Turning a Bluetooth Device into an Apple AirTag Without Root Privileges

The Surveillance Report podcast from Techlore and The New Oil shared recent research into Bluetooth devices being able to share their location as an AirTag, which can be used to track end-users:

Paper Abstract: “Apple’s Find My network, leveraging over a billion active Apple devices, is the world’s largest device-locating network. We investigate the potential misuse of this network to maliciously track Bluetooth devices. We present nRootTag, a novel attack method that transforms computers into trackable “AirTags” without requiring root privileges. The attack achieves a success rate of over 90% within minutes at a cost of only a few US dollars. Or, a rainbow table can be built to search keys instantly. Subsequently, it can locate a computer in minutes, posing a substantial risk to user privacy and safety. The attack is effective on Linux, Windows, and Android systems, and can be employed to track desktops, laptops, smartphones, and IoT devices. Our comprehensive evaluation demonstrates nRootTag’s effectiveness and efficiency across various scenarios.”

nRootTag Paper

Thanks for posting this! I have read similar research papers and proof-of-concepts before.

It is fascinating to see how insecure Bluetooth is. Bluetooth-capable devices (and by extension most IoT devices lol) are essentially landmines just waiting to be exploited. Even if they are privacy nightmares, at least AirPods and AirTags are more likely to have firmware updates applied to them.

Yeah of course! Apple fortunately acknowledged the research and patched this issue in iOS 18.2. (Except, of course, unpatched iPhones or Apple Watches)

So as you mentioned, privacy issues with Bluetooth will always be a revolving door :sweat_smile: