How do Apple AirTags Work?

By now, you have probably seen something or other about these new little magical, $30, white buttons that you can attach to your keys or purse, throw in your luggage, or sew into your kid’s backpack. You can then pull up the location of this amazing little gadget with a couple of taps in the ‘Find My’ app on your iPhone. Sounds great, right? I don’t know anyone who loves losing stuff, like keys and kid’s backpacks. But how the heck do these little Apple AirTags work?

Brand new AirTags pair with their owner’s iPhone, sharing a cryptographic seed. You could call this a “provisioning” process. The AirTag then begins emitting a Bluetooth Low Energy (BLE) advertising beacon every two seconds, broadcasting a time-sensitive encrypted message. The AirTag does this forever and ever, until its little coin cell battery (a 3 volt, 2032 cell) dies. The BLE messages are not directed at any particular device. They are like smoke-signal messages, sent up into the air for anyone to catch. The AirTag has no way of knowing which of its messages are being picked up, or what device is listening. These messages do not require a paired Bluetooth connection.

The messages that the AirTags broadcast are mostly encrypted, but the first couple of bytes in the message are not. These first couple of bytes indicate to nearby iPhones and Macs that the message belongs to an AirTag. The operating systems of recently updated iPhones and Macs have instructions to listen for messages from AirTags – anyone’s AirTags – not just the ones that belong to the owners of the iPhones and Macs. The global network of iPhones and Macs relays the AirTag messages up to the ‘Find My’ network. Before it relays the AirTag message to the cloud, the iPhone/Mac grabs its most recent location information (GPS, Wi-Fi or otherwise) and bundles that (encrypted) into the message. You see, the little AirTag doesn’t have a GPS onboard, nor does it have Wi-Fi or a network SIM card, so it leverages the existing, vast network of network-enabled iOS and Mac devices out there on planet Earth.

When the owner of an AirTag opens the ‘Find My’ app on their iPhone, searching for their lost item, an interesting process occurs. The iPhone takes the cryptographic seed shared only between it and the AirTag, combines it with the current time, and generates the encrypted message that the AirTag is also expected to generate and broadcast. Then, it searches the Find My network for that value. When the match is found, the location data is decrypted by the owner’s iPhone and the user learns the last known location of their item.

Apple says that an iPhone that relays the AirTag message to the Find My network is unknown to the owner of the AirTag and that Apple itself doesn’t know the cryptographic info shared between the iPhone and the AirTag.

The Vulnerabilities: AirTag Stalking?

So, obviously, it isn’t going to take too long to think about the ramifications of people attaching an AirTag to the underside of someone’s bumper, or slipping one inside a handbag, to track a person’s movements without their knowledge. For folks that have an iPhone, there are safety features that alert iPhone users that an AirTag that doesn’t belong to them is traveling with them. You don’t have to watch too many videos to see scenarios where users were alerted that they were traveling with an AirTag that didn’t belong to them only after they arrived home. If your ‘home’ address isn’t known to your phone, you will get alerted at the end of the day. The jury is out on whether these precautions are timely enough, useful, or simply annoying, when grandma picks up the kids from school and now her iPhone is bombarded with push notifications over your perfectly-safe kid’s backpack.

The most worrisome gap here is for Android phone users. None of these security features are available to Droids and that makes Android users more vulnerable to AirTag Stalking. That’s why I wrote the AirTagLocator App for Android. This app simply sorts through all of the BLE devices around the Android phone and identifies those that are advertising messages with the AirTag pattern. It’s free, and has no advertising.
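As an added example (not code from the original post or from the author’s AirTagLocator app), here is how a scanner can pick out the cleartext header that the two passages above describe: the unencrypted leading bytes, and the AirTagLocator approach of sorting nearby BLE advertisements by pattern. The header values (Apple company ID 0x004C, Offline Finding type 0x12, payload length 0x19) and the sample payloads are assumptions taken from public reverse-engineering of the Find My protocol, not from the post.

```python
from dataclasses import dataclass
from typing import Iterator, Optional

# Header values follow public reverse-engineering of the Find My protocol
# (assumed here; the post itself only says "the first couple of bytes").
AD_TYPE_MANUFACTURER = 0xFF  # Bluetooth SIG "Manufacturer Specific Data"
APPLE_COMPANY_ID = 0x004C     # Bluetooth SIG company identifier for Apple
OFFLINE_FINDING_TYPE = 0x12   # Apple sub-type used by Find My beacons
OFFLINE_FINDING_LEN = 0x19    # 25 bytes: status + 22 key bytes + key bits + hint

@dataclass
class FindMyBeacon:
    status: int          # the one cleartext status byte
    key_fragment: bytes  # 22 opaque bytes of the rotating public key

def ad_structures(payload: bytes) -> Iterator[tuple[int, bytes]]:
    """Split a payload into (ad_type, data) AD structures: <len><type><data...>.
    A zero length or a truncated final structure ends parsing instead of
    yielding garbage, so a cut-off capture is never misreported as a match.
    """
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            return
        yield payload[i + 1], payload[i + 2 : i + 1 + length]
        i += 1 + length

def parse_find_my(payload: bytes) -> Optional[FindMyBeacon]:
    """Return the decoded header fields if the payload is a Find My beacon."""
    for ad_type, data in ad_structures(payload):
        if ad_type != AD_TYPE_MANUFACTURER or len(data) != 4 + OFFLINE_FINDING_LEN:
            continue
        if int.from_bytes(data[:2], "little") != APPLE_COMPANY_ID:
            continue
        if data[2] != OFFLINE_FINDING_TYPE or data[3] != OFFLINE_FINDING_LEN:
            continue
        body = data[4:]
        # Everything after the status byte is key material that rotates, so a
        # scanner can recognise *that* a Find My beacon is nearby, not *whose*.
        return FindMyBeacon(status=body[0], key_fragment=bytes(body[1:23]))
    return None

# Constructed sample payloads, not captured from real devices.
FIND_MY_ADV = (bytes([0x1E, 0xFF, 0x4C, 0x00, 0x12, 0x19, 0x10])
               + bytes(range(22)) + bytes([0x03, 0x00]))
IBEACON_ADV = bytes([0x1A, 0xFF, 0x4C, 0x00, 0x02, 0x15]) + bytes(21)
```

The iBeacon sample shares Apple’s company ID but a different sub-type, which is why matching on the company ID alone would over-report.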

Apple says that AirTags that are ‘unattended’ (not near their owner for a period of time) will produce an audible sound. Of course, this feature can be disabled by the owner. So, it’s clear that this feature isn’t intended to discourage AirTag Stalking.

Excessive bandwidth use by unsuspecting iPhones?

Imagine (in the before-times, pre-COVID) you are on a commuter train for 45 minutes each morning and each evening. Pretend there are 5 passengers in your train car that have an AirTag on their key ring or backpack. Think about your iPhone, adjusting its GPS data, encrypting, bundling and uploading messages for 5 local AirTags, for 90 minutes, five days a week. Each AirTag emits a message every 2 seconds. It would be interesting to know if iPhones bundle AirTag messages and send them in an efficient manner, or if there is really just a ton of network traffic involved here. Let’s say they are bundled such that every 3 minutes (as observed in this video) a message is relayed up to the cloud. That would still be 90 min commute / 3 minute intervals x 5 AirTags x 5 days a week = 750 network calls made by your phone, on behalf of other people’s AirTags.

Can I opt out?

Well, you can turn off Bluetooth, turn off data, opt out of the ‘Find My’ network, or maybe just get an Android phone? 🤣😉 Obviously, if you are an iPhone user, discontinuing use of these hardware/software features is a bummer. It probably isn’t what you signed up for.

Oh, the Ultra Wideband Precision Finding….

There is no doubt that the tech behind an iPhone zeroing in on an AirTag is impressive. At a coarse level, the ‘Find My’ network data (longitude and latitude) requires a global network of existing iPhones and Macs. On a finer grain, it appears that the AirTag BLE advertising can be picked up and used by the owner’s iPhone directly. You can see this with iPhones older than the iPhone 11. On the iPhone 11 and later models, Apple added the U1 Ultra Wideband chip. This is the hardware that makes extremely accurate, real-time localization possible. So, if you are using an iPhone 11 or later, and running iOS 14.5 or later, your iPhone will use Ultra Wideband to locate your AirTag, with a compass-looking UI. This fancy technology makes it possible to locate your AirTag down to a couple of centimeters. Check this video out for more details…

NFC and Apple AirTags

Each AirTag has a serial number (printed inside, under the coin battery). If an iPhone user finds someone else’s AirTag, they can use NFC to identify the lost AirTag. Of course, within two weeks of AirTags being released, this feature was already hacked, with beautiful documentation, basically rendering a lost AirTag just about as dangerous as an abandoned thumb drive left in a parking lot. Some folks online say that Android phones can use NFC to identify an AirTag, but I haven’t been able to confirm that in my tests with various Android phones.

How long does the battery last?

Apple says the battery lasts about a year. I bought an AirTag a few days after they were released. I pulled the plastic tab out when I unboxed it, and it ran about 4 days before I started to get messages on my iPhone that my AirTag battery was running low. Since I replaced the battery, it has been running fine now for about 12 days.

How do I reset an AirTag?

In various places online, I have read that if you want to reset (unprovision) an AirTag, basically disconnecting it from its owner, you will need to do the following: Pop out the battery by pressing down on the chrome cover and turning clockwise. The chrome piece should pop off and reveal the battery. When the chrome piece is removed, the battery contact is released. Remove the battery, then replace it and hold the battery down. The AirTag should make a cute little Star Trek-ish noise; then take the pressure off the battery again and remove it. Repeat this five times, until you don’t hear the Star Trek sound. The AirTag will disappear from the owner’s ‘Find My’ map, like they never had the AirTag at all. Put the chrome cover back on, twist counter-clockwise and listen for another little Star Trek noise to confirm that it is working again. But BEWARE! I haven’t been able to confirm that this process alone works! In my experience, resetting an AirTag requires the process described above in addition to the owner removing it from the Find My app on their iPhone. This makes sense, in that if someone found a lost backpack with an AirTag and was able to basically factory reset the AirTag manually, it would completely defeat the purpose!

Final Thoughts?

The AirTags are clearly the result of a years-long endeavor at Apple. Think about the alphabet soup of NFC, BLE, and UWB technologies all working in unison, packaged in a cute little button. It is a pretty cool product. After the euphoria of harmonious tech fades, I am left with a nagging fear that these things will be used for no good, and that is never a good feeling. Be safe out there, folks.