Clarification on the threat model of location-trackers

[bdetwiler]

From Eric Rescorla [ekr@rtfm.com](mailto:ekr@rtfm.com), Thu, 04 May 2023 00:05 UTC via unwanted-trackers-request@ietf.org

“First, I think it's important to be clear on the threat model here. The threat from "finder" type location trackers like Tiles or AirTags comes from the interaction of a number of features, specifically:

1. They are compact (thus easy to hide)
2. They are cheap (thus easy to obtain)
3. They take advantage of a preexisting infrastructure intended for another purpose (the finder network)
4. They have long battery lifetimes (and thus are suitable for long-term surveillance)

To contextualize this, consider the counter example of a GPS tracker like a Garmin inReach, which takes a GPS location and broadcasts it to a satellite. These cost about $300, have battery life measured in days, and are several centimeters across, so are hard to conceal. This is much less useful for both covert surveillance and for finding ones own items. So, the objective of this work should be to the extent possible to prevent attacks which are cheaper than buying your own GPS tracker.”

[tfpauly]

It sounds like these are all good nuances to add to the applicability section. Currently that only talks about what makes something "easily discoverable"

Accessories are considered easily discoverable if they meet one of the following criteria:

• The item is larger than 30 cm in at least one dimension.
• The item is larger than 18 cm x 13 cm in two of its dimensions.
• The item is larger than 250 cm3 in three-dimensional space.

It sounds like the cost/availability, battery life, and connectedness model are all dimensions that would be good to add.

[bledvina]

This page links to a threat model presented at the first DULT BoF meeting: https://datatracker.ietf.org/doc/slides-117-dult-detecting-unwanted-location-trackers-rev-e/

[bledvina]

Tagging this with DULT WG label, as this work will continue in that forum.