Are there more details on this attack? This part is failing the sniff test for me:

> The attacker cannot manipulate the content of the location report, but he can specify the hash that is used to store the location report in the Apple network, cleverly encode the bits and bytes he wishes to transmit within the hash, and retrieve it. By retrieving the location reports, he can find out what data his keylogger has sent. Since the retrieval is effected via the Internet, the attacker can be in any location at the time.

How is the keylogger downloading this information from the AirTag network? Wouldn’t you need to authenticate with Apple APIs to retrieve information? This would be required because even though it can send data, a keylogger would need to know what’s been sent to confirm the receiver has everything in the right order since the location data is capturing state in a lossy manner…

The location report is signed with a public key advertised by the "lost" device.

To retrieve the device's location and to prevent Apple from knowing who lost the device, all signed-in users can download any location report for a given public key.

This is explained better here: https://github.com/seemoo-lab/openhaystack