Tracked by hidden tags? Apple and Google unite to propose safety and security standards… – Naked Security

Apple’s AirTag system has been in the news for various reasons, including firmware hacking, being used as a low-bandwidth community radio network, and being involved in a tragic stalking incident that ended in a murder charge. While Apple has introduced measures to make AirTags harder to exploit, the growing market for similar devices and Google’s reported entry into the space suggest the need for safety and security standards. Apple and Google are proposing an internet standard called Detecting Unwanted Location Trackers, with experts from both companies working together to create it. The draft introduces the term Unwanted Tracking (UT) and splits trackers into two classes: small and large. Large devices are considered easily discoverable, while small devices are easily concealed and must provide at least a basic level of UT protection.

The proposal outlines several specifications. Trackers must not broadcast their identity and trackability when they are near their registered owner, and must broadcast a notification every 0.5 to 2 seconds when they are away from their owner. Tags must also switch between modes: when with their owner they change their machine identifier every 15 minutes, but when parted from their owner they must hold onto their MAC address for 24 hours. Any unwanted tag that is detected must respond to “reveal yourself” probes by bleeping 10 times at a specified sound level and by vibrating or flashing. Any tag found must come with clear instructions for disabling it, and the manufacturer must provide a text description as well as a visual depiction of how to disable it.
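The timing rules summarised above can be checked mechanically against a lab capture of a tag's advertisements. The following is an added example, not code from the draft or from the original article; it audits a log for the three timing rules and reports each violation. Assumptions: the `(time_s, mac, mode)` record layout, the `near_owner`/`separated` labels (known to the tester on the bench), and the shortened MAC strings are all constructed for illustration.

```python
# Added example: audits a constructed lab capture against the timing rules
# summarised above. The record layout (time_s, mac, mode) is an assumption.
NEAR_ROTATE_S = 15 * 60                   # near owner: new identifier every 15 minutes
SEP_HOLD_S = 24 * 60 * 60                 # separated: keep the same MAC for 24 hours
SEP_MIN_GAP_S, SEP_MAX_GAP_S = 0.5, 2.0   # separated: advert every 0.5 to 2 seconds


def audit(observations):
    """Return a list of (time_s, rule, detail) violations, in time order."""
    violations = []
    prev = None        # previous observation
    mac_since = None   # when the current MAC was first seen in the current mode
    for t, mac, mode in sorted(observations):
        if prev is None or prev[2] != mode:
            mac_since = t                      # a mode switch restarts the clock
        else:
            p_t, p_mac, _ = prev
            gap = t - p_t
            if mode == "separated":
                if not SEP_MIN_GAP_S <= gap <= SEP_MAX_GAP_S:
                    violations.append((t, "advert-interval", f"gap {gap:.1f}s"))
                if mac != p_mac:
                    if t - mac_since < SEP_HOLD_S:
                        violations.append((t, "mac-hold", f"{p_mac} -> {mac}"))
                    mac_since = t
            elif mac != p_mac:                 # near owner, identifier rotated
                mac_since = t
            elif t - mac_since > NEAR_ROTATE_S:
                violations.append((t, "id-rotation", f"{mac} kept too long"))
                mac_since = t                  # report each overrun once
        prev = (t, mac, mode)
    return violations


def sample_capture():
    """Constructed capture: one tag, first near its owner, then separated."""
    obs = [(0.0, "AA:01", "near_owner"), (600.0, "AA:01", "near_owner"),
           (1000.0, "AA:01", "near_owner"),    # same identifier after > 900 s
           (1200.0, "AA:02", "near_owner")]
    obs += [(2000.0 + i, "BB:01", "separated") for i in range(4)]  # 1 s gaps
    obs += [(2008.0, "BB:01", "separated"),    # 5 s of silence
            (2009.0, "BB:02", "separated")]    # MAC changed within 24 hours
    return obs


if __name__ == "__main__":
    for violation in audit(sample_capture()):
        print(violation)
```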

The proposed standards cover both technical and social aspects, such as how to encrypt serial number data and when, how, and for whom such encrypted data should be unscrambled. The proposal also includes controversial specifications, such as the requirement for “obfuscated owner information” to be emitted by the device on demand. The current draft is open for comment for six months, during which time it may be modified and re-proposed, or accepted as a new standard.

If you are concerned about mobile device security, privacy, or the potential for tracking devices to be abused, it is recommended that you read through the proposed standards. While some specifications are technical, others are social and cultural, and some may not be agreed upon, such as the specification for “obfuscated owner information.” The proposal is an important step towards establishing safety and security standards in the smart tag market.
