultants and bug hunters aired their concerns about how Apple treats its bug bounty submitters. It gives the example of iOS software developer Tian Zhang, who went public with a bug notification after reportedly hearing nothing from Apple for months. The next time Zhang submitted a bug report, Apple fixed the flaw but did not provide a reward. Rauch said Apple never acknowledged basic questions he asked about the bug, such as whether they had a timeline for fixing it, whether they planned to credit him in the accompanying security advisory, and whether his submission would qualify for Apple’s “bug bounty” program, which promises financial rewards of up to $1 million for security researchers who report security bugs in Apple products.
The other thing is that the easiest way I can imagine a domestic, acquaintance, or unknown stalker tracking someone is by tracking their iPhone or Android phone. If someone ever has access to the device, they can add it to Family Sharing or install spyware or malware on an Android device, and have unfettered Internet-based tracking that’s very accurate. BTW, when a victim of domestic/relationship violence leaves the abuser, they are at their most vulnerable and highest-risk time for violence. I would be interested in any information regarding the possibility of any of the tag resources being used in that manner. From the discussion thus far I’ve not heard anything certain to indicate they are a real danger.
Anonymous, September 30, 2021
This type of attack will mostly be tacked at locations where they know that the victim is worth the $30 payout. Drop them in the New York banking district or the stock market perhaps, but in Willoughby?

Catwhisperer, September 28, 2021
You don’t have to expose your phone number, LOL, you get a Google Voice or similar number. Some are beyond US justice, others it takes years to catch. When Apple isn’t the first stop for exploits, in such cases the damage is done by the time such holes are closed and the crooks caught.

JamminJ, September 30, 2021
There are good, open source QR code readers for your phone.
On top of using the box, I keep the keys towards the centre of the house. Yes, the tags rely on device-based end-to-end encryption. You’ll note that you can’t find family devices, like Macs, via crowdsourcing either, only if they’re on the internet.