Security News > 2021 > May > Apple AirTag hacked again – free internet with no mobile data plan!
The owner of the AirTag that called home can decrypt the location in the Find My message, but has no idea which relay device passed the message on.
Bräunlein's hope was that, by keeping the hidden message short and broadcasting the same Bluetooth "Public keys" over and over again, a complete copy of every data packet carrying the hidden data would eventually make it to Apple.
Intriguingly, the location data that the relaying device encrypts into the actual Find My message is completely irrelevant to Bräunlein's system. In fact, it is useless for his purpose: the intermediate relay device injects it, so he has no control over what it will be.
In the end, it's simply the list of Find My message "Public keys" that arrives at Apple that tells the recipient what hidden data got sent.
If you send a fake "Public key" that consists of the bytes THE DATA IS 42, then in order to recover that message, surely I would need to know the text THE DATA IS 42 in advance, in order to calculate the hash I'd need to see the message had been delivered?
The counter field in each "Public key" message means that the bits can be stitched back together in the right order no matter when they arrive, and also that partial data can be reconstructed even if some of the bits never make it through.
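As an added illustration (this is not Bräunlein's code, Apple's protocol, or anything from the original article), the following Python simulates the scheme sketched in the passages above end to end: one bit of hidden data per fake "Public key", a counter field so the bits can be reordered, repeated broadcasts to survive lossy relays, and a receiver that recovers the message from nothing but the set of key hashes that reached the back end. The 28-byte key layout, the use of SHA-256 as the report-lookup hash, the message id 0x1234, the back-end stand-in and the drop rates are all assumptions made for this example; the real Send My key format is not reproduced here. What it shows about the question raised above is that the receiver does not need to know the text in advance: for each counter value there are only two candidate keys (bit 0 or bit 1), so it hashes both and asks which one has a report.

```python
import hashlib
import random
from typing import Optional

# Constructed toy key layout (an assumption for this example, NOT the real
# Send My format): 28 bytes, of which only the first 7 carry information.
#   bytes 0-1  marker "SM"
#   bytes 2-3  message id
#   bytes 4-5  counter (bit index within the message)
#   byte  6    the data bit itself (0 or 1)
KEY_LEN = 28


def make_key(message_id: int, index: int, bit: int) -> bytes:
    """Build the fake 'public key' that carries exactly one bit of hidden data."""
    if bit not in (0, 1):
        raise ValueError("one bit per key")
    body = b"SM" + message_id.to_bytes(2, "big") + index.to_bytes(2, "big") + bytes([bit])
    return body.ljust(KEY_LEN, b"\x00")


def key_hash(key: bytes) -> bytes:
    """Assumed lookup hash: reports are filed under a hash of the key, never the key."""
    return hashlib.sha256(key).digest()


def bits_of(data: bytes) -> list:
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def encode_message(message_id: int, data: bytes) -> list:
    """Sender side: one key per bit, the counter field is the bit position."""
    return [make_key(message_id, i, b) for i, b in enumerate(bits_of(data))]


class FakeFindMyBackend:
    """Stand-in for Apple's servers: only hashes of keys some relay uploaded exist."""

    def __init__(self) -> None:
        self.reports = set()

    def upload(self, key: bytes) -> None:
        self.reports.add(key_hash(key))

    def has_report(self, h: bytes) -> bool:
        return h in self.reports


def relay_broadcasts(backend, keys, rounds: int, drop_rate: float, rng) -> None:
    """Each broadcast is independently lost with probability drop_rate; the
    sender repeats the whole key list `rounds` times to push losses down."""
    for _ in range(rounds):
        for key in keys:
            if rng.random() >= drop_rate:
                backend.upload(key)


def decode_message(backend, message_id: int, n_bits: int) -> list:
    """Receiver side: for each counter value only two keys are possible, so hash
    both candidates and ask the back end which one has a report. None marks a
    bit that never arrived (or, defensively, one where both candidates showed up)."""
    bits = []
    for index in range(n_bits):
        seen = [backend.has_report(key_hash(make_key(message_id, index, b))) for b in (0, 1)]
        if seen == [True, False]:
            bits.append(0)
        elif seen == [False, True]:
            bits.append(1)
        else:
            bits.append(None)
    return bits


def bits_to_text(bits) -> str:
    """Partial reconstruction: any byte with an unknown bit is rendered as '?'."""
    out = []
    for i in range(0, len(bits) - len(bits) % 8, 8):
        chunk = bits[i:i + 8]
        out.append("?" if None in chunk else chr(int("".join(map(str, chunk)), 2)))
    return "".join(out)


def run_demo(message: bytes = b"THE DATA IS 42", rounds: int = 1,
             drop_rate: float = 0.0, seed: int = 1):
    """Returns (decoded text, recovered bits, original bits) for one simulated run.
    The message id 0x1234 and the seeded RNG are assumptions for reproducibility."""
    rng = random.Random(seed)
    backend = FakeFindMyBackend()
    keys = encode_message(0x1234, message)
    relay_broadcasts(backend, keys, rounds, drop_rate, rng)
    recovered = decode_message(backend, 0x1234, len(keys))
    return bits_to_text(recovered), recovered, bits_of(message)


if __name__ == "__main__":
    for rounds, drop in ((1, 0.0), (1, 0.5), (4, 0.5)):
        text, rec, _ = run_demo(rounds=rounds, drop_rate=drop)
        lost = sum(b is None for b in rec)
        print(f"rounds={rounds} drop={drop}: {lost} bits lost -> {text!r}")
```

Two things worth noticing when you run it. First, a recovered bit is never wrong: only the key for the true bit value was ever broadcast, so the wrong candidate can never acquire a report, and losses show up as gaps (`?`) rather than corrupted characters. Second, because the random draws for the first round are identical whichever `rounds` value you pass with the same seed, the four-round run can only fill in gaps the single-round run left, which is the repetition effect the passage describes.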