A Relay a Day Keeps the AirTag Away: Practical Relay Attacks on Apple's AirTags
Gabriel K. Gegenhuber, Leonid Liadveikin, Florian Holzbauer, Sebastian Strobl

TL;DR
This paper demonstrates practical relay attacks on Apple's AirTags. Because location reports are encrypted to preserve privacy, Apple cannot validate them, and the attack exploits this design weakness to inject false location reports or cause a targeted denial of service.
Contribution
The authors reveal a novel relay attack method on AirTags that can manipulate or deny location reports, exposing security weaknesses in the system's privacy design.
Findings
Relay attacks can inject false location reports
Attack can cause targeted denial of service
System's encryption prevents validation of reports
Abstract
Apple AirTags use Apple's Find My network: when nearby iDevices detect a lost tag, they anonymously forward an encrypted location report to Apple, which the tag's owner can then fetch to locate the item. That encryption protects privacy -- neither the finder nor Apple learns the owner's identity -- but it also prevents Apple from validating the correctness of received reports. We show that this design weakness can be exploited: using a relay attack, we can inject manipulated location reports so the Find My service reports a false position for a lost AirTag. The same technique can be used to deny recovery of a targeted tag (a focused DoS), since the owner is misled about its whereabouts.
