Apple’s AirTag tracking devices can be deceived by replaying Bluetooth signals, according to new cybersecurity research. The technique allows malicious actors to spoof an AirTag’s location, potentially enabling stalking or theft evasion scenarios.
Security analysts at Help Net Security first documented the vulnerability, demonstrating how attackers can record and retransmit Bluetooth Low Energy (BLE) signals from an AirTag. This creates false location data in Apple’s Find My network while the actual device remains elsewhere.
“This isn’t just theoretical,” said a cybersecurity researcher familiar with the findings who requested anonymity. “We’ve replicated it in lab conditions using about $200 worth of equipment.” Apple has not commented on the specific findings but maintains that AirTags include multiple anti-stalking protections.
The vulnerability stems from how AirTags rely on nearby Apple devices to crowdsource location data. By replaying captured BLE signals, attackers can trick this network into reporting incorrect locations. While this requires proximity to both the target AirTag and the spoofing equipment, experts warn it could be weaponized by sophisticated criminals.
Looking ahead, security professionals anticipate Apple may address this through firmware updates or enhanced signal authentication. However, the incident highlights broader challenges in securing crowd-sourced tracking networks against spoofing attacks.
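As an added illustration (not from the research or from Apple), this Python example shows one defensive check against the replay described above: flagging pairs of location reports for the same tag that imply impossible travel. The `Report` fields, the speed ceiling and the sample data are constructed assumptions, and the check is assumed to run wherever a tag's location reports are readable.

```python
import math
from dataclasses import dataclass

MAX_SPEED_KMH = 900.0  # assumed ceiling (roughly airliner cruise speed)

@dataclass(frozen=True)
class Report:
    beacon_id: str  # hypothetical tag identifier seen by the finder device
    ts: float       # finder timestamp, seconds
    lat: float
    lon: float

def haversine_km(a, b):
    """Great-circle distance between two reports in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def flag_implausible(reports, max_speed_kmh=MAX_SPEED_KMH, min_km=1.0):
    """Return (earlier, later, implied_kmh) for consecutive same-tag reports
    whose separation cannot be covered in the elapsed time."""
    by_tag = {}
    for r in sorted(reports, key=lambda r: r.ts):
        by_tag.setdefault(r.beacon_id, []).append(r)
    findings = []
    for seq in by_tag.values():
        for prev, cur in zip(seq, seq[1:]):
            dist = haversine_km(prev, cur)
            if dist < min_km:          # ignore jitter between nearby finders
                continue
            hours = max(cur.ts - prev.ts, 1.0) / 3600.0
            if dist / hours > max_speed_kmh:
                findings.append((prev, cur, dist / hours))
    return findings

# Constructed sample: tag A stays in Berlin while one report arrives from Munich;
# tag B makes an ordinary one-hour trip from Berlin to Potsdam.
SAMPLE = [
    Report("A", 0, 52.520, 13.405), Report("A", 300, 52.521, 13.406),
    Report("A", 600, 48.137, 11.575), Report("A", 900, 52.520, 13.405),
    Report("B", 0, 52.520, 13.405), Report("B", 3600, 52.390, 13.065),
]

if __name__ == "__main__":
    for prev, cur, kmh in flag_implausible(SAMPLE):
        print(f"tag {cur.beacon_id}: {kmh:.0f} km/h implied between t={prev.ts} and t={cur.ts}")
```

A replay into a location close to the real tag stays under the speed threshold, so a check like this complements signal authentication and does not replace it.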