A Relay a Day Keeps the AirTag Away: Practical Relay Attacks on Apple's AirTags
This work exposes a practical privacy and security vulnerability in Apple's Find My network for AirTag owners, showing that the lack of report validation can be exploited to manipulate location data.
The authors demonstrate a relay attack on Apple AirTags that injects false location reports into the Find My network, causing the owner to see a wrong position for a lost tag, and also enabling a focused denial-of-service attack by misleading the owner about the tag's whereabouts.
Apple AirTags use Apple's Find My network: when nearby iDevices detect a lost tag, they anonymously forward an encrypted location report to Apple, which the tag's owner can then fetch to locate the item. That encryption protects privacy -- neither the finder nor Apple learns the owner's identity -- but it also prevents Apple from validating the correctness of received reports. We show that this design weakness can be exploited: using a relay attack, we can inject manipulated location reports so the Find My service reports a false position for a lost AirTag. The same technique can be used to deny recovery of a targeted tag (a focused DoS), since the owner is misled about its whereabouts.