
Trying to detect new Airtags from a stationary scanner

Open createcandle opened this issue 2 years ago • 5 comments

I'm trying to inform users of my open source smart home project when an actually new Airtag appears, but it's quite hard to do, since stationary Airtags rotate the mac every 15 minutes.

What I'd be interested in (thinking of implementing it in my project) is a way to detect when Airtags change their mac addresses, so that I can ignore the Airtags that the user was already alerted to.

They seem to change their mac address at a regular interval (15 minutes), so if the Airtag count isn't too high it should be possible to do this. And if there is a way to extract other more stable values (such as battery level) it would become even easier?

I'd be curious if you think this approach is useful and possible. Perhaps it could be a feature of Airguard too?

P.S. How does Apple do this? I suspect they can only inform you if a device is travelling with you because they can check the location of the Airtag and the phone and see if they move together for a while? That would imply Apple's protection app would also have a harder time informing people about malicious trackers if they are stationary too? After all, it might just be your upstairs neighbour's Airtag.

createcandle avatar Feb 28 '22 15:02 createcandle

I've been looking at the status byte values of an Airtag.. and it doesn't seem to be a predictable value.

createcandle avatar Mar 09 '22 12:03 createcandle

I wouldn't rely on this to work properly. The status byte shouldn't change that much. The only values that might change are the one bit that shows if the owner was connected within the current key rotation and the 2 bits that represent the battery state.

Apple can differentiate between AirTags owned by the device owner and others, because AirTags get associated to the Apple ID of the owner device in the setup process.

We already thought about this but came to the conclusion that it will probably not be reliable enough, because the battery level is relatively stable and solely relying on the status byte can start to cause problems when more than one AirTag is present.

Trup3s avatar Mar 19 '22 17:03 Trup3s

> one bit that shows if the owner was connected within the current key rotation and the 2 bits that represent the battery state

Could you share which bits represent what?

And the battery state is just two bits? Hmm, then indeed it probably won't have a lot to work with for recognising a device based on its battery level. Which is good I guess, because otherwise Apple would have dropped the ball here :-D

> can start to cause problems when more than one AirTag is present

How so?

> probably not reliable enough

Don't let perfect be the enemy of good? For my use case it would already be useful even if it's not perfect.

Currently my system reports if a new airtag is detected based on the number of airtags it found during a scan. If the number increases, that's relevant already (provided the user doesn't live on top of a busy footpath).

[Screenshot 2022-03-20 at 14 24 30]

As you can tell, this currently creates a lot of instances where the system notifies that it detected a new tag. I'd like to make it a little more accurate. For example by trying to guess if an airtag is truly new based on the mac address and any other data that might be useful. Increasing scan duration and doing some time-based averaging would probably also help.

createcandle avatar Mar 20 '22 13:03 createcandle

From the research paper:

(1) Unpaired
(2) Connected
(3) Nearby
(4) Separated

If my system could filter out airtags that are happily paired or connected, that might already help with finding potential stalker devices.

createcandle avatar Mar 20 '22 13:03 createcandle

The document you linked to mentions that once nearby the airtags will emit "the first part of a public key". And once they enter the separated state, they emit the full public key.

That public key is only changed once per day?

That seems to imply that an Airtag in the nearby/separated state could easily be tracked since the public key remains stable for an entire day?

If that is correct, then might I be able to use that (first part of the) public key to keep track of which Airtags' presence the user has already been alerted to recently?

createcandle avatar Mar 30 '22 10:03 createcandle
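
The alert bookkeeping proposed in the last comment, as an added example that is not part of the original thread or of AirGuard's code: it compares "new tag" alerts keyed on the rotating MAC with alerts keyed on the advertised key bytes. The `Sighting` record, `AlertFilter` and the sample scan are hypothetical, and the code assumes (as the comment asks, but the thread does not confirm) that the key bytes stay fixed for a day while the MAC changes every 15 minutes.

```python
from dataclasses import dataclass, field

KEY_PERIOD_S = 24 * 60 * 60  # assumption from the thread: key changes once per day


@dataclass
class Sighting:              # hypothetical record produced by a BLE scanner
    ts: int                  # seconds since the scanner started
    mac: str                 # rotates every 15 minutes, per the thread
    key_part: bytes          # advertised public-key bytes, treated as opaque


@dataclass
class AlertFilter:
    """Alerts once per identifier; forgets identifiers unseen for ttl seconds."""
    ttl: int = KEY_PERIOD_S
    last_seen: dict = field(default_factory=dict)

    def is_new(self, ident, ts: int) -> bool:
        # Drop stale entries so the table does not grow without bound.
        self.last_seen = {k: t for k, t in self.last_seen.items()
                          if ts - t <= self.ttl}
        new = ident not in self.last_seen
        self.last_seen[ident] = ts
        return new


def count_alerts(sightings, use_key: bool) -> int:
    """Number of 'new tag' alerts when keyed on key_part (True) or MAC (False)."""
    f = AlertFilter()
    return sum(f.is_new(s.key_part if use_key else s.mac, s.ts) for s in sightings)


def constructed_scan():
    """Constructed data: two stationary tags seen every 5 min for 2 h, a third
    tag appears after 1 h. MACs change every 15 min, key bytes stay fixed."""
    out = []
    for ts in range(0, 2 * 3600, 300):
        slot = ts // 900     # index of the current 15-minute MAC period
        for tag in (1, 2, 3):
            if tag == 3 and ts < 3600:
                continue
            mac = f"C0:00:00:00:{tag:02X}:{slot:02X}"
            out.append(Sighting(ts, mac, bytes([tag]) * 6))
    return out


if __name__ == "__main__":
    scan = constructed_scan()
    print("alerts keyed on MAC:", count_alerts(scan, use_key=False))
    print("alerts keyed on key bytes:", count_alerts(scan, use_key=True))
```

A tag that is still connected to its owner may not advertise stable key bytes at all, so a real scanner would need a fallback for sightings where `key_part` is unavailable.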