Apple later announced a planned update that would address some of these privacy concerns, but it seems like it might not be enough. This is according to security researcher Fabian Braunlein of Positive Security who published a blog post on how they created a cloned AirTag that essentially bypassed the security and privacy measures Apple has in place.
Based on the test that Braunlein carried out with the clone, it seems that it was able to track an iPhone user over the course of more than five days without triggering notifications to let the person know they were being tracked by an unknown AirTag. Braunlein believes that ultimately, the issue here lies with Apple’s Find My ecosystem and less with the AirTag itself.
According to the researcher, “They need to take into account the threats of custom-made, potentially malicious beacons that implement the Find My protocol, or AirTags with modified hardware. With a power bank and ESP32 being cheaper than an AirTag, this might be an additional motivation for some to build a clone instead themselves.”