Awesome work! I can recommend people interested in the iOS/Apple ecosystem to check out the Secure Mobile Networking Lab of TU Darmstadt in general. They do a lot of cool stuff in the space, a good starting point might be https://owlink.org.
As a side note: I wonder what the story is on the whole AirTag hardware project. It's becoming so "delayed" that reverse engineered implementations are here before.
This isn't a reverse engineering of AirTags - this Find My service has been available for Apple devices via the same Bluetooth mechanism (iPhones and MacBooks) for a couple of years now.
If you are within BLE range you can "track" someone, but that is already the case with wifi/bluetooth in general.
Even knowing the public key, you can download the encrypted reports from Apple, but since you don't have the private key you can't decrypt the location messages.
That's why devices that aren't intended to be beacons are supposed to enable address randomization. It still has some security issues and undirected advertising of unique public keys obviously defeats the point, but it's more difficult to track than classic devices were.
Not really, but perhaps someone could make one based on a cheap Nordic NRF51823 or NRF5832. Actually, a quick search shows that you can already buy exactly that (even with Apple compatibility built in).
These devices don’t have a network connection, tracking is done via BLE which just broadcasts a beacon regularly and is then picked up by nearby Apple devices which do have a connection.