security

The biggest risks of using Bluetooth trackers like Apple AirTag, Tile – CNBC


Bluetooth tagging devices are catching on, and keeping an eye out on the world in ways never before possible. For that relative who is always losing track of their keys or wallet, these devices from Apple, Samsung and some niche gadget players like Life360, offer a new approach to minding belongings. For pet owners, these Bluetooth devices can be used as a cheaper alternative to microchipping your dog.

“If you’re someone who forgets your keys, or your purse, or your child, and you want to track them, then these are not a bad way to do that,” said Justin Cappos, associate professor of Computer Science and Engineering at New York University Tandon School of Engineering and a member of New York University’s Center for Cybersecurity.

But the idea of tags to track people, specifically, is where the controversy has been introduced as part of this technology’s adoption.

From Apple’s AirTag to Samsung’s Galaxy SmartTag to Life360’s Tile, there are many options in the Bluetooth tagging device market offering security and peace of mind, but notably, the company’s in the market, from Apple to Life360, have made clear these devices were never designed to track people — Apple’s product messaging focuses only on personal items. That doesn’t change the fact that as with most of the technological advances occurring at an accelerated rate in recent decades, from phones to social media and AI, there is never a breakthrough that arrives without a potential downside. Tags are being put to nefarious uses, including to stalk individuals.

“If you want to track somebody, that’s what these are designed for, and that’s where the problem really comes in,” Cappos said. “You have something that it’s intended use and it’s malicious use are almost identical.”

Here are some basics to know about Bluetooth tags if you’re using one already, or considering adding one to your tech-enabled life.

The risk of stalking is real, tech companies are addressing it

There have been several crimes reported involving the use of Bluetooth tagging devices to stalk victims, specifically younger women and women being stalked by former spouses or relationship partners. Attaching these devices to cars has been common, but there have been cases of victims finding these trackers on themselves — one victim reported a Bluetooth tagging device taped inside her duffel bag and another found one hidden in her coat after a night out.

“The problem with Bluetooth trackers … is there’s no way to prevent a victim from being stalked by one of these devices because they don’t control it. They don’t have any access to it. … Whether it’s a creep at the bar or an angry ex-partner, this is a new avenue that they can use to non-consensually track somebody without their knowledge,” said Adam Dodge, CEO of digital safety education company EndTAB and a member of the World Economic Forum’s Digital Justice Advisory Committee.

Two women recently filed a class-action lawsuit against Apple alleging lack of protections the AirTag has against stalking. One victim discovered that her ex-boyfriend had planted an AirTag on her car, while the other found multiple AirTags in her child’s backpack that she suspects were placed by a former spouse.

The lawsuit is a step in the right direction, Dodge said, because tech companies have historically been insulated by Section 230 of the federal Communications Decency Act but in this case, it is a product liability issue alleging inherently dangerous products lacking sufficient safeguards.

He does give Apple credit for working to address these issues. “Apple’s already taken a lot of steps to make them less effective stalking tools. The problem is they’re really good at stalking people,” Dodge said.

Readers Also Like:  Google advises Android users to take action after finding 18 zero ... - TechSpot

For that reason, the litigation could ultimately produce positive effects, even if it’s tough to beat big tech in court. “The history of litigation against big tech for these types of circumstances is not great. But I’m hopeful that they will have success from a product liability standpoint and as a result make these devices much safer to use,” he said.

Whether successful or not, Dodge says it “sends a message to anyone developing hardware like this to prioritize user safety at the same level as they prioritize user growth and revenue.”

Sound alerts for tracking

Many victims of stalking cases were able to identify that they were being tracked when they received a sound notification on their iPhone that an AirTag was found moving with them.

But there have been complaints about the low level of the sound.

“It’s not a noise that you may not even take notice of it, so you have to be very cognizant that this is happening,” said Kathleen Moriarty, chief technology officer at the Center for Internet Security. 

Apple has taken measures to raise the volume of the sound emitted from the AirTag, outlined in its February 2022 major announcement about several anti-stalking enhancements. Apple stated in that February update that is has been adjusting the tone sequence to use more of the loudest tones to make an unknown AirTag more easily findable.

Apple’s work with law enforcement

In its February update, Apple also included a new privacy warning during AirTag setup that explicitly states it’s a crime in many regions to use AirTags to track people without their consent.

This warning function may have limited value, though. While it creates “friction” in the process for any user planning to put the AirTag to criminal use, it’s unlikely to stop those intent on a malicious action, according to Dodge.

“It can’t hurt to say that, for Apple to put the warning out there, and perhaps for someone or a small group that would prevent them from misusing AirTags,” Dodge said, comparing the idea to how some algorithms now built into social media warn users a post they are about to publish is offensive or harassment.

He said more important is the Apple announcement it is working with law enforcement on tracking AirTags back to perpetrators. “They have put out a very clear statement they will cooperate,” he said, and from what he has heard, Apple has backed that up. The challenge, according to Dodge, is that many people still don’t know that Apple will cooperate, including local law enforcement agencies, especially since historically, cooperation between law enforcement and big tech has not always been smooth.

Apple referred all questions about AirTag to the policies and updates it outlined in its February update, and specifically the statement that the company is “committed to listening to feedback and innovating to make improvements that continue to guard against unwanted tracking.”

It does not comment on pending litigation.

Early warning and detection are key

Some of the biggest updates Apple and other manufacturers have made relate to apps dedicated to enhanced detection.

“What we really need is really early warning detection, and we need to raise awareness in our community that this is a real risk,” Dodge said.

The AirTag sound alert has been surpassed by Apple’s Precision Finding app for any iPhone 11 or later model, which physically guides users to an unknown AirTag, including showing the exact distance to the tag, and in addition to an AirTag separated from its original owner playing a sound to draw attention to it.

Readers Also Like:  The congressional China-EV showdown - Axios

For users of iOS 14.5 or later, an AirTag can also be recognized when the user arrives home, if that information is filled out in an Apple My Card contact section, and if location services are turned on, which is the default setting. An unwanted AirTag, or a tag taken by mistake (say another family member’s tag) can also be detected at additional locations which a phone user frequents, such as a gym.

Apple does not divulge a standard period of time when alerts commence for security reasons, with that randomized window of time ranging from 8 hours to 24 hours.

“Precision Finding is great but what we also want is an earlier warning to victims,” Dodge said. “They’ve added Precision Finding, they’ve increased volume, they’ve lowered the time window to alert somebody if they’re being tracked, but we’d like to see them go further,” he said.

Apple has made an effort to provide similar detection tech to Android phone users, with its Tracker Detect app available in the Google Play store. It lets Android users scan for items no longer with the original owner, however, it is not an automatic detection as on the iPhone.

“More safety measures are needed, even for Apple, they need to find a better way to alert Android users if they are being tracked with an AirTag, because unlike the iPhone, they do not get the continual scanning,” Dodge said. He added this is particularly important because Android phones are more popular with underserved communities and people of lower-income, who should not be more at risk of stalking as a result of socioeconomics.

Samsung and Tile

In late 2020, Samsung launched a SmartThings Find feature in the SmartThings app, which enables Galaxy users to locate their lost phone. Samsung later added an update that allows users to scan for any unknown SmartTags near them with the Unknown Tag Search.

Life360’s Tile introduced a similar update last March called Scan and Secure that lets both iOS and Android users detect any Tiles or Tile-enabled devices nearby.

Once a user chooses to run Scan and Secure, the scan requires them to walk/move or drive a certain distance away from their original location for a maximum of 10 minutes of uninterrupted time until the scan is completed, a design the company says was informed by concern for potential victims of unwanted tracking. The company notes that the most common use case of domestic violence is 70% of stalking victims who know their abuser.

While Dodge cited the importance of earlier detection, Life360 says it is a manual Bluetooth scanner because proactive alerts set to appear after a certain period of time can put victims of domestic abuse in more danger, depending on the situation. Automatic alerts may not be in the best interest of someone who lives with their abuser and is trying to leave a dangerous situation can’t wait for an alert to inform them hours later that they’re being tracked.

What to do if you’re being stalked

If you discover an unknown Bluetooth tagging device with you, there are ways to disable the device so it can no longer track your location.

With AirTags, iPhone and NFC-capable smartphone users can disable the device by holding the top of their phone next to the white side of the AirTag. This will prompt a notification that brings users to the AirTag’s serial number, and they can then access instructions to disable the device.

This function can be used to find an innocently lost AirTag and return to the owner if it has set the device to Lost Mode, or for an unwanted AirTag to be disabled.

Readers Also Like:  RISCO Partners With Skills For Security To Close Skills Gap | Security News - SecurityInformed

Apple offers step-by-step instructions on its website. Tile does as well.

All AirTags can have batteries removed, which is not the case for all Tile and Tile-enabled devices. If a battery can be removed, that is a simple way to disable the device. For versions of Tile devices that are operated with non-replaceable batteries, the company recommends wrapping the device in several layers of foil or placing them in an electronic signal-blocking bag.

While a user might be tempted to destroy an unwanted tag, especially if the battery cannot be removed, that’s not the best idea.

“You could always take a hammer and destroy the thing, or put it in the garbage and send it to the dump, but from an evidentiary standpoint, if you’re going to law enforcement, obliterating the device means you might not have the serial number, and they’d want that,” Dodge said.

Where Bluetooth tagging devices are headed

The influx of stalking cases involving Bluetooth tagging devices emphasizes why people need to be vigilant about their privacy with these devices in the world, but these issues likely won’t dissuade prospective customers.

“You could take a very hard line and just say technology isn’t good because it can be used for this type of tracking and not pursue the technology. But we’re in a situation where the use of it has already begun, so pulling back is difficult,” Moriarty said.

With more safety features implemented into these devices, companies also need to balance security with usability.

“If it becomes less useful to consumers because of limitations that they put on to stop these kinds of attacks, I think that it’s possible that will deter people from it. But I don’t think that is very likely, I think the much more likely outcome will be that they will continue to be used more and more,” Cappos said.

The safety features that Apple, Samsung and Life360 are adding in their Bluetooth tagging devices could end up leading to secondary players in the market becoming more popular with criminals.

“One thing you don’t want to have occur is have it be that Apple adds a bunch of good security features, so then all the attackers go and buy it from a vendor who didn’t add those security features and use it for stalking,” Cappos said.

But Dodge said that the attention to this issue is a good thing, and a rare thing in tech, with device makers responding to safety concerns and creating safety features. Responding forcefully to user complaints about safety is not something he says the tech world has been good at in the past. “But with AirTag, we are starting to see that, and it’s hopeful,” he said.

Dodge stressed that a Bluetooth tag is a subset of a much larger problem in tech, that our smartphones are the ultimately stalking apps. While the tags are a very specific tool able to be dropped into the wheel well of a car or backpack, they are part of the broader phenomenon of tech-enabled location tracking, whether through an on-demand food delivery, parking or fitness app.

“We have massive digital footprints, and especially for people being stalked by current or former partners, the apps we rely on every day can be weaponized to track without consent. We need to raise awareness about that too,” Dodge said. “It’s often overlooked.”



READ SOURCE

This website uses cookies. By continuing to use this site, you accept our use of cookies.