PolarSPARC
How Does an Apple AirTag Work
Bhaskar S | 11/30/2022
Overview
An Apple AirTag is a small, white, puck-like device that pairs with an Apple iPhone and lets one track and/or find personal items, such as bags, keys, luggage or a wallet, using the Find My app on the iPhone.
The following illustration shows an Apple AirTag:
So, how does an Apple AirTag really work?
To get a better understanding of the inner workings, one should understand how any Bluetooth Low Energy (BLE) device works. Here is a quick start guide to Bluetooth Low Energy (BLE).
An AirTag is essentially a Bluetooth Low Energy (BLE) device that is powered by a CR2032 coin-cell battery.
At a high-level, the following is how an Apple AirTag integrates with the Apple ecosystem and works:
An AirTag is paired with an iPhone. During pairing the two devices generate and exchange cryptographic material, so that both sides can later derive the same sequence of keys
An AirTag then emits an undirected (broadcast) advertising packet every two seconds
Every Apple device (iPhone, iPad, Mac) has a built-in Bluetooth chip that plays a dual role, as Bluetooth Classic and as a BLE Central
Any Apple device (iPhone, iPad, Mac) in the vicinity of an AirTag can act as a BLE Central and scan for these advertising packets (think of it as crowd-sourcing; the finder need not belong to the AirTag owner)
On receiving an advertising packet from any AirTag, the finder device determines its own location coordinates (latitude and longitude), on an iPhone or iPad from its GPS chip. Note that an AirTag has no GPS of its own; because BLE range is short, the finder's location is a good proxy for the AirTag's
The finder then encrypts that location with the public key carried in the advertising packet and uploads the report (the advertised key data together with the encrypted location) to Apple iCloud
When the AirTag owner opens the Find My app on their iPhone, the app connects to iCloud, retrieves the reports that belong to its AirTag, decrypts them locally and displays the AirTag's location
Peek Inside
Let us now take a peek inside an AirTag. There are 3 layers of boards inside; one of them is a board with the antenna. We will only look at the other two boards, which carry the circuitry.
The following is the illustration of the first board inside an AirTag:
The section annotated in GREEN in Figure-2 above is the Transceiver Chip, which transmits and receives the radio signals over the air and operates in the 2.4 GHz band.
The section annotated in BLUE in Figure-2 above is the Nordic BLE Chip, which is responsible for handling the Bluetooth Low Energy (BLE) functionality.
The two chips together implement the layers of the BLE stack.
The AirTag-iPhone pairing process uses Elliptic Curve Cryptography (ECC) to generate a master key pair along with a shared secret associated with that AirTag. The private key and the shared secret are held by the AirTag and by the owner's own devices; they are not available to Apple.
Every two seconds, the AirTag broadcasts an advertising packet carrying the 2-byte Apple company identifier 0x004C along with a rolling public key derived from the pairing material. The public key changes periodically (the AirTag and the owner's iPhone derive the same sequence from the shared secret), so that a bystander who captures the broadcasts cannot link them to one tag over a long period.
When a crowd-sourced Apple device receives an advertising packet with the company identifier 0x004C and a public key, it determines its own location, encrypts that location with the advertised public key and uploads the report (the advertised key data together with the encrypted location) to Apple iCloud. Because the location is encrypted to the AirTag's current public key, the finder itself cannot read the report it uploaded, and it learns nothing about whose tag it saw.
When the AirTag owner opens the Find My app on their iPhone, the app regenerates the rolling public keys for the relevant time window from the pairing material, asks the Apple backend for the reports filed under those keys, and decrypts them locally with the matching private keys. Apple's servers only match reports to keys; they hold neither the private keys nor the plaintext locations, so the location data is end-to-end encrypted between the finder and the owner.
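The following is an added, self-contained model of the flow described in the Overview steps and in the four paragraphs above: pairing, key rolling, a finder encrypting its location to the advertised public key, and the owner decrypting the report. It is example code written for this page, not Apple's implementation or code from the original article. The specific choices are assumptions: the P-224 curve, the d_i = (d0*u_i + v_i) mod n derivation and the "update"/"diversify" KDF labels follow the published reverse engineering of the Find My protocol in simplified form; SHA-256 of the advertised key as the lookup index, AES-256-GCM for the report, a plain string as the location payload, and an explicit Roll() call standing in for the rotation timer are this example's own simplifications.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)
// ASSUMPTION: P-224, the curve reported by public reverse engineering of Find My.
var curve = elliptic.P224()
// PairingSecret is held by the AirTag and the owner's iPhone only: master scalar d0 plus a rolling secret.
type PairingSecret struct{ D0 *big.Int; SK []byte }
// Pair models the key generation of the pairing step (the BLE exchange itself is omitted).
func Pair() *PairingSecret {
	d0, _, _, err := elliptic.GenerateKey(curve, rand.Reader)
	sk := make([]byte, 32)
	if _, e := rand.Read(sk); err != nil || e != nil {
		panic("system entropy unavailable")
	}
	return &PairingSecret{D0: new(big.Int).SetBytes(d0), SK: sk}
}
// kdf is an X9.63-style counter KDF: SHA-256(secret || counter || info), repeated until n bytes.
func kdf(secret, info []byte, n int) []byte {
	var out []byte
	for ctr := uint32(1); len(out) < n; ctr++ {
		msg := append(append([]byte{}, secret...), byte(ctr>>24), byte(ctr>>16), byte(ctr>>8), byte(ctr))
		sum := sha256.Sum256(append(msg, info...))
		out = append(out, sum[:]...)
	}
	return out[:n]
}
// Roll advances to the next key period; the AirTag and the owner do this on the same schedule.
func (p *PairingSecret) Roll() { p.SK = kdf(p.SK, []byte("update"), 32) }
// RollingKey derives the period's key pair d_i = (d0*u_i + v_i) mod n, p_i = d_i*G; p_i reveals nothing about p_{i+1}.
func (p *PairingSecret) RollingKey() (*big.Int, []byte) {
	n := curve.Params().N
	nm1 := new(big.Int).Sub(n, big.NewInt(1))
	scalar := func(b []byte) *big.Int { // reduce into [1, n-1] so the scalar is never zero
		s := new(big.Int).SetBytes(b)
		return s.Mod(s, nm1).Add(s, big.NewInt(1))
	}
	uv := kdf(p.SK, []byte("diversify"), 72)
	u, v := scalar(uv[:36]), scalar(uv[36:])
	d := new(big.Int).Mod(new(big.Int).Add(new(big.Int).Mul(p.D0, u), v), n)
	x, y := curve.ScalarBaseMult(d.Bytes())
	return d, elliptic.Marshal(curve, x, y)
}
// Report is what a finder uploads: lookup index (ASSUMPTION: SHA-256 of the advertised key), one-time key, ciphertext.
type Report struct{ KeyHash [32]byte; Ephemeral, Ciphertext []byte }
// aead derives the per-report AES-256-GCM key and nonce from the ECDH shared x-coordinate.
func aead(sharedX *big.Int, ephemeral []byte) (cipher.AEAD, []byte) {
	km := kdf(sharedX.FillBytes(make([]byte, 28)), ephemeral, 44) // 32-byte key || 12-byte nonce
	block, _ := aes.NewCipher(km[:32])
	gcm, _ := cipher.NewGCM(block)
	return gcm, km[32:]
}
// EncryptLocation is the finder side: it holds only the advertised public key, so it can never read what it uploads.
func EncryptLocation(advPub []byte, location string) (Report, error) {
	px, py := elliptic.Unmarshal(curve, advPub) // nil for malformed or off-curve keys
	if px == nil {
		return Report{}, errors.New("advertised key is not a valid curve point")
	}
	e, ex, ey, err := elliptic.GenerateKey(curve, rand.Reader)
	if err != nil {
		return Report{}, err
	}
	eph := elliptic.Marshal(curve, ex, ey)
	sx, _ := curve.ScalarMult(px, py, e)
	gcm, nonce := aead(sx, eph)
	ct := gcm.Seal(nil, nonce, []byte(location), advPub) // advertised key bound as AAD
	return Report{sha256.Sum256(advPub), eph, ct}, nil
}
// DecryptReport is the owner side: only the period's private scalar d recovers the ECDH secret; Apple's servers cannot.
func DecryptReport(r Report, d *big.Int, pub []byte) (string, error) {
	if sha256.Sum256(pub) != r.KeyHash {
		return "", errors.New("report was filed under a different rolling key")
	}
	ex, ey := elliptic.Unmarshal(curve, r.Ephemeral)
	if ex == nil {
		return "", errors.New("invalid ephemeral key in report")
	}
	sx, _ := curve.ScalarMult(ex, ey, d.Bytes())
	gcm, nonce := aead(sx, r.Ephemeral)
	plain, err := gcm.Open(nil, nonce, r.Ciphertext, pub) // authentication fails if tampered
	return string(plain), err
}
func main() {
	owner := Pair()
	tag := &PairingSecret{D0: owner.D0, SK: append([]byte(nil), owner.SK...)} // the AirTag's copy
	tag.Roll(); owner.Roll()                                                   // one key period later
	_, adv := tag.RollingKey()                                                 // what the AirTag broadcasts
	rep, _ := EncryptLocation(adv, "37.3318,-122.0312")                        // constructed finder location
	d, pub := owner.RollingKey()
	fmt.Println(DecryptReport(rep, d, pub))
}
```

Two properties worth noticing when running it: the finder never sees d0 or the rolling secret, only the public point from the advertisement, and the "server" in this model is reduced to matching KeyHash, which is all it needs to route a report to its owner. Both sides validate the curve points they receive before use; feeding a malformed key to EncryptLocation or a malformed ephemeral key to DecryptReport returns an error instead of panicking, and any modification of the ciphertext is caught by the GCM tag.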
Moving on, the following is the illustration of the second board inside an AirTag:
The section annotated in GREEN in Figure-3 above is the Speaker Coil, which is used to make a ping sound when requested by the AirTag owner.
The section annotated in RED in Figure-3 above is the Accelerometer Chip, which detects whether the AirTag is moving. This is probably used to optimize how often the AirTag broadcasts when it has not moved.