
UPDATE: The Surveillance State: The Nefarious Use of Bluetooth Tracking Devices

[Image. Source: New York Times]

the staff of the Ridgewood blog

Ridgewood NJ, a swimsuit model says she was stalked by a stranger who slipped an Apple AirTag tracker into her coat pocket before following her for five hours.

Brooks Nader, 26, claims the disturbing incident occurred Wednesday night while she was out in New York City, and she only realized it when her iPhone alerted her to the fact that an “unknown accessory” was moving with her.

It is inevitable that items—such as keys, wallets, purses, and bags—may be lost or misplaced. To help prevent this, users can attach tracking devices to everyday items and connect them to a smart device via Bluetooth. Then, if items are lost or misplaced, users can use an app to search for them and determine their location with impressive accuracy. If the tracking devices are within Bluetooth range, the app can easily trigger an audible alert to help locate them. If the tracking devices are not within range, the app leverages nearby smart devices to transmit their location and send alert notifications to the owner and/or finder. There are multiple Bluetooth tracking devices to choose from, such as Apple AirTags and Tile tracker tags. Although their use can be a positive, legitimate, and convenient way to keep track of items, tracking devices have the potential for intentional misuse and abuse. We explore how perpetrators may use these tracking devices for nefarious purposes—committing malicious cyber activity, impacting personal safety, and enabling auto theft.

[Image. Source: Medium @bobbyrsec]

In the event tracking devices are lost and cannot be located using the app, owners of Apple’s AirTag can enable “Lost Mode,” which creates a unique webpage and displays a custom message and contact details for finders when the tracking device is scanned using near-field communication (NFC). This feature is helpful to reunite the tracking device with its owner; however, it can also be used maliciously, similar to USB drop attacks, in which threat actors hope “Good Samaritans” will find and connect malicious USB devices to targeted systems. Threat actors can create weaponized tracking devices and leave them around for “Good Samaritans” who try to reunite owners with their devices. They can plant the tracking device and enable “Lost Mode” to display the purported contact information on the unique webpage, which does not require authentication. A vulnerability was discovered in which the phone number field could be injected with arbitrary code to direct unsuspecting finders to a fraudulent Apple iCloud login page, where the credentials they enter are sent to the threat actors in the background.
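The injection described above comes down to owner-supplied contact text reaching a public page without validation or output encoding. The following is an added example, not code from Apple, the NJCCIC, or this blog: a constructed Python illustration of a found-item page renderer that places the unsafe pattern next to an allow-list check with HTML encoding. All function names and sample inputs are hypothetical.

```python
import html
import re

# Constructed sample inputs (not taken from any real device or report).
GOOD_PHONE = "+1 (201) 555-0123"
INJECTED_PHONE = '<script>location="https://login.example.invalid/"</script>'

# Allow-list: strip common separators, then require an optional "+" and 7-15 digits.
_SEPARATORS = re.compile(r"[\s().-]", re.ASCII)
_PHONE = re.compile(r"\+?\d{7,15}", re.ASCII)


def normalize_phone(raw):
    """Return digits with optional leading '+', or None if not a phone number."""
    if not isinstance(raw, str) or len(raw) > 32:
        return None
    candidate = _SEPARATORS.sub("", raw.strip())
    return candidate if _PHONE.fullmatch(candidate) else None


def render_unsafe(phone):
    """Vulnerable pattern: owner-supplied text is concatenated into markup."""
    return f"<p>Call the owner: {phone}</p>"


def render_safe(phone, message):
    """Validate the phone field on input and HTML-encode everything on output."""
    number = normalize_phone(phone)
    if number is None:
        contact = "<p>No valid contact number was provided.</p>"
    else:
        shown = html.escape(number, quote=True)
        contact = f'<p>Call the owner: <a href="tel:{shown}">{shown}</a></p>'
    # The free-text message is never trusted; it is always encoded.
    return contact + f"<p>{html.escape(message)}</p>"


if __name__ == "__main__":
    print(render_unsafe(INJECTED_PHONE))  # markup would reach the finder's browser
    print(render_safe(INJECTED_PHONE, "Please call me"))
    print(render_safe(GOOD_PHONE, "Reward <if> found"))
```

Validation and encoding are applied together on purpose: the allow-list rejects anything that is not a phone number, and the encoding still protects the page if a validation rule is later loosened.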

The NJCCIC recommends exercising caution when using Bluetooth tracking apps to scan for a nearby tracking device or unknown device. If you receive an alert notification, hear an audible sound, or find an unexpected tracking device, report the suspicious activity to local law enforcement.

Strangers or known abusers may use tracking devices to target and stalk victims and monitor their locations. The nefarious use of tracking devices may impact personal safety, including tracking, stalking, harassment, abuse, domestic violence, robbery, and sex trafficking. For example, a woman drove away from a bar and started to receive alert notifications that “AirTag Found Moving With You: The location of this AirTag can be seen by the owner.” She did not drive home since she was concerned that she was being followed. She could not find a tracking device until the next morning. Another example involved a woman flying from Texas to Boston and receiving an alert notification that an unknown accessory was traveling with her. She eventually found the tracking device taped inside her bag. Before her flight, she was shopping, and the bag was located near a sliding window in her truck where it could have been planted. In another incident, a tracking device was placed in a woman’s vehicle while she was helping with a friend’s move. Once she received alert notifications on her phone, she proceeded to return to her vehicle to locate the tracking device and saw two men fleeing her vehicle.

Tracking devices, such as Apple’s AirTag, have a fixed serial number physically printed on them and readable by Bluetooth without alerting the owner (or perpetrator). Victims can work with law enforcement before touching or disabling the tracking device (per the manufacturer’s instructions) to prevent it from reporting their location. Additionally, law enforcement can work with the manufacturer per court order to identify the owner/registrant of the tracking device.

The NJCCIC recommends users consider their risk profile, create a safety plan, and be aware of their surroundings. To help protect yourself from being tracked without your knowledge, you can search for places where a tracking device may have been slipped or hidden. If you suspect someone is tracking you, narrow down items you have with you during those times and any encounters to identify if a tracking device may be on you, in your pockets, belongings, car, bike, home, etc. Regularly inspect belongings, including bags, purses, and luggage. If you have mail or packages sent to a PO box or mailbox, inspect them before returning home. Additionally, exercise caution when using Bluetooth tracking apps to scan for a nearby tracking device or unknown device. If you receive an alert notification, hear an audible sound, or find an unexpected tracking device, report the suspicious activity to local law enforcement, especially if you believe your safety is at risk.

Thieves are targeting and placing tracking devices on high-end vehicles in public places, such as shopping centers and parking lots. There are many places on a car where a tracking device can be slipped in or hidden, such as bumpers, wheel wells, gas cap canister areas, trailer hitches, behind license plates, underneath the vehicle, and other hard-to-view places. Thieves can then track the targeted vehicles to the victim’s residence and steal them later from the driveway. They use screwdrivers and other tools to enter the vehicle. Once inside, they connect an electronic device to the onboard diagnostics port to program the vehicle to accept a key they brought in order to start the vehicle and drive away. Attempts and successful cases were already reported in Michigan, Texas, Iowa, and Canada, with the trend becoming more frequent.

The NJCCIC recommends securing vehicles, storing them in garages when possible, implementing steering wheel locks, installing locks on data ports located underneath the dashboard, inspecting for tracking devices, and other measures to deter malicious tracking activity and auto theft.

 

NJCCIC New Jersey Cybersecurity and Communications Integration Cell

cyber.nj.gov

The New Jersey Cybersecurity and Communications Integration Cell, also known as the New Jersey Office of Homeland Security and Preparedness’ Division of Cybersecurity, is the first American state-level information sharing and analysis organization in the United States that exchanges cyber threat intelligence and conducts incident response for governments, businesses, and citizens in New Jersey.

 
