On Monday, Apple and Google formally announced the release of a new feature that alerts users on iOS and Android devices when a Bluetooth tracking device is being used to monitor them without their knowledge or consent.
“This will help mitigate the misuse of devices designed to help keep track of belongings,” the companies said in a joint statement, adding it aims to address “potential risks to user privacy and safety.”
The two companies first made the proposal for a cross-platform solution public exactly a year ago.
The feature, known as “Detecting Unwanted Location Trackers” (DULT), can be found on iOS devices with iOS 17.5, which was officially distributed yesterday, and Android devices running versions 6.0 and later.
According to the industry standard, Android users—regardless of the platform they are linked with—will get a “Tracker traveling with you” alert if an unknown Bluetooth tracking device is found to be traveling with them over time. The message “[Item] Found Moving With You” will appear to iOS users.
Users can then see the tracker’s identity, hear a sound to help locate it, and get instructions to disable it, regardless of their operating system.
“This cross-platform collaboration — also an industry first, involving community and industry input — offers instructions and best practices for manufacturers, should they choose to build unwanted tracking alert capabilities into their products,” the businesses stated.
The move is a reaction to allegations that bad actors are abusing trackers like AirTags for illicit or illegal purposes. Domestic abusers frequently use these devices as covert monitoring tools to pursue their victims.
AirTags have evolved into “one of the most dangerous and frightening technologies employed by stalkers,” according to a class-action lawsuit against Apple filed in October 2023. The lawsuit further said that AirTags can be used to obtain “real-time location information to track victims.”
Last year, a team of researchers from the University of California, San Diego and Johns Hopkins University developed a cryptographic scheme, built on a technique known as multi-dealer secret sharing (MDSS), that provides a better trade-off between user privacy and stalker identification.
“MDSS extends standard secret sharing to admit multiple dealers with multiple secrets while achieving new properties of unlinkability and multi-dealer correctness,” the academics said in a paper titled “Abuse-Resistant Location Tracking: Balancing Privacy and Safety in the Offline Finding Ecosystem.”
Apple Re-Backports CVE-2024-23296 Fix
The DULT news also comes after Apple decided to backport a patch for a security hole in the RTKit real-time operating system (CVE-2024-23296), which was announced in March 2024, to devices running previous iterations of iOS, iPadOS, and macOS.
The vulnerability has been actively exploited in the wild, although the technical details of these attacks are currently unknown. It allows an attacker with unrestricted kernel read and write capabilities to circumvent kernel memory protections.
Patches for the vulnerability are available in the following versions:
- iOS 16.7.8 and iPadOS 16.7.8 for iPad 5th generation, iPad Pro 9.7-inch, iPad Pro 12.9-inch 1st generation, iPhone 8, iPhone 8 Plus, and iPad X
- macOS Ventura 13.6.7 for Mac computers
Additionally, 15 security vulnerabilities have been fixed by Apple with the iOS 17.5 update. These vulnerabilities include ones in AppleAVD (CVE-2024-27804) and the kernel (CVE-2024-27818) that might be used to execute arbitrary code or cause unexpected program termination. The macOS Sonoma 14.5 release has fixed the same two bugs.