Apple AirTag Tracking Can Be Misled by Replayed Bluetooth Signals

Help Net Security, Apr 17, 2026

Why It Matters

The flaw lets attackers mislead users about an item’s whereabouts, creating privacy and security risks for consumers and businesses that depend on Find My for asset tracking.

Key Takeaways

  • Researchers replayed AirTag BLE signals to spoof locations worldwide
  • Replay works up to seven days if encryption key unchanged
  • Cloud reports require current key; local BLE signals take precedence
  • Attack can cause location jumps when original and spoofed signals coexist
  • Find My design needs stronger verification to prevent relay spoofing

Pulse Analysis

Apple’s Find My ecosystem has become a cornerstone of consumer‑grade asset tracking, leveraging a massive crowd‑sourced network of iPhones, iPads and Macs to anonymously relay Bluetooth Low Energy (BLE) pings from AirTags. While the encrypted hand‑off protects user identities, it also assumes that any device reporting a signal is trustworthy, creating a blind spot that researchers have now exploited. By capturing raw BLE packets and replaying them elsewhere, the attack sidesteps Apple’s location‑verification logic, demonstrating that the network’s strength—its scale—can also be its Achilles’ heel.

The relay technique hinges on two technical nuances: first, the Find My protocol rotates encryption keys roughly every 24 hours, but a captured signal remains valid until the key changes or the AirTag’s battery is removed. Second, local BLE reports are given priority over cloud‑based updates when the owner’s device is nearby, allowing a spoofed signal to overwrite genuine location data. In practice, the researchers were able to project an AirTag’s presence across continents, with falsified positions persisting for up to a week. When both the original and replayed signals are active, the app flickers between the two, eroding user confidence in the system’s accuracy.

Beyond the immediate privacy implications—such as potential stalking or asset misdirection—the discovery underscores a broader lesson for IoT security: encryption alone does not guarantee data integrity. Apple may need to incorporate replay‑attack mitigations, like timestamped nonces or stronger key‑exchange validation, to restore trust in Find My. For enterprises that integrate AirTags into supply‑chain monitoring, the vulnerability signals a need for supplemental verification layers or alternative tracking solutions until Apple addresses the protocol weakness.
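One possible supplemental verification layer for teams that log tag positions, given here as an added example that is not from the article or the researchers: it flags physically implausible jumps between consecutive reports and tags that flip back and forth, the symptom described above when original and replayed signals coexist. The report tuple format, the 1,000 km/h ceiling and the sample rows are assumptions.

```python
import math
from datetime import datetime

# Constructed sample reports: (tag_id, UTC timestamp, lat, lon). Not real data.
SAMPLE_REPORTS = [
    ("tag-A", "2026-04-17T09:00:00", 48.8566, 2.3522),    # Paris
    ("tag-A", "2026-04-17T09:05:00", 48.8570, 2.3530),    # Paris, short walk
    ("tag-A", "2026-04-17T09:10:00", 40.7128, -74.0060),  # New York, 5 min later
    ("tag-A", "2026-04-17T09:15:00", 48.8572, 2.3531),    # Paris again
    ("tag-B", "2026-04-17T09:00:00", 52.5200, 13.4050),   # Berlin
    ("tag-B", "2026-04-17T15:00:00", 48.1351, 11.5820),   # Munich, 6 h later
]
MAX_SPEED_KMH = 1000.0  # assumed ceiling, roughly airliner cruise speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def find_implausible_jumps(reports, max_speed_kmh=MAX_SPEED_KMH):
    """Return (tag, from_ts, to_ts, km) for consecutive reports implying excess speed."""
    by_tag = {}
    for tag, ts, lat, lon in reports:
        by_tag.setdefault(tag, []).append((datetime.fromisoformat(ts), lat, lon))
    alerts = []
    for tag, rows in by_tag.items():
        rows.sort(key=lambda r: r[0])  # reports may arrive out of order
        for (t0, la0, lo0), (t1, la1, lo1) in zip(rows, rows[1:]):
            km = haversine_km(la0, lo0, la1, lo1)
            hours = (t1 - t0).total_seconds() / 3600
            # Identical timestamps: treat any separation over 1 km as implausible.
            speed = km / hours if hours > 0 else (math.inf if km > 1 else 0.0)
            if speed > max_speed_kmh:
                alerts.append((tag, t0.isoformat(), t1.isoformat(), round(km)))
    return alerts


def flapping_tags(alerts, min_jumps=2):
    """Tags with repeated jumps: the flicker seen when two signal sources coexist."""
    counts = {}
    for tag, *_ in alerts:
        counts[tag] = counts.get(tag, 0) + 1
    return sorted(t for t, n in counts.items() if n >= min_jumps)


if __name__ == "__main__":
    for alert in find_implausible_jumps(SAMPLE_REPORTS):
        print("implausible jump:", alert)
```

A single flagged jump can also be a legitimate flight or a bad GPS fix, so the flapping check is the stronger signal of two competing sources.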
