BLE Tracker Stalking: Real Cases and the Response

How BLE Trackers Work

BLE trackers like Apple AirTags, Samsung SmartTags, and Tile trackers are small devices that broadcast Bluetooth Low Energy signals at regular intervals. These signals are picked up by nearby smartphones, which relay the tracker's location to a cloud service. The tracker owner can then check the cloud service to see where the tracker was last detected.

The key innovation is the use of crowdsourced location reporting. A single tracker does not have GPS or cellular connectivity. Instead, it relies on the billions of smartphones already in people's pockets to act as relay nodes. When any compatible smartphone passes near a tracker, it picks up the BLE signal, attaches its own GPS coordinates, and uploads the sighting to the cloud.

This architecture makes BLE trackers remarkably effective. An AirTag in a busy city will be "seen" by dozens of iPhones per hour, providing nearly continuous location tracking. Even in rural areas, a single passing iPhone is enough to report the tracker's location.

The Find My Network

Apple's Find My network is the largest crowdsourced location network in the world. It consists of approximately 1 billion active Apple devices - iPhones, iPads, Macs, and Apple Watches - each acting as a passive relay for Find My-compatible trackers.

graph TD
    subgraph "Find My Network Architecture"
        A[AirTag Broadcasts BLE Signal] --> B[Nearby iPhone Detects Signal]
        B --> C[iPhone Attaches GPS Location]
        C --> D[Encrypted Location Uploaded to Apple]
        D --> E[AirTag Owner Queries Apple]
        E --> F[Location Displayed on Find My App]
    end
    subgraph "Scale"
        G[1 Billion Active Apple Devices]
        H[Global Coverage in Urban Areas]
        I[Updates Every Few Minutes in Cities]
    end

Find My network architecture - a billion Apple devices act as anonymous relay nodes

The protocol uses end-to-end encryption. The AirTag broadcasts a rotating public key. The detecting iPhone encrypts the location data with this public key and uploads the encrypted report to Apple. Only the AirTag's owner (who has the corresponding private key) can decrypt the location reports. Apple cannot read the location data, and the detecting iPhone does not know whose tracker it detected.

This privacy architecture is technically sophisticated, but it creates a dual-use problem. The same network that helps you find lost keys can also be used to track a person without their knowledge or consent.

Documented Stalking Cases

Since AirTags launched in April 2021, law enforcement agencies worldwide have documented cases of AirTag-enabled stalking. The scenarios follow consistent patterns.

Vehicle tracking is the most common use case. Stalkers place AirTags in the wheel well, under the bumper, or inside the trunk of a victim's car. The tracker reports the vehicle's location continuously as it passes other iPhones on the road. Multiple arrests have been made in the United States, Canada, and Europe for this type of tracking.

Ex-partner stalking represents another documented pattern. After a breakup, one partner plants an AirTag in the other's bag, coat, or car. The victim may not discover the tracker for days or weeks, during which time their movements are fully logged.

In one widely reported 2022 case, a woman in Indiana discovered an AirTag attached to the underside of her car after receiving an alert on her iPhone. The tracker had been placed by someone she had previously rejected romantically. Police traced the AirTag to its registered owner and made an arrest.

graph TD
    subgraph "Common Stalking Scenarios"
        A[Vehicle Tracking] --> B[AirTag Hidden in Wheel Well]
        C[Personal Item Tracking] --> D[AirTag Placed in Bag or Coat]
        E[Home Location Discovery] --> F[Track Vehicle to Home Address]
    end
    subgraph "Detection Timeline Problems"
        G[iOS Alert: 8-24 Hours Delay]
        H[Android Alert: Requires Tracker Detect App]
        I[No Alert: Non-Smartphone Users]
        J[Modified Trackers: Speaker Disabled]
    end

Common AirTag stalking scenarios and the gaps in current detection systems

Anti-Stalking Measures

Apple has implemented several anti-stalking features since AirTags launched, iterating on them in response to criticism and documented abuse cases.

iOS alerts notify iPhone users when an unknown AirTag has been traveling with them. Initially, these alerts took up to three days to trigger. Apple reduced the threshold to between 8 and 24 hours, and later introduced more proactive notifications. The alert reads "AirTag Found Moving With You" and provides options to play a sound on the tracker, see its location on a map, and get instructions for disabling it.

The AirTag itself emits an audible chirp after being separated from its registered owner for a period (initially 72 hours, later reduced to 8-24 hours). The sound is intended to alert nearby people - including the stalking victim - to the presence of an unrecognized tracker.

Precision Finding (on iPhones with Ultra-Wideband support) allows users to locate a nearby unknown AirTag with directional guidance, making it easier to find a hidden tracker.

The Android Detection Gap

The most significant gap in AirTag anti-stalking measures is the Android ecosystem. iPhones receive automatic alerts about unknown AirTags. Android users do not - at least not through the same built-in system.

Apple released a "Tracker Detect" app for Android in December 2021, but it requires manual scanning. Unlike the automatic iPhone alerts, Android users must open the app and initiate a scan to check for nearby unknown trackers. Most Android users are unaware the app exists.

Google and Apple jointly announced a cross-platform tracker detection standard in May 2023, with Android integration rolling out in 2024. This standard provides automatic alerts on Android when an unknown Bluetooth tracker is detected traveling with the user. Samsung, Tile, and other tracker manufacturers have committed to supporting the standard.

However, the rollout has been gradual, and coverage depends on Android version and manufacturer support. Users running older Android versions may not receive updates that include tracker detection. The gap between iPhone and Android detection capabilities has narrowed but not fully closed.

Tracker Modifications

Documented cases and security research have shown that AirTags can be modified to reduce or eliminate the anti-stalking safeguards. The most common modification is disabling the speaker - removing or disconnecting the small piezoelectric speaker that produces the audible chirp. A modified AirTag without a speaker will never alert a victim through sound, and the physical modification is straightforward.

Researchers have also demonstrated that AirTag firmware can be modified to change the rotation schedule of the BLE advertising address, potentially evading detection algorithms that rely on tracking consistent identifiers over time. These modified trackers are harder for Apple's anti-stalking system to detect because they do not exhibit the expected BLE behavior.

Third-party tracker clones have appeared that are compatible with the Find My network but do not include any anti-stalking measures. These devices broadcast Find My-compatible BLE signals and are tracked through Apple's network, but they do not emit sounds and are not flagged by Apple's detection system.

Detecting Trackers With the BLEShark Nano

The BLEShark Nano's BLE scanning capability can detect AirTags, SmartTags, Tile trackers, and other BLE-broadcasting devices in your vicinity. Unlike phone-based detection that relies on specific apps or platform support, the Nano performs raw BLE scanning that identifies all BLE advertisements in range.

This is particularly useful in several scenarios. Physical security sweeps of vehicles or spaces can use the Nano to identify any BLE trackers present, regardless of whether they are Apple, Samsung, Tile, or an unbranded clone. The Nano does not rely on Apple's detection algorithms and is not limited by platform-specific restrictions.

For personal safety, the Nano provides an independent verification tool. If you suspect you are being tracked but your phone has not generated an alert (particularly relevant for Android users), the Nano can scan for BLE devices that are consistently present near you.
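The "consistently present near you" check described above can be sketched as follows. This is an added example, not BLEShark Nano firmware or Apple's detection algorithm. The scan-log format, the thresholds, the sample addresses and the `0x12` Find My type byte (taken from public research on the advertisement format) are assumptions.

```python
from collections import defaultdict

APPLE_COMPANY_ID = 0x004C  # Bluetooth SIG company identifier assigned to Apple
FIND_MY_TYPE = 0x12        # assumption: offline-finding type byte from public research

FM = "4c001219" + "00" * 25  # constructed Find My-style manufacturer data
OTHER = "ffff0102"           # constructed data under the 0xFFFF test company ID

# Constructed scan log: (unix seconds, advertiser address, place, manufacturer data hex)
SIGHTINGS = [
    (0,    "AA:00:00:00:00:01", "home",   FM),
    (3600, "AA:00:00:00:00:01", "office", FM),
    (7200, "AA:00:00:00:00:01", "gym",    FM),
    (3600, "BB:00:00:00:00:02", "office", OTHER),  # bystander device, one place only
    (3700, "BB:00:00:00:00:02", "office", OTHER),
    (0,    "CC:00:00:00:00:03", "home",   OTHER),  # the user's own earbuds
    (7200, "CC:00:00:00:00:03", "gym",    OTHER),
    (0,    "DD:00:00:00:00:04", "home",   FM),     # address differs between places,
    (3600, "DD:00:00:00:00:05", "office", FM),     # so per-address matching misses it
]

def classify(mfg_hex):
    """Label manufacturer data: 2-byte little-endian company ID, then payload."""
    data = bytes.fromhex(mfg_hex)
    is_apple = len(data) >= 3 and int.from_bytes(data[:2], "little") == APPLE_COMPANY_ID
    return "find-my" if is_apple and data[2] == FIND_MY_TYPE else "other"

def persistent_devices(sightings, known=(), min_span_s=1800, min_places=2):
    """Return {address: kind} for unknown advertisers that stayed with the scanner.

    An address is flagged when it was seen at min_places or more distinct places
    over at least min_span_s seconds; addresses listed in `known` are skipped.
    """
    times, places, kinds = defaultdict(list), defaultdict(set), {}
    for ts, addr, place, mfg in sightings:
        if addr in known:
            continue
        times[addr].append(ts)
        places[addr].add(place)
        kinds[addr] = classify(mfg)
    return {a: kinds[a] for a in times
            if max(times[a]) - min(times[a]) >= min_span_s
            and len(places[a]) >= min_places}

if __name__ == "__main__":
    print(persistent_devices(SIGHTINGS, known={"CC:00:00:00:00:03"}))
```

Without the `known` allowlist the user's own earbuds are flagged too, which is why a sweep should start by recording the devices you carry.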

The Ongoing Challenge

BLE tracker stalking represents a fundamental tension in product design. The same properties that make trackers useful for finding lost items - small size, long battery life, silent operation, and crowdsourced global coverage - make them effective stalking tools.

The industry is slowly converging on anti-stalking standards, but technical countermeasures face inherent limitations. Alerts that trigger after 8 hours still give a stalker 8 hours of undetected tracking. Speaker-based alerts can be defeated by physical modification. Detection algorithms can be evaded by firmware changes. And any tracker that works on the Find My network inherits the network's global reach.

The most effective countermeasure remains awareness: knowing that small, inexpensive BLE trackers exist, understanding how they work, and periodically checking for unknown devices - either through phone-based tools or dedicated BLE scanners like the BLEShark Nano.
