Abstract :

Full Description Locating a pet, a wallet, a bicycle, or even the keys is crucial during this pandemic time. But when a technology is designed so well that it could be implemented to track any object precisely, malicious actors could twist its original purpose and abuse its functionalities. Technically, inexpensive and practical, the Apple AirTags, by design, make themselves a perfect tool to track intimate partners, actors, women, men, journalists, ex-partners, kids, businesspeople, politicians, or even specific cars. The abuse of this technology might play a crucial role in coercive control.

In this presentation, we will explain how the Apple Find My network interconnected devices technology works. This talk explores different aspects and scenarios where some individuals have been involved in these difficult situations, and some of them were able to detect and find the hidden Apple AirTags. But what about when malicious attackers disable the AirTag after they know the desired target location. Will the affected people ever know that they were tracked? These small devices are difficult to detect and sometimes impossible to find, even if they play a sound. Adding that they are becoming a perfect tool to track individuals with low or limited resources using Apple third-party technology.

Concerning the current situation, instead of concluding this presentation with suggestions, we will conclude with actions. We will explain how a person can detect an Apple AirTag device, even if a malicious user already disabled it. We will explore different possibilities to track down the tracker by signal, by sound, and by using an open-source tool to guide the affected person to find the hidden device. Finally, how to spoof the signal somewhere else to deceive the malicious attacker with an incorrect location.

Speaker:  Salvador Mendoza 

Salvador Mendoza is director of research and development at Metabase Q and member of the Ocelot Offensive Security Team.

Salvador focuses on tokenization processes, payment systems and embedded prototypes. He has been a speaker at world-class events such as Black Hat USA, DEFCON, DerbyCon, Ekoparty, HITB, Troopers, among many others. Among his different activities, he is recognized for training in EMV, RFID and NFC technologies that he has offered in multiple countries such as Germany, Mexico, Colombia, Bolivia, Chile and United States.

It has also designed different tools to scan for vulnerabilities in physical and digital payment systems. Their contributions to the community are not only at offensive level; In his research, Salvador has participated in the design of different tools for detecting bank account skimmers and malicious payment system devices.

Also, Salvador is author of “Show me the (e-) money Hacking a sistemas de pagos digitales: NFC, RFID, MST y Chips EMV“. A Spanish-written book with a collection of different attacks against payment system technologies.