Apple and Google Launch Cross-Platform Feature to Detect Unwanted Bluetooth Tracking Devices

May 14, 2024WritingLocation Tracking / Privacy

Apple and Google on Monday officially announced the rollout of a new feature that notifies users on iOS and Android if a Bluetooth tracking device is being used to surreptitiously monitor them without their knowledge or consent.

“This will help mitigate the misuse of devices designed to help keep track of assets,” the companies said in a joint statement, adding that the goal was to address “potential privacy and security risks users”.

The proposed cross-platform solution was initially unveiled exactly a year ago by the two tech giants.

The feature – dubbed “Unwanted Location Tracker Detection” (DULT) – is available on Android devices running versions 6.0 and later, as well as iOS devices with iOS 17.5, which officially shipped yesterday.

As part of the industry specification, Android users will receive a “Tracker traveling with you” alert if an unidentified Bluetooth tracking device is detected as moving with them over time, regardless of platform. form with which it is associated. On iOS, users will receive a “(Object) found moving with you” message.

Regardless of operating system, users then have the ability to view the tracker’s ID, play a sound to help locate it, and access instructions for deactivating it.

“This cross-platform collaboration – also an industry first, involving community and industry input – provides guidance and best practices for manufacturers, should they choose to integrate unwanted tracking alert capabilities in their products,” the companies said.

This development follows reports that trackers like AirTags are being used by bad actors for malicious or criminal purposes, often used as a nefarious tracking tool by domestic attackers to stalk their targets.

A class action lawsuit filed against Apple in October 2023 alleged that AirTags had become “one of the most dangerous and frightening technologies used by stalkers” and that they could be used to determine “real-time location information to follow the victims.

Last year, a group of researchers from Johns Hopkins University and the University of California, San Diego, designed a cryptographic system that offers a better compromise between user privacy and stalker detection through a mechanism called sharding. multi-dealer secrets (MDSS).

“MDSS extends standard secret sharing to admit multiple sellers with multiple secrets while achieving new properties of non-binding and multi-dealer correctness,” the academics said in a paper titled “Abuse-Resistant Location Tracking: balancing privacy and security in the offline search ecosystem.”

Apple backports patch for CVE-2024-23296

The DULT announcement also follows Apple’s decision to backport a patch released in March 2024 for a security flaw in the RTKit real-time operating system (CVE-2024-23296) to devices running older versions of iOS, iPadOS and macOS.

The vulnerability, which allows an attacker with arbitrary kernel read and write capabilities to bypass kernel memory protections, is being actively exploited, although technical details on the nature of these attacks are currently unknown .

Fixes to address this deficiency are available in the following releases:

Apple’s iOS 17.5 update also fixes a total of 15 security vulnerabilities, including flaws in AppleAVD (CVE-2024-27804) and in the kernel (CVE-2024-27818) that could be exploited to cause the Unexpected termination of an application or execution of arbitrary code. The same two flaws have been fixed in macOS Sonoma 14.5.